Date: Thu, 05 Jun 2008 10:38:56 -0400
From: Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>
To: stevefranks@ieee.org
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: intrusion? find is thrashing my disk every time I boot.
Message-ID: <447id4rlof.fsf@be-well.ilk.org>
In-Reply-To: <539c60b90806041125s6b2fc0cbqbba52225d27e4583@mail.gmail.com> (Steve Franks's message of "Wed, 4 Jun 2008 11:25:41 -0700")
References: <539c60b90806041125s6b2fc0cbqbba52225d27e4583@mail.gmail.com>

"Steve Franks" <stevefranks@ieee.org> writes:

> I'm really no security expert. I don't leave the system up 24/7, and
> I'm on a US DSL connection with a bunch of windows boxes.
>
> Seems to be a recent phenomenon, I've started experiencing disk
> thrashing I can hear across the room. ps and top report cvslockd has
> been responsible for the thrashing (which usually occurs at a specific
> time of day (~1 am MST)), but now, find is doing the thrashing at boot
> every time (within the last week at least). Needless to say, I
> haven't changed the system in any way during that week. On windows,
> I'd just assume this to be normal behavior, but on FreeBSD, it's got
> me worried...
>
> I presume the security section of the manual has a good intro to
> detecting intruders, but first I'm interested if there is a legitimate
> reason for find to be torturing my disk. I don't run much on my
> system - apache, cvs, portsnap, ssh, that's about it.

That's not really so little.

I would tend to doubt it's a security issue, but tracking it down is
still a good idea. You should be able to see what user is running the
find, using ps(1), and that might give a clue to what the purpose is
(but probably not; it'll probably turn out to be root). Once you've
tried that, you could use sockstat(1) to track down what file the find
operation is dumping into.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
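
The ps(1) check suggested in the reply, extended to walk each find's parent chain so that a root-owned find can still be traced to whatever launched it. This is an added example, not part of the original message; the process table is constructed sample data, and `find_ancestry` and `sample_ps` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the original thread): show who started each find(1).
# Input: output of `ps -axo pid,ppid,user,command`, read from stdin.
find_ancestry() {
    awk '
    NR == 1 && $1 == "PID" { next }          # skip the ps header
    {
        pid = $1; parent[pid] = $2; owner[pid] = $3
        cmdline[pid] = $4
        for (i = 5; i <= NF; i++) cmdline[pid] = cmdline[pid] " " $i
        exe = $4; sub(/.*\//, "", exe)        # basename of argv[0]
        if (exe == "find") hits[++n] = pid
    }
    END {
        for (h = 1; h <= n; h++) {
            p = hits[h]; line = ""; sep = ""; depth = 0
            # Walk up to init; the depth guard stops on a malformed table.
            while ((p in parent) && depth++ < 32) {
                line = line sep p "(" owner[p] ") " cmdline[p]
                sep = " <- "
                if (parent[p] == p) break
                p = parent[p]
            }
            print line
        }
    }'
}

# Constructed sample process table (assumption, not data from the thread).
sample_ps() {
    cat <<'EOF'
  PID  PPID USER  COMMAND
    1     0 root  /sbin/init --
  612     1 root  /usr/sbin/cron -s
 1841   612 root  /bin/sh - /usr/sbin/periodic daily
 1902  1841 root  find / -xdev -type f -perm -4000
 2101     1 root  sshd: alice@pts/0
 2105  2101 alice -sh
 2210  2105 alice find . -name core
EOF
}

# On a live system: ps -axo pid,ppid,user,command | find_ancestry
sample_ps | find_ancestry
```

Each output line reads from the find process back towards init, so a chain ending in cron points at a scheduled job while one passing through sshd points at a login session.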