Date:      Wed, 11 Jun 2008 18:59:58 +0200 (CEST)
From:      Oliver Fromme <olli@lurza.secnetix.de>
To:        freebsd-questions@FreeBSD.ORG, stevefranks@ieee.org
Subject:   Re: intrusion? find is thrashing my disk every time I boot.
Message-ID:  <200806111659.m5BGxwiv063927@lurza.secnetix.de>
In-Reply-To: <447id4rlof.fsf@be-well.ilk.org>

Lowell Gilbert wrote:
 > "Steve Franks" <stevefranks@ieee.org> writes:
 > > I'm really no security expert.  I don't leave the system up 24/7, and
 > > I'm on a US DSL connection with a bunch of windows boxes.
 > > 
 > > Seems to be a recent phenomenon, I've started experiencing disk
 > > thrashing I can hear across the room.  ps and top report cvslockd has
 > > been responsible for the thrashing (which usually occurs at a specific
 > > time of day (~1 am MST)), but now, find is doing the thrashing at boot
 > > every time (within the last week at least).  Needless to say, I
 > > haven't changed the system in any way during that week.  On windows,
 > > I'd just assume this to be normal behavior, but on FreeBSD, it's got
 > > me worried...
 > > 
 > > I presume the security section of the manual has a good intro to
 > > detecting intruders, but first I'm interested if there is a legitimate
 > > reason for find to be torturing my disk.  I don't run much on my
 > > system - apache, cvs, portsnap, ssh, that's about it.
 > 
 > That's not really so little.  I would tend to doubt it's a security
 > issue, but tracking it down is still a good idea.  You should be able
 > to see what user is running the find, using ps(1), and that might give
 > a clue to what the purpose is (but probably not; it'll probably turn
 > out to be root).

This script might be useful for that purpose:

http://www.secnetix.de/olli/scripts/pidtrace

Given the process ID of the "find" process on the command
line, it will print its parent processes all the way up to
init(8).  That way you can easily find out if the "find"
was started by a cron job, by an rc.d script, or something
else.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758,  Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd

(On the statement print "42 monkeys" + "1 snake":)  By the way,
both perl and Python get this wrong.  Perl gives 43 and Python
gives "42 monkeys1 snake", when the answer is clearly "41 monkeys
and 1 fat snake".        -- Jim Fulton

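As an added illustration (not Oliver's pidtrace script from the URL above, which is the one to use on FreeBSD), here is a POSIX sh function that does the same ancestry walk with ps(1): it prints the given process and each parent up to init(8) so you can see whether a find came from cron, an rc.d script or an interactive login. It assumes a ps that accepts `-o ppid= -o user= -o comm=` together with `-p PID`, which both FreeBSD's and Linux's do.

```shell
#!/bin/sh
# pidtrace-style ancestry walk (added example, not the secnetix script).
# Usage: pidtrace PID
# Prints "pid user command", one line per process, starting at PID and
# following the parent PID (ppid) chain until init, whose ppid is 0.
# Assumes ps(1) understands: ps -o ppid= -o user= -o comm= -p PID

pidtrace() {
    pid="$1"
    case "$pid" in
        ''|*[!0-9]*) echo "usage: pidtrace PID" >&2; return 2 ;;
    esac
    depth=0
    while [ "$pid" -gt 0 ]; do
        # One ps call per hop; an empty result means the process is gone
        # (or never existed), so stop and report failure.
        line=$(ps -o ppid= -o user= -o comm= -p "$pid" 2>/dev/null) || return 1
        [ -n "$line" ] || return 1
        set -- $line               # fields: ppid user comm...
        ppid=$1; user=$2; shift 2
        printf '%*s%s %s %s\n' "$depth" '' "$pid" "$user" "$*"
        pid=$ppid                  # move up one level
        depth=$((depth + 2))       # indent each ancestor a little more
    done
}
```

Run it as `pidtrace $(pgrep -n find)` while the disk is busy; a chain ending in cron(8) points at a crontab or periodic(8) entry, one ending in a shell under sshd(8) points at a login session.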