Date:      Wed, 19 Nov 2008 08:49:19 -0800
From:      Jeremy Chadwick <koitsu@FreeBSD.org>
To:        John Almberg <jalmberg@identry.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: snmpd strangeness
Message-ID:  <20081119164919.GA2347@icarus.home.lan>
In-Reply-To: <BFDB04F6-6032-4CBE-859A-CB2BEE3A4C4E@identry.com>
References:  <BFDB04F6-6032-4CBE-859A-CB2BEE3A4C4E@identry.com>

On Wed, Nov 19, 2008 at 10:57:50AM -0500, John Almberg wrote:
> I just noticed something odd and am looking for ideas...
>
> As you can see from the top snippet below, snmpd is getting hammered by 
> something. As a comparison, the load averages for this quad-core  box are 
> usually close to zero.
>
> I'm not even sure I'm using snmpd for anything... not even sure what it 
> is, precisely.
>
> I'm digging into docs at the moment, but any ideas much appreciated.

I'm greatly concerned by the fact that you have a process on your
machine taking up 103% CPU time (possible on a quad-core machine),
taking up 2621MBytes of memory (RSS), yet you have no idea what it is,
what SNMP is, or why said process is running on your machine.  :-)

You can truss the pid to find out what it's doing, but based on the
above I'm not sure the truss output will be of much use to you.

I would recommend finding out who/what started it by looking at the ppid
of the process (ps -alx | grep 45136, then look at the 3rd column which
is the ppid; then do ps -alx | grep {ppid}).  It's very possible the
ppid will be 1, which is init, which means in this case it was probably
started by a script in /usr/local/etc/rc.d.

I would then recommend using gcore on the snmpd pid, which will write
out a very large file (~2.6GB) to $PWD.  You can then examine that
later.

I would then recommend killing it off, then go on a quest to find out
why net-snmpd is on your machine -- and equally as odd, why it's
running.  For this to start, something has to be in /etc/rc.conf to
initialise it.

There's also the possibility that the process running isn't snmpd at
all, but rather a binary of a hacker who has gained access to your box,
especially given that you have no idea what it is.

> last pid: 38974;  load averages:  1.24,  1.40,  1.58
> 342 processes: 6 running, 336 sleeping
> CPU states: 13.7% user,  0.0% nice, 13.9% system,  0.3% interrupt, 72.1% idle
> Mem: 5997M Active, 596M Inact, 420M Wired, 206M Cache, 214M Buf, 457M Free
> Swap: 16G Total, 123M Used, 16G Free
>
>   PID USERNAME  THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
> 45136 root        1 104    0  2636M  2621M CPU5   4 254.1H 103.91% snmpd
> 37368 www         1  20    0   193M 46232K lockf  6   0:05  3.91% httpd
> 38819 identry     1 -32    0  7688K  2648K CPU0   0   0:02  1.61% top

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
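A small triage script that follows the steps in the reply above (walk the parent chain of the suspect PID with ps, then check whether rc.conf actually enables snmpd), written as an added example rather than anything from the thread or from FreeBSD itself. It assumes only POSIX ps(1) with -o ppid=/-o comm= (with a Linux /proc fallback), and the rc.conf contents it checks are constructed for the demo.

```shell
#!/bin/sh
# Triage helper for an unknown, CPU-hungry process (added example, not from
# the original thread). Assumes POSIX ps(1) with -o ppid=/-o comm=, falling
# back to Linux /proc; the sample rc.conf below is constructed.

# Set $ppid and $comm for process $1; return 1 if it does not exist.
proc_info() {
    info=$(ps -o ppid= -o comm= -p "$1" 2>/dev/null)
    if [ -z "$info" ] && [ -r "/proc/$1/stat" ]; then
        # /proc/PID/stat is "pid (comm) state ppid ..."; comm is parenthesised
        info=$(sed 's/^[0-9]* (\(.*\)) . \([0-9]*\) .*/\2 \1/' "/proc/$1/stat")
    fi
    [ -n "$info" ] || return 1
    set -- $info
    ppid=$1; shift; comm=$*
}

# Print "pid:ppid:command" for PID and each ancestor up to init (pid 1).
# A direct child of init usually came from an rc.d script; any other parent
# (a shell, httpd, an orphan) is the thing to look at next.
pid_ancestry() {
    pid=$1
    while proc_info "$pid"; do
        printf '%s:%s:%s\n' "$pid" "$ppid" "$comm"
        [ "$pid" -eq 1 ] || [ "$ppid" -eq 0 ] && break
        pid=$ppid
    done
}

# Return 0 if an rc.conf-style FILE enables SERVICE (e.g. snmpd_enable="YES").
# Commented-out lines are ignored and the last assignment wins, as in sh(1).
rc_enabled() {
    val=$(sed -n "s/^[[:space:]]*${1}_enable=[\"']\{0,1\}\([A-Za-z]*\).*/\1/p" "$2" | tail -n 1)
    case $val in
        [Yy][Ee][Ss]) return 0 ;;
        *)            return 1 ;;
    esac
}
# Constructed rc.conf for demonstration; not a real system's configuration.
sample_rc_conf() {
    printf '%s\n' 'hostname="example.test"' 'sshd_enable="NO"' \
        '#snmpd_enable="NO"' 'snmpd_enable="YES"' 'ntpd_enable=NO'
}
# Demo: ancestry of this shell, then the rc.conf check on the sample file.
pid_ancestry "$$"
rc=$(mktemp) && sample_rc_conf > "$rc"
for svc in snmpd sshd ntpd; do
    rc_enabled "$svc" "$rc" && echo "$svc: enabled in rc.conf" || echo "$svc: not enabled"
done
rm -f "$rc"
```

On a real box, run `pid_ancestry 45136` with the PID from top and `rc_enabled snmpd /etc/rc.conf`; a running snmpd with no matching rc.conf entry is exactly the mismatch the reply says to chase down.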