Re: [gentoo-user] Excessive processor usage
On Monday, 6 August 2007, Neil Bothwick wrote:
> On Mon, 06 Aug 2007 10:49:01 -0400, sean wrote:
> > Hans, Xav, Thank You both, ran the root kit check no problems.
>
> Which may not prove much. Rootkit detectors (I prefer rkhunter BTW) are most effective when installed before a computer is open to infection. If you install it on a machine that has already been rootkitted, the rootkit may be able to conceal itself.

can we stop the scare tactics now? Or are you sure that YOUR box is rootkit free? And the install cd? Or every other install medium? Why scaring him?

Probably is problem is disk access+dma off.

--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Excessive processor usage
On Tue, 7 Aug 2007 09:19:40 +0200, Volker Armin Hemmann wrote:
> > > Hans, Xav, Thank You both, ran the root kit check no problems.
> >
> > Which may not prove much. Rootkit detectors (I prefer rkhunter BTW) are most effective when installed before a computer is open to infection. If you install it on a machine that has already been rootkitted, the rootkit may be able to conceal itself.
>
> can we stop the scare tactics now?

It is only a scare tactic if the intent is to frighten, not to inform.

> Or are you sure that YOUR box is rootkit free? And the install cd? Or every other install medium?

As sure as I can be, but I do not blindly assume that everything is OK because one program, possibly using compromised information, says so.

> Why scaring him?

See above.

> Probably is problem is disk access+dma off.

I agree, heavy disk I/O can cause major slowdowns, but if someone is considering a rootkit infection, they should at least be aware of the facts when looking for it.

--
Neil Bothwick

You are about to give someone a piece of your mind, something you can ill afford...
Re: [gentoo-user] Excessive processor usage
Neil Bothwick wrote:
> I agree, heavy disk I/O can cause major slowdowns, but if someone is considering a rootkit infection, they should at least be aware of the facts when looking for it.

I agree. Let's add some data to the thread:

http://en.wikipedia.org/wiki/Rootkit
http://www.net-security.org/dl/articles/Detecting_and_Understanding_rootkits.txt

nmap your server from outside, full port range tcp, udp. (ok, lots of rootkits still use OOB, IGMP, ICMP, etc for control and data transport).

Can you boot from a livecd and run rkhunter AND chkrootkit from it? Do it.

If you need off-list help, contact me.

--
Arturo Buanzo Busleiman - Independent Information Security Consultant
FUTURABANDA SHOW - Saturday 18 August 2007 (Speed King, Capital Federal)
Advance tickets through www.futurabanda.com.ar - Melodic Punk Rock
Re: [gentoo-user] Excessive processor usage
sean wrote:
> There seems to be a lot of excessive processor usage and I am trying to track down why.
> Is anyone able to recommend the best way to track down what is causing the excess processor usage?
> I have not noticed anything using top.

So how do you know there is an excessive processor usage ? Could you describe more precisely what you want to mean ?

> Thanks
> Sean

Regards,
Xavier Parizet
--
http://www.linuxant.fr
Re: [gentoo-user] Excessive processor usage
sean wrote:
> There seems to be a lot of excessive processor usage and I am trying to track down why.
> Is anyone able to recommend the best way to track down what is causing the excess processor usage?
> I have not noticed anything using top.
> Thanks
> Sean

If top doesn't show up anything only two things come to my mind:

1) There's no excess processor usage
2) Someone compromised your system and maybe added an application that is using your cpu, but also changed top so it doesn't show this new application (might seem paranoid, but I've seen it before).

Abraham
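The cross-check that Abraham's second point suggests, as an added example that is not part of the original thread: it compares the PIDs the kernel lists in /proc with the PIDs `ps` reports and flags any the tool leaves out. It assumes Linux procfs and illustrative function names; a rootkit that hooks the kernel can filter /proc as well, so an empty result is not proof of a clean system.

```python
"""Cross-view check: PIDs visible in /proc versus PIDs reported by ps (added example)."""
import os
import subprocess


def pids_from_proc(proc_root="/proc"):
    """Map PID -> command name for every numeric directory under proc_root."""
    found = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                found[int(entry)] = fh.read().strip()
        except OSError:  # process exited between listdir() and open()
            continue
    return found


def pids_from_ps(ps_output):
    """Parse the output of `ps -e -o pid=` (one PID per line, no header)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def hidden_from_tool(ps_output, proc_root="/proc"):
    """PIDs present in /proc but missing from the tool's listing."""
    tool_view = pids_from_ps(ps_output)
    kernel_view = pids_from_proc(proc_root)
    return {pid: name for pid, name in kernel_view.items() if pid not in tool_view}


def confirmed_hidden(samples):
    """Keep only PIDs hidden in every sample, which filters start/exit races."""
    if not samples:
        return {}
    common = set(samples[0])
    for sample in samples[1:]:
        common &= set(sample)
    return {pid: samples[0][pid] for pid in sorted(common)}


if __name__ == "__main__":
    runs = []
    for _ in range(3):  # several snapshots: a process that just started is not "hidden"
        out = subprocess.run(["ps", "-e", "-o", "pid="],
                             capture_output=True, text=True).stdout
        runs.append(hidden_from_tool(out))
    for pid, name in confirmed_hidden(runs).items():
        print(f"PID {pid} ({name}) is in /proc but not reported by ps")
```

Run it with an interpreter you trust (for example from a live CD with the suspect root mounted and `proc_root` pointed at a bind-mounted /proc), since a replaced userland can tamper with the checker too.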
Re: [gentoo-user] Excessive processor usage
On 06/08/07, sean [EMAIL PROTECTED] wrote:
> There seems to be a lot of excessive processor usage and I am trying to track down why.
> Is anyone able to recommend the best way to track down what is causing the excess processor usage?
> I have not noticed anything using top.

You might want to look at sysstat for tracking system load:

app-admin/sysstat

Oprofile will track down exactly what is happening on your box (modulo particularly clever root-kits). It requires kernel support and can be a bit daunting, but is very powerful:

dev-util/oprofile

> Thanks
> Sean

Cheers,
Duane.

--
I never could learn to drink that blood and call it wine - Bob Dylan
Re: [gentoo-user] Excessive processor usage
Abraham Marín Pérez wrote:
> sean wrote:
> > There seems to be a lot of excessive processor usage and I am trying to track down why.
> > Is anyone able to recommend the best way to track down what is causing the excess processor usage?
> > I have not noticed anything using top.
> > Thanks
> > Sean
>
> If top doesn't show up anything only two things come to my mind:
>
> 1) There's no excess processor usage
> 2) Someone compromised your system and maybe added an application that is using your cpu, but also changed top so it doesn't show this new application (might seem paranoid, but I've seen it before).
>
> Abraham

If you want to check there is no such program on your system, I advise you to try chkrootkit, to check there is no such rootkit on your system...

Regards,
Xavier Parizet
--
http://www.linuxant.fr
Re: [gentoo-user] Excessive processor usage
Xav' wrote:
> So how do you know there is an excessive processor usage ? Could you describe more precisely what you want to mean ?

Have gkrellm2 monitoring CPU usage and often for varied lengths of time will see a long and increased processor usage, this usually occurs on CPU1. Things get a bit sluggish when this happens. This is a recent problem.
Re: [gentoo-user] Excessive processor usage
On Monday, 6 August 2007, sean wrote:
> Xav' wrote:
> > So how do you know there is an excessive processor usage ? Could you describe more precisely what you want to mean ?
>
> Have gkrellm2 monitoring CPU usage and often for varied lengths of time will see a long and increased processor usage, this usually occurs on CPU1. Things get a bit sluggish when this happens. This is a recent problem.

I suspect IO. Disk IO makes everything slow. Especially if swap is involved.
Re: [gentoo-user] Excessive processor usage
Hi,

On Mon, 06 Aug 2007 14:30:01 +0200 Xav' [EMAIL PROTECTED] wrote:
> If you want to check there is no such program on your system, I advise you to try chkrootkit, to check there is no such rootkit on your system...

To put it correctly, since there is _NO_ way to assure that there isn't a rootkit: chkrootkit can be used to check whether there _are_ _known_ rootkits. BTW, there are other, similar programs that do the same. But my point is: You can never be sure, since a hypothesis can't be proven correct, just invalid. If there are indications a rootkit might be present, there's no secure way to remove it but to reinstall.

-hwh
Re: [gentoo-user] Excessive processor usage
Volker Armin Hemmann wrote:
> On Monday, 6 August 2007, sean wrote:
> > Xav' wrote:
> > > So how do you know there is an excessive processor usage ? Could you describe more precisely what you want to mean ?
> >
> > Have gkrellm2 monitoring CPU usage and often for varied lengths of time will see a long and increased processor usage, this usually occurs on CPU1. Things get a bit sluggish when this happens. This is a recent problem.
>
> I suspect IO. Disk IO makes everything slow. Especially if swap is involved.

Thanks Volker, I will have to look this one over carefully.
Re: [gentoo-user] Excessive processor usage
Hans-Werner Hilse wrote:
> Hi,
>
> On Mon, 06 Aug 2007 14:30:01 +0200 Xav' [EMAIL PROTECTED] wrote:
> > If you want to check there is no such program on your system, I advise you to try chkrootkit, to check there is no such rootkit on your system...
>
> To put it correctly, since there is _NO_ way to assure that there isn't a rootkit: chkrootkit can be used to check whether there _are_ _known_ rootkits. BTW, there are other, similar programs that do the same. But my point is: You can never be sure, since a hypothesis can't be proven correct, just invalid. If there are indications a rootkit might be present, there's no secure way to remove it but to reinstall.
>
> -hwh

Hans, Xav, Thank You both, ran the root kit check no problems.
Re: [gentoo-user] Excessive processor usage
On Mon, 06 Aug 2007 10:49:01 -0400, sean wrote:
> Hans, Xav, Thank You both, ran the root kit check no problems.

Which may not prove much. Rootkit detectors (I prefer rkhunter BTW) are most effective when installed before a computer is open to infection. If you install it on a machine that has already been rootkitted, the rootkit may be able to conceal itself.

--
Neil Bothwick

Excuse for the day: daemons did it
Re: [gentoo-user] Excessive processor usage
On 06 August 2007, sean wrote:
> Hans-Werner Hilse wrote:
> > Hi,
> >
> > On Mon, 06 Aug 2007 14:30:01 +0200 Xav' [EMAIL PROTECTED] wrote:
> > > If you want to check there is no such program on your system, I advise you to try chkrootkit, to check there is no such rootkit on your system...
> >
> > To put it correctly, since there is _NO_ way to assure that there isn't a rootkit: chkrootkit can be used to check whether there _are_ _known_ rootkits. BTW, there are other, similar programs that do the same. But my point is: You can never be sure, since a hypothesis can't be proven correct, just invalid. If there are indications a rootkit might be present, there's no secure way to remove it but to reinstall.
> >
> > -hwh
>
> Hans, Xav, Thank You both, ran the root kit check no problems.

The problems remain: You can't be sure. :-(

Uwe

--
Jack Nicholson: My mother never saw the irony in calling me a son of a bitch.
Re: [gentoo-user] Excessive processor usage
so there is always an assumption

On 8/6/07, Uwe Thiem [EMAIL PROTECTED] wrote:
> On 06 August 2007, sean wrote:
> > Hans-Werner Hilse wrote:
> > > Hi,
> > >
> > > On Mon, 06 Aug 2007 14:30:01 +0200 Xav' [EMAIL PROTECTED] wrote:
> > > > If you want to check there is no such program on your system, I advise you to try chkrootkit, to check there is no such rootkit on your system...
> > >
> > > To put it correctly, since there is _NO_ way to assure that there isn't a rootkit: chkrootkit can be used to check whether there _are_ _known_ rootkits. BTW, there are other, similar programs that do the same. But my point is: You can never be sure, since a hypothesis can't be proven correct, just invalid. If there are indications a rootkit might be present, there's no secure way to remove it but to reinstall.
> > >
> > > -hwh
> >
> > Hans, Xav, Thank You both, ran the root kit check no problems.
>
> The problems remain: You can't be sure. :-(
>
> Uwe
>
> --
> Jack Nicholson: My mother never saw the irony in calling me a son of a bitch.