Andrew Perrin [EMAIL PROTECTED] wrote:

> I came upstairs after a weekend mostly away from my computer to find it in
> a nearly-hung state. Load (by top) was >10, and there were numerous
> /USR/SBIN/CRON entries which, from the logs, look like they were trying to
> run exim sessions:
>
> Feb 23 07:38:01 joehill /USR/SBIN/CRON[13821]: (mail) CMD ( if [ -x
> /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
> Feb 23 07:53:01 joehill /USR/SBIN/CRON[13829]: (mail) CMD ( if [ -x
> /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)

Looks like a cron job of some sort. Have you checked cron jobs for the user
joehill? My guess is there's something scheduled to run every twenty-five
minutes. Or something that runs every five, but some of the processes hung.

> (etc., etc.)

How many were running? What did top say in terms of what was using the most
CPU?

> The other thing in the ps listing were several (three I think) instances
> of:
>
> modprobe -s -k -- net-pf-10

This is something trying to run IPv6. See:

http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/x1877.html

It's the IPv6 module. Could be any number of applications. Do you have
OpenLDAP, or maybe exim is trying IPv6?

> I do not have such a module, either loaded or available on the disk.

Because you don't have the IPv6 modules. Yet something you have installed
was compiled with IPv6 support.

> What's particularly worrisome is that this machine is behind another
> machine running NAT, so it has only a private (192.168.0.x) address. The
> NAT machine has nothing particularly suspicious about it. last commands on
> both machines show only me logging in.
>
> I would be a happier person if someone could provide a non-suspicious
> explanation for this.

How'd I do? :)

I know people gave you a lot of pointers on tools 'n such to check out, and
if you're worried, you might carry on. However, I think there's something far
simpler going on (it really doesn't sound like your system has been
compromised). Unfortunately, you may have lost any chance to figure it out.
Then again, joehill's crontab should still be there.

Mike

--
"If life hands you lemons, YOU BLOW THOSE LEMONS TO BITS WITH YOUR LASER
CANNONS!" -- Brak
GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
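The interval question raised in the reply (is the job scheduled every five minutes, every twenty-five, or something else?) can be answered from the log rather than by eye. The script below is an added example written for this page, not code from the thread or from any of the tools it mentions: it parses syslog-style /USR/SBIN/CRON lines, groups them by the account and command in the CMD entry, and reports the gap in minutes between successive runs of each job. The log text is constructed (the two lines Andrew quoted plus invented continuation lines in the same shape), and the year passed to the parser is an assumption, since syslog timestamps carry none.

```python
"""Cadence check for /USR/SBIN/CRON syslog entries.

Added example for this page (not code from the thread). Groups CRON "CMD"
lines by (user, command) and reports the interval between successive runs,
so a "runs every N minutes" guess can be checked against the log itself.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Syslog CRON line layout:
#   "Feb 23 07:38:01 host /USR/SBIN/CRON[pid]: (user) CMD (command)"
# The parenthesised name is the account the job runs as; the field after the
# timestamp is the syslog hostname, not a user.
CRON_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"/USR/SBIN/CRON\[(?P<pid>\d+)\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$"
)

# Constructed sample log: the two lines quoted in the thread, followed by
# invented lines in the same shape. A real run would read /var/log/syslog.
SAMPLE_LOG = """\
Feb 23 07:38:01 joehill /USR/SBIN/CRON[13821]: (mail) CMD ( if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
Feb 23 07:53:01 joehill /USR/SBIN/CRON[13829]: (mail) CMD ( if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
Feb 23 08:08:01 joehill /USR/SBIN/CRON[13837]: (mail) CMD ( if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
Feb 23 08:17:01 joehill /USR/SBIN/CRON[13845]: (root) CMD (run-parts --report /etc/cron.hourly)
Feb 23 08:23:01 joehill /USR/SBIN/CRON[13851]: (mail) CMD ( if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
"""


def parse_cron_lines(text, year=2003):
    """Return a list of (timestamp, pid, user, command) for every CRON CMD line.

    `year` is an assumption: syslog timestamps have no year, so one must be
    supplied to build a datetime. Lines that are not CRON CMD entries are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = CRON_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entries.append((ts, int(m["pid"]), m["user"], m["cmd"].strip()))
    return entries


def run_intervals(entries):
    """Map (user, command) -> list of whole-minute gaps between successive runs."""
    by_job = defaultdict(list)
    for ts, _pid, user, cmd in sorted(entries):
        by_job[(user, cmd)].append(ts)
    gaps = {}
    for job, times in by_job.items():
        gaps[job] = [int((b - a).total_seconds() // 60)
                     for a, b in zip(times, times[1:])]
    return gaps


def cadence_minutes(gaps):
    """Most common gap for one job, or None if it ran fewer than twice."""
    if not gaps:
        return None
    return Counter(gaps).most_common(1)[0][0]


def report(text, year=2003):
    """Human-readable summary: one line per job with its run count and cadence."""
    lines = []
    for (user, cmd), gaps in run_intervals(parse_cron_lines(text, year)).items():
        cadence = cadence_minutes(gaps)
        every = f"every {cadence} min" if cadence else "seen once"
        lines.append(f"({user}) runs={len(gaps) + 1} {every}: {cmd[:40]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The cadence this reports is what to compare against the minute field of the matching crontab entry, whether it lives in the per-user crontab (`crontab -l -u <user>`, for the account shown in parentheses) or in /etc/cron.d. What the CRON lines alone cannot show is whether earlier runs were still alive when the next one started, which is the hung-process case raised in the reply; that needs the `ps` listing, not the log.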
