Re: Ftpd taking up all my cpu cycles
On Thu, 13 Jun 2002, Colin Harford wrote:
> So, I was getting some really bad performance of my machine, so when
> checking top I see this:
Ick. More info needed. Is this host connected to the I'net? Are
"dump" and "mikeal" legitimate users? Are they humans? What do
they say? Are the ftpd connections local or network? If this is
a machine with random users with "shell accounts", connected to the
net, I'd start thinking that ftpd isn't what it seems, and is instead
an irc bot or whatever. Notice that the processes have been "niced".
It's pretty easy to fake out ps/top about process name.
Is it *really* ftpd? mkdir /proc && mount_procfs /proc /proc, then
cksum the "file" under the appropriate subdir, should be the same
as /usr/libexec/ftpd. (For the process left below, this would
What is ftpd *doing*? fstat may be your friend here. See what
files they have open. Check the logs: /var/log/ftpd, /var/log/xferlog,
/var/log/secure... also authlog and everything else. Look at netstat
output for the state of any connections to and from these daemons.
I might want to whack a couple of those procs with a SIGABRT or SIGQUIT
to get it to dump core, which I would then examine.
Something is surely fishy.
> When checking ps -aux
> dump 25130 10.4 0.1 216 696 ?? RNs Sun10PM 1253:37.39 ftpd:
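
The check suggested in the reply above (compare the image of each process that claims to be ftpd against /usr/libexec/ftpd, and note which ones are niced), as an added shell example that is not part of the original thread. It assumes a BSD-style procfs where /proc/<pid>/file is the running executable and the usual `ps aux` column order (USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND); the function names are hypothetical. A MATCH only means the process image equals the on-disk reference, so the reference itself still has to be trusted.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a BSD-style procfs in which
# /proc/<pid>/file is the executable image of the running process.

# verify_image IMAGE REFERENCE
# 0 = same CRC and size, 1 = differs, 2 = one of the files is unreadable.
verify_image() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    [ "$(cksum < "$1")" = "$(cksum < "$2")" ]
}

# claimed_pids NAME
# Reads `ps aux` output on stdin and prints "PID USER STAT" for every process
# whose first command word is NAME, with or without a path or trailing colon.
claimed_pids() {
    awk -v name="$1" '{
        cmd = $11
        sub(/.*\//, "", cmd)
        sub(/:$/, "", cmd)
        if (cmd == name) print $2, $1, $8
    }'
}

# triage NAME REFERENCE [PROCROOT]
# Prints "PID USER STAT VERDICT" per claimed process; an N in STAT means niced.
triage() {
    name=$1 ref=$2 root=${3:-/proc}
    claimed_pids "$name" | while read -r pid user stat; do
        rc=0
        verify_image "$root/$pid/file" "$ref" || rc=$?
        case $rc in
            0) verdict=MATCH ;;
            1) verdict=MISMATCH ;;
            *) verdict=UNREADABLE ;;
        esac
        echo "$pid $user $stat $verdict"
    done
}

# Usage: sh triage.sh ftpd [/usr/libexec/ftpd]
if [ "$#" -ge 1 ]; then
    ps auxww | triage "$1" "${2:-/usr/libexec/ftpd}"
fi
```

MISMATCH and UNREADABLE rows are the ones to follow up with fstat, netstat and the logs, as the reply describes.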