Re: Ftpd taking up all my cpu cycles

[Woodchuck <djv@bedford.net>]

On Thu, 13 Jun 2002, Colin Harford wrote:

> So, I was getting some really bad performance of my machine, so when
> checking top I see this:

Ick.  More info needed.  Is this host connected to the I'net?  are
"dump" and "mikeal" legitimate users?  Are they humans?  What do
they say?  Are the ftpd connections local or network?  If this is
a machine with random users with "shell accounts", connected to the
net, I'd start thinking that ftpd isn't what it seems, and is instead
an irc bot or whatever.  Notice that the processes have been "niced".
It's pretty easy to fakeout ps/top about process name.

Is it *really* ftpd?  mkdir /proc && mount_procfs /proc /proc, then
cksum the "file" under the appropriate subdir, should be the same
as /usr/libexec/ftpd.  (For the process left below, this would
be /proc/25130/file).

What is ftpd *doing*?  fstat may be your friend here.  See what
files they have open.  Check the logs: /var/log/ftpd, /var/log/xferlog,
/var/log/secure... also authlog and everything else.  Look at netstat
output for the state of any connections to and from these daemons.

I might want to whack a couple of those procs with a SIGABRT or SIGQUIT
to get it to dump core, which I would then examine.

Something is surely fishy.

Dave

> When checking ps -aux
>
> dump     25130 10.4  0.1   216   696 ??  RNs   Sun10PM  1253:37.39 ftpd: