Re: Ftpd taking up all my cpu cycles
On 6/13/02 1:36 PM, "Woodchuck" <djv@bedford.net> wrote:
> On Thu, 13 Jun 2002, Colin Harford wrote:
>
>> So, I was getting some really bad performance of my machine, so when
>> checking top I see this:
>
> Ick. More info needed. Is this host connected to the I'net? Are
> "dump" and "mikeal" legitimate users? Are they humans?
Both are legitimate human shell accounts with ftp access.
The dump account is ftp only, mikeal has ssh login as well as ftp.
> What do
> they say? Are the ftpd connections local or network?
The ftp connections are from the internet.
> If this is
> a machine with random users with "shell accounts", connected to the
> net, I'd start thinking that ftpd isn't what it seems, and is instead
> an irc bot or whatever. Notice that the processes have been "niced".
> It's pretty easy to fakeout ps/top about process name.
Seeing as dump doesn't have the ability to login except via ftp I doubt
this.
>
> Is it *really* ftpd? mkdir /proc && mount_procfs /proc /proc, then
> cksum the "file" under the appropriate subdir, should be the same
> as /usr/libexec/ftpd. (For the process left below, this would
> be /proc/25130/file).
I rebooted the machine so I could get some work done...
>
> What is ftpd *doing*? fstat may be your friend here. See what
> files they have open. Check the logs: /var/log/ftpd, /var/log/xferlog,
> /var/log/secure...
Empty:
tail /var/log/ftpd
(kajack!/proc/8731) [root-ttyp0]
# tail /var/log/xferlog
(kajack!/proc/8731) [root-ttyp0]
# tail /var/log/secure
Jun 8 21:00:01 kajack newsyslog[24479]: logfile turned over
also authlog and everything else.
Authlog only has information about ssh.
> Look at netstat
> output for the state of any connections to and from these daemons.
>
> I might want to whack a couple of those procs with a SIGABRT or SIGQUIT
> to get it to dump core, which I would then examine.
>
Will give it a try when there are more...
> Something is surely fishy.
My thoughts
>
> Dave
>
>> When checking ps -aux
>>
>> dump 25130 10.4 0.1 216 696 ?? RNs Sun10PM 1253:37.39 ftpd:
>
Colin Harford
Systems and Network Administrator Apple Product Professional
=================================
Computer and Network Support
University of Alberta Students' Union
Phone: (780) 492-4241 Fax: (780) 492-4643
http://www.su.ualberta.ca
"I sense much NT in you, NT leads to Blue Screen.
Blue Screen leads to downtime, downtime leads to suffering.
NT is the path to the darkside."
- Unknown Unix Jedi
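
Added example, not part of the original message: the checksum comparison suggested in the quoted advice, written as a shell function. It assumes procfs is mounted and exposes the process image as /proc/<pid>/file, as described above; the function name and the optional proc-root argument are hypothetical.

```shell
# verify_proc_image PID EXPECTED_BINARY [PROC_ROOT]
# Compares the image a running process was started from with the
# installed binary. Assumes a procfs that exposes <PROC_ROOT>/<pid>/file.
# Returns 0 = checksums match, 1 = mismatch, 2 = could not check.
verify_proc_image() {
    pid=$1
    expected=$2
    procroot=${3:-/proc}
    image="$procroot/$pid/file"

    # The process may have exited, or procfs may not be mounted.
    if [ ! -r "$image" ]; then
        echo "pid $pid: $image not readable" >&2
        return 2
    fi
    if [ ! -r "$expected" ]; then
        echo "reference binary $expected not readable" >&2
        return 2
    fi

    # Reading from stdin makes cksum print "<crc> <size>" with no
    # file name, so the two results can be compared directly.
    got=$(cksum < "$image") || return 2
    want=$(cksum < "$expected") || return 2

    if [ "$got" = "$want" ]; then
        echo "pid $pid: image matches $expected ($got)"
        return 0
    fi
    echo "pid $pid: image DIFFERS from $expected (running: $got, installed: $want)"
    return 1
}
```

For the process in the ps output this would be called as `verify_proc_image 25130 /usr/libexec/ftpd`. A match only shows that the process runs the installed file; it says nothing about whether the installed file itself is the one shipped with the system.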