Special thanks go to unSpawn for being tough with me as that put me on the right thinking track.
------------------------------------------------------------------
System: Debian Wheezy with XFCE4
Installation Method: debootstrap and chroot
Hardware: CPU T4400 2.2GHz Dual Core
Motherboard: eMachines
Bootloader: Independent minimal installation with only root as user and CLI
Suspected Mode of Infection (if any): iceweasel v27 through facebook
Lately, I have been noticing that whenever I visit facebook.com, the processor's fan goes into a fit of frenzy. I know facebook uses script and that this causes some extra load on the CPU, but this, more often than not, does not occur even when I use apt-get to install new packages or to update my system.
I used rkhunter to scan my system with the following results:
A mysterious hidden directory under /etc i.e. /etc/.java
The contents of .java are:
Code:
$ ls -al .java
total 12
drwxr-xr-x 3 root root 4096 Oct 29 09:58 .
drwxr-x--T 73 edbarx edbarx 4096 Apr 4 12:45 ..
drwxr-xr-x 2 root root 4096 Oct 29 09:58 .systemPrefs
Code:
$ ls -la .java/.systemPrefs/
total 8
drwxr-xr-x 2 root root 4096 Oct 29 09:58 .
drwxr-xr-x 3 root root 4096 Oct 29 09:58 ..
-rw-r--r-- 1 root root 0 Oct 29 09:58 .system.lock
-rw-r--r-- 1 root root 0 Oct 29 09:58 .systemRootModFile
I know for certain that I didn't create these files.
The report by rkhunter is this:
Code:
# cat rkhunter.log | grep Warning
[11:06:03] /usr/bin/unhide.rb [ Warning ]
[11:06:03] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
[11:07:42] Checking for hidden files and directories [ Warning ]
[11:07:42] Warning: Hidden directory found: '/etc/.java'
Code:
[11:07:51] System checks summary
[11:07:51] =====================
[11:07:51]
[11:07:51] File properties checks...
[11:07:51] Files checked: 137
[11:07:51] Suspect files: 1
[11:07:51]
[11:07:51] Rootkit checks...
[11:07:51] Rootkits checked : 292
[11:07:51] Possible rootkits: 0
[11:07:51]
[11:07:51] Applications checks...
[11:07:51] All checks skipped
[11:07:51]
[11:07:51] The system checks took: 2 minutes and 13 seconds
[11:07:51]
[11:07:51] Info: End date is Fri Apr 4 11:07:51 BST 2014
Thanks for reading and posting any possible solutions.
Added Later:
I scanned the entire installation with
Code:
# clamscan -vr /
The result is as follows:
Code:
----------- SCAN SUMMARY -----------
Known viruses: 3287292
Engine version: 0.97.8
Scanned directories: 17453
Scanned files: 129734
Infected files: 0
Total errors: 10813
Data scanned: 6483.56 MB
Data read: 14386.43 MB (ratio 0.45:1)
Time: 1448.383 sec (24 m 8 s)
I strongly discourage the use of "biological memes" like ... "infection."
It will either be an intrusion or malicious software trying to exploit a vulnerability.
Please do not evangelize unless you also contribute to the OP's topic, thanks.
Quote:
Originally Posted by edbarx
Lately, I have been noticing that whenever I visit facebook.com, the processor's fan goes into a fit of frenzy. I know facebook uses script and that this causes some extra load on the CPU, but this, more often than not, does not occur even when I use apt-get to install new packages or to update my system.
Start by actually monitoring system resources like CPU, RAM and disk by processes. (I'll be moving this thread since I'm sure you've learned and implemented everything from your previous thread and the enclosed links.)
Please, don't bury my thread, as I need advice as to what I should do. The thread you mentioned was created two years ago. In that time span, there were definitely new additional security-related novelties. Something new may be causing my problem.
Verify that you have the java package installed, that the package checksums and signatures match, and everything should be fine as these are created by the package install. Certainly if you see anything else unusual, investigate it fully.
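One way to carry out that check on a Debian system, as an added example that is not part of the original post: look up whether any installed package ships the flagged path, fall back to the package maintainer scripts when none does (a directory created by a postinst is invisible to dpkg -S), and verify the owning package's files against the md5sums dpkg recorded at install time. The script layout, the debsums fallback and the sample dpkg -S lines are assumptions.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts): decide
# whether a directory rkhunter flagged as hidden, such as /etc/.java, is
# accounted for by Debian packaging, and verify that package's shipped files.
# Assumes a dpkg-based system; 'debsums' is used only when it is installed.

# Turn one line of 'dpkg -S' output ("pkgA, pkgB:arch: /path") into one
# package name per line. The path part always starts with ": /", so cut there.
owners_from_dpkg_line() {
    printf '%s\n' "$1" | sed 's|: /.*$||' | tr -d ' ' | tr ',' '\n'
}

# Compare a package's installed files against its recorded md5sums list
# (multi-arch packages store it as pkg:arch.md5sums, others as pkg.md5sums).
verify_package() {
    pkg=$1
    if command -v debsums >/dev/null 2>&1; then
        debsums -s "$pkg" && echo "$pkg: all shipped files match"
        return
    fi
    for list in "/var/lib/dpkg/info/$pkg.md5sums" \
                "/var/lib/dpkg/info/${pkg%%:*}.md5sums"; do
        if [ -r "$list" ]; then
            (cd / && md5sum -c --quiet "$list") && echo "$pkg: all shipped files match"
            return
        fi
    done
    echo "$pkg: no md5sums list found, cannot verify" >&2
    return 1
}

# Who ships the path? If no package does, a maintainer script may still have
# created it at install time, which 'dpkg -S' cannot tell you.
check_hidden_path() {
    path=$1
    owners=$(dpkg -S "$path" 2>/dev/null | while read -r line; do
                 owners_from_dpkg_line "$line"; done | sort -u)
    if [ -n "$owners" ]; then
        for pkg in $owners; do verify_package "$pkg"; done
        return
    fi
    echo "$path is not shipped by any package; postinst scripts mentioning it:"
    grep -l -- "$path" /var/lib/dpkg/info/*.postinst 2>/dev/null \
        || echo "  none -> treat $path as unexplained and investigate further"
}

if [ $# -gt 0 ]; then check_hidden_path "$1"; fi
```

Once a hidden directory is explained by a package, it can be whitelisted in rkhunter.conf with ALLOWHIDDENDIR so the warning does not mask a genuinely new one next time.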
The fact that there are whole directories owned by root in /tmp boggles me! I deleted all files including directories in /tmp using:
Code:
rm * -rf
rm . -rf
However, when I rebooted the files were recreated again. The agent.**** was resurrected as well.
Added On: 8th April, 2014.
As you can see, I deleted the contents of /tmp. This action is dangerous, so be warned not to do it. If you decide you still want to do it, here is a safer way of performing it: (as root)
Code:
cd /home/your-user-name
mkdir tmp-backup
cp -a /tmp/. ./tmp-backup/    # "/tmp/." also copies dot-entries such as .X11-unix, which "/tmp/*" would miss
Then, if things go wrong, restore /tmp from the backup: (as root)
Code:
cd /home/your-user-name
cp -a ./tmp-backup/. /tmp/    # "/." restores the dot-entries as well
In case of a boot failure, you will need to mount the partition containing the installation's /tmp. This can be done as follows:
I will assume the partition containing the installation is /dev/sda7; yours is almost certainly different.
Code:
mkdir /mnt/sda7
mount /dev/sda7 /mnt/sda7
cp -a /mnt/sda7/home/your-user-name/tmp-backup/. /mnt/sda7/tmp/    # "/." restores the dot-entries as well
umount /mnt/sda7
I'm not going to "bury" your thread, just move it to the Newbie forum. Also you don't post in the Security forum because of more exposure: the case should fit the bill. (I've renamed your thread "How to diagnose system overexertion?" as that seems more fitting.)
Quote:
Originally Posted by edbarx
The fact that there are whole directories owned by root in /tmp boggles me! I deleted all files including directories in /tmp using:
Code:
rm * -rf
rm . -rf
However, when I rebooted the files were recreated again. The agent.**** was resurrected as well.
The thread I mentioned is as much in your interest as it is in the interest of those replying (well, if they actually care to read, that is...) which your reply just underscored: you simply don't know your system well enough to draw the proper conclusion. The first item on your list was the SSH agent UNIX socket (see 'man ssh-agent'), the second one your Xorg UNIX socket (see 'man xorg': "network connections") and the others relate to sound, X sessions and ssh-agent as well.
...and like I said in the beginning: start by actually monitoring system resources like CPU, RAM and disk by processes. You could simply keep open a terminal window and run something like top or htop when you visit sites you think stress your machine (too) much and see which processes are involved. Then you figure out if the same happens if you disable plugins like Java and Flash and if that doesn't help disable Javascript for the site. Post back your findings!
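A small /proc-based sampler that does what top or htop would show, added here as an example and not part of the original post: it adds up CPU time for every process whose name matches a pattern (for instance iceweasel together with its plugin-container children) over an interval, so the load a site causes can be pinned on the browser rather than guessed from the fan. The script name, the pattern and the sample stat lines are assumptions; it needs Linux /proc.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts): sample CPU use
# per process name from /proc, the same counters top/htop read.
# Assumes Linux /proc, a POSIX awk and GNU-style 'grep -E -x'.

# Sum utime+stime (fields 14 and 15 of /proc/PID/stat) from one stat line.
# The comm field "(...)" may contain spaces, e.g. "(Web Content)", which would
# shift the fields, so everything up to the closing ')' is dropped first and
# utime/stime become fields 12 and 13 of what remains.
ticks_from_stat_line() {
    printf '%s\n' "$1" | sed 's/^.*) //' | awk '{ print $12 + $13 }'
}

# Total CPU ticks of every process whose command name matches an ERE pattern.
ticks_for_comm() {
    total=0
    for stat in /proc/[0-9]*/stat; do
        line=$(cat "$stat" 2>/dev/null) || continue   # process may have exited
        comm=${line#*(}; comm=${comm%)*}               # text between the parentheses
        printf '%s\n' "$comm" | grep -Eqx -- "$1" || continue
        total=$(( total + $(ticks_from_stat_line "$line") ))
    done
    echo "$total"
}

# Percentage of one CPU consumed over an interval (100 = one core fully busy).
cpu_percent_for_comm() {   # pattern seconds
    t1=$(ticks_for_comm "$1"); sleep "$2"; t2=$(ticks_for_comm "$1")
    echo $(( (t2 - t1) * 100 / ($(getconf CLK_TCK) * $2) ))
}

# Run while reproducing the problem, e.g.: ./cpusample.sh 'iceweasel|plugin-container' 5
if [ $# -eq 2 ]; then
    echo "$1: $(cpu_percent_for_comm "$1" "$2")% of one core over $2 s"
fi
```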
ADDED LATER:
Sadly, the new title of the thread and the section of the forums where it is placed are misleading.
This thread is not about an overloaded system. In fact, I pay special attention during every installation not to overload my system. I have been doing that since the days I used MS Windows. This is a security issue. That is why I originally placed the thread in the Security section.
I don't use a fit-all installer to install my system. Instead, I use debootstrap and a chroot. I am the author of several howtos, let alone being a 'newbie'. However, if you want to patronize me, why not? I am your toddler, I am helpless as regards to your abuse, but I will not shame myself as to inflict abuse onto others who may irritate me for various reasons.
I have been using GNU/Linux non-stop since 2007 and before.
The gnuflash-plugin, gnash, can cause your problem. You can try uninstalling it and installing flashplugin-nonfree. Then run /usr/sbin/update-flashplugin-nonfree --install
You haven't observed anything out of the ordinary. Those temp files are mostly sockets (virtual files of size 0). Agent.xxxx is probably ssh. If you don't like ssh, you can turn it off with update-rc.d
The sound daemon can also place a heavy load on the CPU chip. Turn off sound or kill the daemon and see what happens. Use top to diagnose cpu usage. The fan runs faster when the cpu works harder. You might also install clamav if you're worried about malware.
iceweasel (firefox) periodically dumps memory to swap, if the application has had many tabs left open for hours, or days. That can make the fan noisy.
I hope this helps. I have faith in your ability. Everyone gets stuck once in a while. Just keep trying.
Feel free to use the "Report" button and ask for the thread to be renamed.
Quote:
Originally Posted by edbarx
I am the author of several howtos, let alone being a 'newbie'. (..) I have been using GNU/Linux non-stop since 2007 and before.
It's great to see you are an active member of the Linux Community (not that I couldn't find any HOWTO's written by you BTW) and if the "Newbie forum" doesn't reflect your knowledge of and practical experience with Linux (not that an experienced user would willy-nilly delete file system contents indiscriminately without prior research) then feel free to use the "Report" button and ask for the thread to be moved.
However before you indicate it to be moved to the Linux Security forum:
Quote:
Originally Posted by edbarx
This is a security issue.
you should prove it by gathering data as suggested more than a few times in this thread.
In the event of a boot failure, I could have easily restored those directories. Boot failure is not the end of the multiverse.
That's a reassuring thought (apart from the fact that ssh-agent, Xorg and others will automagically re-initialize those sockets on boot which you, being a knowledgeable long term Linux user, already know) however it does in no way contribute constructively to solving the problem. If there actually is any.
a) I used htop as suggested and logged into facebook. The consequent CPU use for iceweasel 24.4.0 (Wheezy) hovers around 90%.
b) For the bbc.co.uk website the CPU use varies from 5% to 40% but it is most of the time below 20%.
c) For youtube, while viewing a video the CPU use is around 40%.
d) For this forum the CPU use is between 7% and 12%.
All percentages are the CPU use for iceweasel. Hopefully, this sheds some useful light as to the cause.
ADDED LATER:
I think I found the solution. facebook, apparently, uses invisible css animations that consume too much CPU time. I will report later if this fixes the problem.