[SOLVED] How to diagnose system overexertion?

edbarx · 04-04-2014, 06:18 AM

Special thanks go to upSpawn for being tough with me as that put me on the right thinking track.

------------------------------------------------------------------
System: Debian Wheezy with XFCE4
Installation Method: debootstrap and chroot
Hardware: CPU T4400 2.2GHz Dual Core
Motherboard: eMachines
Bootloader: Independent minimal installation with only root as user and CLI
Suspected Mode of Infection (if any): iceweasel v27 through facebook

Lately, I have been noticing that whenever I visit facebook.com, the processor's fan goes into a fit of frenzy. I know facebook uses script and that this causes some extra load on the CPU, but this, more often than not, does not occur even when I use apt-get to install new packages or to update my system.

I used rkhunter to scan my system with the following results:

A mysterious hidden directory under /etc i.e. /etc/.java
The contents of .java are:

Code:

$ ls -al .java
total 12
drwxr-xr-x  3 root   root   4096 Oct 29 09:58 .
drwxr-x--T 73 edbarx edbarx 4096 Apr  4 12:45 ..
drwxr-xr-x  2 root   root   4096 Oct 29 09:58 .systemPrefs

Code:

$ ls -la .java/.systemPrefs/
total 8
drwxr-xr-x 2 root root 4096 Oct 29 09:58 .
drwxr-xr-x 3 root root 4096 Oct 29 09:58 ..
-rw-r--r-- 1 root root    0 Oct 29 09:58 .system.lock
-rw-r--r-- 1 root root    0 Oct 29 09:58 .systemRootModFile

I know for certain that I didn't create these files.

The report by rkhunter is this:

Code:

# cat rkhunter.log | grep Warning
[11:06:03]   /usr/bin/unhide.rb                              [ Warning ]
[11:06:03] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
[11:07:42]   Checking for hidden files and directories       [ Warning ]
[11:07:42] Warning: Hidden directory found: '/etc/.java'

Code:

[11:07:51] System checks summary
[11:07:51] =====================
[11:07:51]
[11:07:51] File properties checks...
[11:07:51] Files checked: 137
[11:07:51] Suspect files: 1
[11:07:51]
[11:07:51] Rootkit checks...
[11:07:51] Rootkits checked : 292
[11:07:51] Possible rootkits: 0
[11:07:51]
[11:07:51] Applications checks...
[11:07:51] All checks skipped
[11:07:51]
[11:07:51] The system checks took: 2 minutes and 13 seconds
[11:07:51]
[11:07:51] Info: End date is Fri Apr  4 11:07:51 BST 2014

Thanks for reading and posting any possible solutions.

Added Later:
I scanned the entire installation with

Code:

# clamscan -vr /

The result is as follows:

Code:

----------- SCAN SUMMARY -----------
Known viruses: 3287292
Engine version: 0.97.8
Scanned directories: 17453
Scanned files: 129734
Infected files: 0
Total errors: 10813
Data scanned: 6483.56 MB
Data read: 14386.43 MB (ratio 0.45:1)
Time: 1448.383 sec (24 m 8 s)

Drakeo · 04-04-2014, 07:03 AM

http://ubuntuforums.org/showthread.php?t=1392240 check it out nothing new but rkhunter did it's job. And will always complain about hidden files in the /etc/ folder.

sundialsvcs · 04-04-2014, 08:55 AM

I strongly discourage the use of "biological memes" like ... "infection."

It will either be an intrusion or malicious software trying to exploit a vulnerability.

unSpawn · 04-04-2014, 01:00 PM

Quote:

Originally Posted by sundialsvcs

I strongly discourage the use of "biological memes" like ... "infection."
It will either be an intrusion or malicious software trying to exploit a vulnerability.

Please do not evangelize unless you also contribute to the OPs topic, thanks.

Quote:

Originally Posted by edbarx

Lately, I have been noticing that whenever I visit facebook.com, the processor's fan goes into a fit of frenzy. I know facebook uses script and that this causes some extra load on the CPU, but this, more often than not, does not occur even when I use apt-get to install new packages or to update my system.

Start by actually monitoring system resources like CPU, RAM and disk by processes. (I'll be moving this thread since I'm sure you've learned and implemented everything from your previous thread and the enclosed links.)

edbarx · 04-04-2014, 02:53 PM

Quote:

Originally Posted by unSpawn

Start by actually monitoring system resources like CPU, RAM and disk by processes. (I'll be moving this thread since I'm sure you've learned and implemented everything from your previous thread and the enclosed links.)

Please, don't bury my thread, as I need advice as to what I should do. The thread you mentioned has been created two years ago. In that time span, there were definitely new additional security-related novelties. Something new may be causing my problem.

metaschima · 04-04-2014, 06:36 PM

Verify that you have the java package installed, that the package checksums and signatures match, and everything should be fine as these are created by the package install. Certainly if you see anything else unusual, investigate it fully.

edbarx · 04-05-2014, 02:04 AM

Under /tmp, I found this:

Code:

/tmp/ssh-w6OVe3BlZW70$ ls -l
total 0
srw------- 1 edbarx edbarx 0 Apr  5 07:12 agent.4290

Code:

/tmp/.X11-unix$ ls -l
total 0
srwxrwxrwx 1 root root 0 Apr  5 07:12 X0
edbarx@edbarx-pc:/tmp/.X11-unix$ rm X0
rm: cannot remove `X0': Operation not permitted

Code:

/tmp$ ls -aRl
.:
total 32
drwxrwxrwt  6 root   root   4096 Apr  5 09:16 .
drwxr-xr-x 24 root   root   4096 Sep 24  2013 ..
drwxrwxrwt  2 root   root   4096 Apr  5 09:12 .ICE-unix
drwx------  2 edbarx edbarx 4096 Apr  5 09:12 pulse-PKdhtXMmr18n
drwx------  2 edbarx edbarx 4096 Apr  5 09:12 ssh-6Y7OMdN66KgB
-r--r--r--  1 root   root     11 Apr  5 09:12 .X0-lock
drwxrwxrwt  2 root   root   4096 Apr  5 09:12 .X11-unix
-rw-------  1 edbarx edbarx  418 Apr  5 09:12 .xfsm-ICE-N6U8CX

./.ICE-unix:
total 8
drwxrwxrwt 2 root   root   4096 Apr  5 09:12 .
drwxrwxrwt 6 root   root   4096 Apr  5 09:16 ..
srwxrwxrwx 1 edbarx edbarx    0 Apr  5 09:12 4285

./pulse-PKdhtXMmr18n:
total 8
drwx------ 2 edbarx edbarx 4096 Apr  5 09:12 .
drwxrwxrwt 6 root   root   4096 Apr  5 09:16 ..

./ssh-6Y7OMdN66KgB:
total 8
drwx------ 2 edbarx edbarx 4096 Apr  5 09:12 .
drwxrwxrwt 6 root   root   4096 Apr  5 09:16 ..
srw------- 1 edbarx edbarx    0 Apr  5 09:12 agent.4285

./.X11-unix:
total 8
drwxrwxrwt 2 root root 4096 Apr  5 09:12 .
drwxrwxrwt 6 root root 4096 Apr  5 09:16 ..
srwxrwxrwx 1 root root    0 Apr  5 09:12 X0

Using rm -rf is potentially dangerous

The fact that there are whole directories owned by root in /tmp boggles me! I deleted all files including directories in /tmp using:

Code:

rm * -rf
rm . -rf

However, when I rebooted the files were recreated again. The agent.**** was resurrected as well.

Added On: 8th April, 2014.
As you can see, I deleted the contents of /tmp. This action is dangerous, so be warned not to do it. If you decide you still want to do it, here is a safer way of performing it: (as root)

Code:

cd /home/your-user-name
mkdir tmp-backup
cp -a /tmp/* ./tmp-backup

Then, if things go wrong, restore /tmp from the backup: (as root)

Code:

cd /home/your-user-name
cp -a ./tmp-backup/* /tmp

In case of a boot failure, you will need to mount the partition containing the installation's /tmp. This can be done as follows:

I will assume the partition containing the installation is: /dev/sda7, your is almost certainly different.

Code:

mkdir /mnt/sda7
mount /dev/sda7 /mnt/sda7
cp -a /mnt/sda7/home/your-user-name/tmp-backup/* /mnt/sda7/tmp
umount /mnt/sda7

unSpawn · 04-05-2014, 03:30 AM

Quote:

Originally Posted by edbarx

Please, don't bury my thread, as I need advice as to what I should do. The thread you mentioned has been created two years ago. In that time span, there were definitely new additional security-related novelties. Something new may be causing my problem.

I'm not going to "bury" your thread, just move it to the Newbie forum. Also you don't post in the Security forum because of more exposure: the case should fit the bill. (I've renamed your thread "How to diagnose system overexertion?" as that seems more fitting.)

Quote:

Originally Posted by edbarx

The fact that there are whole directories owned by root in /tmp boggles me! I deleted all files including directories in /tmp using:

Code:

rm * -rf
rm . -rf

However, when I rebooted the files were recreated again. The agent.**** was resurrected as well.

The thread I mentioned is as much in your interest as it is in the interest of those replying (well, if they actually care to read, that is...) which your reply just underscored: you simply don't know your system well enough to draw the proper conclusion. The first item on your list was the SSH agent UNIX socket (see 'man ssh-agent'), the second one your Xorg UNIX socket (see 'man xorg': "network connections") and the others relate to sound, X sessions and ssh-agent as well.

unSpawn · 04-05-2014, 03:35 AM

...and like I said in the beginning: start by actually monitoring system resources like CPU, RAM and disk by processes. You could simply keep open a terminal window and run something like top or htop when you visit sites you think stress your machine (too) much and see which processes are involved. Then you figure out if the same happens if you disable plugins like Java and Flash and if that doesn't help disable Javascript for the site. Post back your findings!

edbarx · 04-05-2014, 03:46 AM

Thanks for posting some valueable information.

ADDED LATER:
Sadly, the new title of the thread and the section of the forums where it is placed, are misleading.

This thread is not about an overloaded system. In fact, I pay special attention during every installation not to overload my system. I have been doing that since the days I used MS Windows. This is a security issue. That is why I originally placed the thread in the Security section.

I don't use a fit-all installer to install my system. Instead, I use debootstrap and a chroot. I am the author of several howtos, let alone being a 'newbie'. However, if you want to patronize me, why not? I am your toddler, I am helpless as regards to your abuse, but I will not shame myself as to inflict abuse onto others who may irritate me for various reasons.

I have been using GNU/Linux non-stop since 2007 and before.

AwesomeMachine · 04-05-2014, 05:23 AM

The gnuflash-plugin,

gnash

can cause your problem. You can try unistalling it and installing,

flashplugin-nonfree.

Then run,

/usr/sbin/update-flashplugin-nonfree --install

You haven't observed anything out of the ordinary. Those temp files are mostly sockets (virtual files of size 0). Agent.xxxx is probably ssh. If you don't like ssh, you can turn it off with:

update-rc.d

The sound daemon caqn also place a heavy load on the CPU chip. Turn off sound or kill the daemon and see what happens. Use:

top

to diagnose cpu usage. The fan runs faster when the cpu works harder. You might also install:

clamav

if you're worried about malware.

iceweasel (firefox)

periodically dumps memory to swap, if the application has had many tabs left open for hours, or days. That can make the fan noisy.

I hope this helps. I have faith in your ability. Everyone gets stuck once in while. Just keep trying.

unSpawn · 04-05-2014, 06:05 AM

Quote:

Originally Posted by edbarx

Sadly, the new title of the thread and the section of the forums where it is placed, are misleading.

Feel free to use the "Report" button and ask for the thread to be renamed.

Quote:

Originally Posted by edbarx

I am the author of several howtos, let alone being a 'newbie'. (..) I have been using GNU/Linux non-stop since 2007 and before.

It's great to see you are an active member of the Linux Community (not that I couldn't find any HOWTO's written by you BTW) and if the "Newbie forum" doesn't reflect your knowledge of and practical experience with Linux (not that an experienced user would willy-nilly delete file system contents indiscriminately without prior research) then feel free to use the "Report" button and ask for the thread to be moved.

However before you indicate it to be moved to the Linux Security forum:

Quote:

Originally Posted by edbarx

This is a security issue.

you should prove it by gathering data as suggested more than a few times in this thread.

edbarx · 04-05-2014, 06:23 AM

Quote:

Originally Posted by unSpawn

It's great to see you are an active member of the Linux Community (not that I couldn't find any HOWTO's written by you BTW) and if the "Newbie forum" doesn't reflect your knowledge of and practical experience with Linux (not that an experienced user would willy-nilly delete file system contents indiscriminately without prior research)

In the event of a boot failure, I could have easily restored those directories. Boot failure is not the end of the multiverse.

unSpawn · 04-05-2014, 06:40 AM

Quote:

Originally Posted by edbarx

In the event of a boot failure, I could have easily restored those directories. Boot failure is not the end of the multiverse.

That's a reassuring thought (apart from the fact that ssh-agent, Xorg and others will automagically re-initialize those sockets on boot which you, being a knowledgeable long term Linux user, already know) however it does in no way contribute constructively to solving the problem. If there actually is any.

edbarx · 04-05-2014, 07:25 AM

a) I used htop as suggested and logged into facebook. The consequent CPU use for iceweasel 24.4.0 (Wheezy) hovers around 90%.
b) For the bbc.co.uk website the CPU use varies from 5% to 40% but it is most of the time below 20%.
c) For youtube, while viewing a video the CPU use is around 40%.
d) For this forum the CPU use is between 7% and 12%.

All percentages are the CPU use for iceweasel. Hopefully, this sheds some useful light as to the cause.

ADDED LATER:
I think I found the solution. facebook, apparently, uses invisible css animations that consume too much CPU time. I will report later if this fixes the problem.