LinuxQuestions.org
Old 04-04-2014, 07:18 AM   #1
edbarx
Member
 
Registered: Sep 2010
Distribution: Used Debian since Sarge. (~2005)
Posts: 369

Rep: Reputation: 18
How to diagnose system overexertion?


Special thanks go to unSpawn for being tough with me as that put me on the right thinking track.

------------------------------------------------------------------
System: Debian Wheezy with XFCE4
Installation Method: debootstrap and chroot
Hardware: CPU T4400 2.2GHz Dual Core
Motherboard: eMachines
Bootloader: Independent minimal installation with only root as user and CLI
Suspected Mode of Infection (if any): iceweasel v27 through facebook


Lately, I have been noticing that whenever I visit facebook.com, the processor's fan goes into a fit of frenzy. I know facebook uses script and that this causes some extra load on the CPU, but this, more often than not, does not occur even when I use apt-get to install new packages or to update my system.

I used rkhunter to scan my system with the following results:

A mysterious hidden directory under /etc i.e. /etc/.java
The contents of .java are:
Code:
$ ls -al .java
total 12
drwxr-xr-x  3 root   root   4096 Oct 29 09:58 .
drwxr-x--T 73 edbarx edbarx 4096 Apr  4 12:45 ..
drwxr-xr-x  2 root   root   4096 Oct 29 09:58 .systemPrefs
Code:
$ ls -la .java/.systemPrefs/
total 8
drwxr-xr-x 2 root root 4096 Oct 29 09:58 .
drwxr-xr-x 3 root root 4096 Oct 29 09:58 ..
-rw-r--r-- 1 root root    0 Oct 29 09:58 .system.lock
-rw-r--r-- 1 root root    0 Oct 29 09:58 .systemRootModFile
I know for certain that I didn't create these files.


The report by rkhunter is this:
Code:
# cat rkhunter.log | grep Warning
[11:06:03]   /usr/bin/unhide.rb                              [ Warning ]
[11:06:03] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
[11:07:42]   Checking for hidden files and directories       [ Warning ]
[11:07:42] Warning: Hidden directory found: '/etc/.java'
Code:
[11:07:51] System checks summary
[11:07:51] =====================
[11:07:51]
[11:07:51] File properties checks...
[11:07:51] Files checked: 137
[11:07:51] Suspect files: 1
[11:07:51]
[11:07:51] Rootkit checks...
[11:07:51] Rootkits checked : 292
[11:07:51] Possible rootkits: 0
[11:07:51]
[11:07:51] Applications checks...
[11:07:51] All checks skipped
[11:07:51]
[11:07:51] The system checks took: 2 minutes and 13 seconds
[11:07:51]
[11:07:51] Info: End date is Fri Apr  4 11:07:51 BST 2014
Thanks for reading and posting any possible solutions.

Added Later:
I scanned the entire installation with
Code:
# clamscan -vr /
The result is as follows:
Code:
----------- SCAN SUMMARY -----------
Known viruses: 3287292
Engine version: 0.97.8
Scanned directories: 17453
Scanned files: 129734
Infected files: 0
Total errors: 10813
Data scanned: 6483.56 MB
Data read: 14386.43 MB (ratio 0.45:1)
Time: 1448.383 sec (24 m 8 s)

Last edited by edbarx; 04-05-2014 at 10:44 AM.
 
Old 04-04-2014, 08:03 AM   #2
Drakeo
Senior Member
 
Registered: Jan 2008
Location: Urbana IL
Distribution: Slackware, Slacko,
Posts: 3,090
Blog Entries: 3

Rep: Reputation: 324
http://ubuntuforums.org/showthread.php?t=1392240 Check it out: nothing new, but rkhunter did its job. And it will always complain about hidden files in the /etc/ folder.
 
Old 04-04-2014, 09:55 AM   #3
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 7,506

Rep: Reputation: 2388
I strongly discourage the use of "biological memes" like ... "infection."

It will either be an intrusion or malicious software trying to exploit a vulnerability.
 
Old 04-04-2014, 02:00 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,332
Blog Entries: 55

Rep: Reputation: 3533
Quote:
Originally Posted by sundialsvcs
I strongly discourage the use of "biological memes" like ... "infection."
It will either be an intrusion or malicious software trying to exploit a vulnerability.
Please do not evangelize unless you also contribute to the OPs topic, thanks.


Quote:
Originally Posted by edbarx
Lately, I have been noticing that whenever I visit facebook.com, the processor's fan goes into a fit of frenzy. I know facebook uses script and that this causes some extra load on the CPU, but this, more often than not, does not occur even when I use apt-get to install new packages or to update my system.
Start by actually monitoring system resources like CPU, RAM and disk by processes. (I'll be moving this thread since I'm sure you've learned and implemented everything from your previous thread and the enclosed links.)
 
Old 04-04-2014, 03:53 PM   #5
edbarx
Member
 
Registered: Sep 2010
Distribution: Used Debian since Sarge. (~2005)
Posts: 369

Original Poster
Rep: Reputation: 18
Quote:
Originally Posted by unSpawn
Start by actually monitoring system resources like CPU, RAM and disk by processes. (I'll be moving this thread since I'm sure you've learned and implemented everything from your previous thread and the enclosed links.)
Please, don't bury my thread, as I need advice as to what I should do. The thread you mentioned was created two years ago. In that time span, there were definitely new additional security-related novelties. Something new may be causing my problem.

Last edited by edbarx; 04-04-2014 at 03:54 PM.
 
Old 04-04-2014, 07:36 PM   #6
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 491
Verify that you have the java package installed, that the package checksums and signatures match, and everything should be fine as these are created by the package install. Certainly if you see anything else unusual, investigate it fully.
 
Old 04-05-2014, 03:04 AM   #7
edbarx
Member
 
Registered: Sep 2010
Distribution: Used Debian since Sarge. (~2005)
Posts: 369

Original Poster
Rep: Reputation: 18
Under /tmp, I found this:
Code:
/tmp/ssh-w6OVe3BlZW70$ ls -l
total 0
srw------- 1 edbarx edbarx 0 Apr  5 07:12 agent.4290
Code:
/tmp/.X11-unix$ ls -l
total 0
srwxrwxrwx 1 root root 0 Apr  5 07:12 X0
edbarx@edbarx-pc:/tmp/.X11-unix$ rm X0
rm: cannot remove `X0': Operation not permitted
Code:
/tmp$ ls -aRl
.:
total 32
drwxrwxrwt  6 root   root   4096 Apr  5 09:16 .
drwxr-xr-x 24 root   root   4096 Sep 24  2013 ..
drwxrwxrwt  2 root   root   4096 Apr  5 09:12 .ICE-unix
drwx------  2 edbarx edbarx 4096 Apr  5 09:12 pulse-PKdhtXMmr18n
drwx------  2 edbarx edbarx 4096 Apr  5 09:12 ssh-6Y7OMdN66KgB
-r--r--r--  1 root   root     11 Apr  5 09:12 .X0-lock
drwxrwxrwt  2 root   root   4096 Apr  5 09:12 .X11-unix
-rw-------  1 edbarx edbarx  418 Apr  5 09:12 .xfsm-ICE-N6U8CX

./.ICE-unix:
total 8
drwxrwxrwt 2 root   root   4096 Apr  5 09:12 .
drwxrwxrwt 6 root   root   4096 Apr  5 09:16 ..
srwxrwxrwx 1 edbarx edbarx    0 Apr  5 09:12 4285

./pulse-PKdhtXMmr18n:
total 8
drwx------ 2 edbarx edbarx 4096 Apr  5 09:12 .
drwxrwxrwt 6 root   root   4096 Apr  5 09:16 ..

./ssh-6Y7OMdN66KgB:
total 8
drwx------ 2 edbarx edbarx 4096 Apr  5 09:12 .
drwxrwxrwt 6 root   root   4096 Apr  5 09:16 ..
srw------- 1 edbarx edbarx    0 Apr  5 09:12 agent.4285

./.X11-unix:
total 8
drwxrwxrwt 2 root root 4096 Apr  5 09:12 .
drwxrwxrwt 6 root root 4096 Apr  5 09:16 ..
srwxrwxrwx 1 root root    0 Apr  5 09:12 X0
Using rm -rf is potentially dangerous

The fact that there are whole directories owned by root in /tmp boggles me! I deleted all files including directories in /tmp using:
Code:
rm * -rf
rm . -rf
However, when I rebooted the files were recreated again. The agent.**** was resurrected as well.

Added On: 8th April, 2014.
As you can see, I deleted the contents of /tmp. This action is dangerous, so be warned not to do it. If you decide you still want to do it, here is a safer way of performing it: (as root)
Code:
cd /home/your-user-name
mkdir tmp-backup
# "/tmp/." also copies hidden entries such as .X11-unix, which "/tmp/*" skips
cp -a /tmp/. ./tmp-backup/
Then, if things go wrong, restore /tmp from the backup: (as root)
Code:
cd /home/your-user-name
cp -a ./tmp-backup/. /tmp/
In case of a boot failure, you will need to mount the partition containing the installation's /tmp. This can be done as follows:

I will assume the partition containing the installation is: /dev/sda7, yours is almost certainly different.
Code:
mkdir /mnt/sda7
mount /dev/sda7 /mnt/sda7
cp -a /mnt/sda7/home/your-user-name/tmp-backup/. /mnt/sda7/tmp/
umount /mnt/sda7

Last edited by edbarx; 04-08-2014 at 04:40 AM.
 
Old 04-05-2014, 04:30 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,332
Blog Entries: 55

Rep: Reputation: 3533
Quote:
Originally Posted by edbarx
Please, don't bury my thread, as I need advice as to what I should do. The thread you mentioned was created two years ago. In that time span, there were definitely new additional security-related novelties. Something new may be causing my problem.
I'm not going to "bury" your thread, just move it to the Newbie forum. Also you don't post in the Security forum because of more exposure: the case should fit the bill. (I've renamed your thread "How to diagnose system overexertion?" as that seems more fitting.)


Quote:
Originally Posted by edbarx
The fact that there are whole directories owned by root in /tmp boggles me! I deleted all files including directories in /tmp using:
Code:
rm * -rf
rm . -rf
However, when I rebooted the files were recreated again. The agent.**** was resurrected as well.
The thread I mentioned is as much in your interest as it is in the interest of those replying (well, if they actually care to read, that is...) which your reply just underscored: you simply don't know your system well enough to draw the proper conclusion. The first item on your list was the SSH agent UNIX socket (see 'man ssh-agent'), the second one your Xorg UNIX socket (see 'man xorg': "network connections") and the others relate to sound, X sessions and ssh-agent as well.

Last edited by unSpawn; 04-05-2014 at 04:33 AM.
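
Added example (not part of any post in this thread): the sketch below decodes the mode column of the "ls -l" lines posted above to show that the zero-size entries are UNIX sockets, and applies the sticky-directory deletion rule to show why "rm X0" returned "Operation not permitted". The helper names are hypothetical; group membership and directory search permission are not modelled.

```python
# Added example: triage of the /tmp listing quoted in this thread.
FILE_TYPES = {"-": "regular file", "d": "directory", "s": "UNIX socket",
              "l": "symlink", "p": "FIFO", "c": "char device", "b": "block device"}

# Lines copied from the "ls -aRl /tmp" output posted in the thread.
LISTING = """\
drwxrwxrwt  2 root   root   4096 Apr  5 09:12 .ICE-unix
drwx------  2 edbarx edbarx 4096 Apr  5 09:12 ssh-6Y7OMdN66KgB
-r--r--r--  1 root   root     11 Apr  5 09:12 .X0-lock
drwxrwxrwt  2 root   root   4096 Apr  5 09:12 .X11-unix
srw------- 1 edbarx edbarx    0 Apr  5 09:12 agent.4285
srwxrwxrwx 1 root root    0 Apr  5 09:12 X0
"""


def parse_ls_line(line):
    """Decode the fields of one 'ls -l' line that matter for triage."""
    mode, _links, owner, _group, size, _mon, _day, _time, name = line.split(None, 8)
    return {
        "name": name,
        "type": FILE_TYPES.get(mode[0], "unknown"),
        "owner": owner,
        "size": int(size),
        "owner_write": mode[2] == "w",
        "other_write": mode[8] == "w",
        # 't' or 'T' in the last position is the sticky (restricted deletion) bit
        "sticky": mode[9] in "tT",
    }


def may_unlink(caller, directory, entry):
    """Can 'caller' remove 'entry' from 'directory'? (hypothetical helper)

    Assumption: the caller is either the directory owner or in the 'other'
    class; group membership and search (x) permission are not modelled.
    """
    if caller == "root":
        return True
    writable = (directory["owner_write"] if caller == directory["owner"]
                else directory["other_write"])
    if not writable:
        return False
    if directory["sticky"]:
        # In a sticky directory only the entry's owner or the directory's
        # owner may remove or rename an entry.
        return caller in (entry["owner"], directory["owner"])
    return True


ENTRIES = {e["name"]: e for e in map(parse_ls_line, LISTING.splitlines())}

if __name__ == "__main__":
    for e in ENTRIES.values():
        print(f'{e["name"]:18} {e["type"]:13} owner={e["owner"]} size={e["size"]}')
    print("edbarx may rm X0:", may_unlink("edbarx", ENTRIES[".X11-unix"], ENTRIES["X0"]))
```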
 
Old 04-05-2014, 04:35 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,332
Blog Entries: 55

Rep: Reputation: 3533
...and like I said in the beginning: start by actually monitoring system resources like CPU, RAM and disk by processes. You could simply keep open a terminal window and run something like top or htop when you visit sites you think stress your machine (too) much and see which processes are involved. Then you figure out if the same happens if you disable plugins like Java and Flash and if that doesn't help disable Javascript for the site. Post back your findings!
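
Added example (not part of any post in this thread): one way to record which processes are busy while a page is open, by sampling /proc/<pid>/stat twice and converting the CPU-tick delta to a percentage, which is the same figure top and htop display. The sample stat lines, PIDs and function names are constructed for illustration.

```python
import os
import time

# Constructed /proc/<pid>/stat contents for two samples taken 5 s apart.
T0 = ["5001 (iceweasel) S 1 5001 5001 0 -1 4202496 900 0 0 0 1200 300 0 0 20 0 40 0 7000 0 0",
      "5002 (odd (name) proc) S 1 5002 5002 0 -1 4202496 10 0 0 0 40 10 0 0 20 0 1 0 7100 0 0"]
T1 = ["5001 (iceweasel) S 1 5001 5001 0 -1 4202496 950 0 0 0 1600 350 0 0 20 0 40 0 7000 0 0",
      "5002 (odd (name) proc) S 1 5002 5002 0 -1 4202496 10 0 0 0 45 10 0 0 20 0 1 0 7100 0 0"]


def parse_stat(text):
    """Return (pid, comm, cpu_ticks) from the contents of /proc/<pid>/stat."""
    # comm is wrapped in parentheses and may contain spaces or ')', so split
    # on the LAST ')' rather than on whitespace.
    head, _, tail = text.rpartition(")")
    pid, _, comm = head.partition(" (")
    fields = tail.split()
    # 'tail' starts at field 3 (state); utime and stime are fields 14 and 15.
    return int(pid), comm, int(fields[11]) + int(fields[12])


def snapshot_from(texts):
    """Build a {pid: (comm, ticks)} snapshot from raw stat strings."""
    return {pid: (comm, ticks) for pid, comm, ticks in map(parse_stat, texts)}


def snapshot(proc="/proc"):
    """Read a live snapshot; processes that exit mid-scan are skipped."""
    texts = []
    for name in os.listdir(proc):
        if name.isdigit():
            try:
                with open(os.path.join(proc, name, "stat")) as fh:
                    texts.append(fh.read())
            except OSError:
                continue
    return snapshot_from(texts)


def cpu_percent(before, after, interval, hz):
    """Per-process CPU% between two snapshots, busiest first.

    100% equals one fully used core, so a multi-threaded process on a
    dual-core CPU can exceed 100.
    """
    rows = []
    for pid, (comm, ticks) in after.items():
        if pid in before and before[pid][0] == comm:  # skip new or recycled PIDs
            pct = 100.0 * (ticks - before[pid][1]) / hz / interval
            rows.append((round(pct, 1), pid, comm))
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    hz, interval = os.sysconf("SC_CLK_TCK"), 5.0
    first = snapshot()
    time.sleep(interval)  # load or reload the suspect page during this window
    for pct, pid, comm in cpu_percent(first, snapshot(), interval, hz)[:5]:
        print(f"{pct:6.1f}%  {pid:>6}  {comm}")
```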
 
Old 04-05-2014, 04:46 AM   #10
edbarx
Member
 
Registered: Sep 2010
Distribution: Used Debian since Sarge. (~2005)
Posts: 369

Original Poster
Rep: Reputation: 18
Thanks for posting some valuable information.

ADDED LATER:
Sadly, the new title of the thread and the section of the forums where it is placed, are misleading.

This thread is not about an overloaded system. In fact, I pay special attention during every installation not to overload my system. I have been doing that since the days I used MS Windows. This is a security issue. That is why I originally placed the thread in the Security section.

I don't use a fit-all installer to install my system. Instead, I use debootstrap and a chroot. I am the author of several howtos, let alone being a 'newbie'. However, if you want to patronize me, why not? I am your toddler, I am helpless as regards to your abuse, but I will not shame myself as to inflict abuse onto others who may irritate me for various reasons.

I have been using GNU/Linux non-stop since 2007 and before.

Last edited by edbarx; 04-05-2014 at 05:52 AM.
 
Old 04-05-2014, 06:23 AM   #11
AwesomeMachine
Senior Member
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora
Posts: 1,924

Rep: Reputation: 278
The gnuflash-plugin,

gnash

can cause your problem. You can try uninstalling it and installing,

flashplugin-nonfree.

Then run,

/usr/sbin/update-flashplugin-nonfree --install

You haven't observed anything out of the ordinary. Those temp files are mostly sockets (virtual files of size 0). Agent.xxxx is probably ssh. If you don't like ssh, you can turn it off with:

update-rc.d

The sound daemon can also place a heavy load on the CPU chip. Turn off sound or kill the daemon and see what happens. Use:

top

to diagnose cpu usage. The fan runs faster when the cpu works harder. You might also install:

clamav

if you're worried about malware.

iceweasel (firefox)

periodically dumps memory to swap, if the application has had many tabs left open for hours, or days. That can make the fan noisy.

I hope this helps. I have faith in your ability. Everyone gets stuck once in a while. Just keep trying.
 
Old 04-05-2014, 07:05 AM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,332
Blog Entries: 55

Rep: Reputation: 3533
Quote:
Originally Posted by edbarx
Sadly, the new title of the thread and the section of the forums where it is placed, are misleading.
Feel free to use the "Report" button and ask for the thread to be renamed.


Quote:
Originally Posted by edbarx
I am the author of several howtos, let alone being a 'newbie'. (..) I have been using GNU/Linux non-stop since 2007 and before.
It's great to see you are an active member of the Linux Community (not that I couldn't find any HOWTO's written by you BTW) and if the "Newbie forum" doesn't reflect your knowledge of and practical experience with Linux (not that an experienced user would willy-nilly delete file system contents indiscriminately without prior research) then feel free to use the "Report" button and ask for the thread to be moved.


However before you indicate it to be moved to the Linux Security forum:
Quote:
Originally Posted by edbarx
This is a security issue.
you should prove it by gathering data as suggested more than a few times in this thread.
 
Old 04-05-2014, 07:23 AM   #13
edbarx
Member
 
Registered: Sep 2010
Distribution: Used Debian since Sarge. (~2005)
Posts: 369

Original Poster
Rep: Reputation: 18
Quote:
Originally Posted by unSpawn
It's great to see you are an active member of the Linux Community (not that I couldn't find any HOWTO's written by you BTW) and if the "Newbie forum" doesn't reflect your knowledge of and practical experience with Linux (not that an experienced user would willy-nilly delete file system contents indiscriminately without prior research)
In the event of a boot failure, I could have easily restored those directories. Boot failure is not the end of the multiverse.
 
Old 04-05-2014, 07:40 AM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,332
Blog Entries: 55

Rep: Reputation: 3533
Quote:
Originally Posted by edbarx
In the event of a boot failure, I could have easily restored those directories. Boot failure is not the end of the multiverse.
That's a reassuring thought (apart from the fact that ssh-agent, Xorg and others will automagically re-initialize those sockets on boot which you, being a knowledgeable long term Linux user, already know) however it does in no way contribute constructively to solving the problem. If there actually is any.
 
Old 04-05-2014, 08:25 AM   #15
edbarx
Member
 
Registered: Sep 2010
Distribution: Used Debian since Sarge. (~2005)
Posts: 369

Original Poster
Rep: Reputation: 18
a) I used htop as suggested and logged into facebook. The consequent CPU use for iceweasel 24.4.0 (Wheezy) hovers around 90%.
b) For the bbc.co.uk website the CPU use varies from 5% to 40% but it is most of the time below 20%.
c) For youtube, while viewing a video the CPU use is around 40%.
d) For this forum the CPU use is between 7% and 12%.

All percentages are the CPU use for iceweasel. Hopefully, this sheds some useful light as to the cause.


ADDED LATER:
I think I found the solution. facebook, apparently, uses invisible css animations that consume too much CPU time. I will report later if this fixes the problem.

Last edited by edbarx; 04-05-2014 at 08:40 AM.
 
  


All times are GMT -5. The time now is 01:02 PM.
