LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 03-25-2010, 11:51 AM   #1
rjo98
Senior Member
 
Registered: Jun 2009
Location: US
Distribution: RHEL, CentOS
Posts: 1,668

Rep: Reputation: 46
Search all files for something


I think i have a process or something somewhere that is copying a TON of data every night to a computer. Is there a way I can search on the entire RHEL server to see if there's a file/script/process/etc containing the computer's name in it which would be doing the copy on a regular basis? the computers IP has changed so i know its not doing it by ip address, has to be by computer name.
 
Old 03-25-2010, 11:55 AM   #2
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,272

Rep: Reputation: 148Reputation: 148
check the cronjob, is there any job for databackup
#crontab -e
 
Old 03-25-2010, 11:58 AM   #3
rjo98
Senior Member
 
Registered: Jun 2009
Location: US
Distribution: RHEL, CentOS
Posts: 1,668

Original Poster
Rep: Reputation: 46
There's nothing in any of my users crontab's that I can see doing it.
 
Old 03-25-2010, 03:14 PM   #4
rjo98
Senior Member
 
Registered: Jun 2009
Location: US
Distribution: RHEL, CentOS
Posts: 1,668

Original Poster
Rep: Reputation: 46
Anyone else have any ideas? what i was thinking is if i could search through all the files for the computer's name, that would tell me if there is a script or something out there that could possibly be being ran.
 
Old 03-25-2010, 05:01 PM   #5
roy_lt_69
Member
 
Registered: Aug 2006
Location: Vancouver, BC, Canada
Distribution: Slackware, Bodhi, Mint-xfce
Posts: 182

Rep: Reputation: 21
Have you tried grep and its variants?

But realistically, it maybe some sort of scheduled maintenance program being run on you machine, such as log maintenance, database updates (eg locate), checks for new software updates, etc.
Or maybe you have an open ftp, bittorrent, share service (eg samba), etc?
 
Old 03-25-2010, 05:12 PM   #6
rjo98
Senior Member
 
Registered: Jun 2009
Location: US
Distribution: RHEL, CentOS
Posts: 1,668

Original Poster
Rep: Reputation: 46
so far all i've tried was looking in crontabs, not sure where else to go
 
Old 03-25-2010, 05:48 PM   #7
tredegar
LQ 5k Club
 
Registered: May 2003
Location: London, UK
Distribution: Debian "Jessie"
Posts: 6,085

Rep: Reputation: 398Reputation: 398Reputation: 398Reputation: 398
You really haven't given us any useful information:
Quote:
I think i have a process or something somewhere that is copying a TON of data every night to a computer.
"I think" - Evidence please.
"a process or something somewhere" - Evidence please.
"a TON of data" - Evidence please.
"to a computer" - Which computer, on your LAN or the big bad interweb ?

Without more details, we cannot help you.
 
1 members found this post helpful.
Old 03-25-2010, 06:11 PM   #8
rjo98
Senior Member
 
Registered: Jun 2009
Location: US
Distribution: RHEL, CentOS
Posts: 1,668

Original Poster
Rep: Reputation: 46
Evidence: from my network monitoring software, I show 100's of GB of data moving from the server to a computer, which is on my lan. The monitoring software cannot narrow down what port the data is going over, only the amount of data going through the server's port on the switch and which direction.

Not sure if that's what you meant by evidence, or what difference all that makes. If it were 500GB or 500MB, something's still sending it, its that something i'm trying to find. Let me try restating the part you quoted with more detail: "100s of GB's of data is being moved off a server to a computer every night. The computer has been wiped and reloaded yet the network traffic still exists between devices, so the workstation is not pulling data, therefore the data must be being sent from the server out to the computer". Not trying to waste anybody's time here with some hypothetical situation, hope I didn't offend you, which i sense I did. I thought it made sense since some people replied with ideas i already tried, maybe not.

I await your response since you can understand my problem now. thanks in advance tredegar.
 
Old 03-25-2010, 06:26 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530
On any capable client in the LAN you can have:
- an account of which users are active at what time by looking at output of 'last',
- an account of what commands users execute by searching shell history files and system and daemon logs,
- process accounting to see which users execute what commands,
- detailed process statistics (atop, dstat, collectl) for the same,
- client iptables rules that only "-j LOG" traffic,
- tcpdump or wireshark log traffic,
to start with. Gathering nfo will also help answer roy_lt_69's questions. However the interesting phrase "The computer has been wiped and reloaded" suggests you have had trouble before you posed this question. As tredegar indicated: the more information the better. Something that may sound uninteresting, common or trivial to you may hold clues for others. And what is your "network monitoring software" or what does it offer?
 
Old 03-25-2010, 07:37 PM   #10
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,240

Rep: Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324
Assuming you mean the target system has been wiped/restored, have you checked the src machine's system crontabs. These are not found under the user's names, but usually something under cron eg on my Centos system
Code:
cd /etc
ls|grep cron

anacrontab
cron.d
cron.daily
cron.deny
cron.hourly
cron.monthly
crontab
cron.weekly
note cron.d is a dir.

The timing of these txfrs is important; there is highly likely to be a log file that has recs around that time.
 
Old 03-26-2010, 09:06 AM   #11
rjo98
Senior Member
 
Registered: Jun 2009
Location: US
Distribution: RHEL, CentOS
Posts: 1,668

Original Poster
Rep: Reputation: 46
Quote:
Originally Posted by unSpawn View Post
However the interesting phrase "The computer has been wiped and reloaded" suggests you have had trouble before you posed this question. As tredegar indicated: the more information the better. Something that may sound uninteresting, common or trivial to you may hold clues for others. And what is your "network monitoring software" or what does it offer?
Hi unSpawn. The reason I wiped and reloaded the workstation was nothing more than 1) to eliminate any software/scheduled task/etc on that workstation as the possible culprit. it only takes me 20 minutes to put an image on that workstation, so it wasnt a big deal and instantly eliminated a lot of things that "could" be causing this. The machine was fine, all the hardware checked out ok. It's an XP machine btw, but the server is RHEL.
All the network monitoring software does is show traffic in and out of ports on my switches. So by comparing the charts from the server and this workstation, they match up. I'm just struggling to figure this out because i'm new to Linux. if it was a windows server, I'd be all set figuring this out, and wouldn't be posting on a linux website haha.

Last edited by rjo98; 03-26-2010 at 09:10 AM.
 
Old 03-26-2010, 09:09 AM   #12
rjo98
Senior Member
 
Registered: Jun 2009
Location: US
Distribution: RHEL, CentOS
Posts: 1,668

Original Poster
Rep: Reputation: 46
Quote:
Originally Posted by chrism01 View Post
Assuming you mean the target system has been wiped/restored, have you checked the src machine's system crontabs. These are not found under the user's names, but usually something under cron eg on my Centos system
Code:
cd /etc
ls|grep cron

anacrontab
cron.d
cron.daily
cron.deny
cron.hourly
cron.monthly
crontab
cron.weekly
note cron.d is a dir.

The timing of these txfrs is important; there is highly likely to be a log file that has recs around that time.
Thanks ChrisM. I did a grep -r computername * when i was in /etc and didn't find anything. was that the right way to look?
 
Old 03-29-2010, 07:33 AM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530
Quote:
Originally Posted by rjo98 View Post
The reason I wiped and reloaded the workstation was nothing more than 1) to eliminate any software/scheduled task/etc on that workstation as the possible culprit. (..) instantly eliminated a lot of things that "could" be causing this.
Wipe 'n restore ops may seem convenient but done w/o prior investigation just shows that it is not efficient.


Quote:
Originally Posted by rjo98 View Post
The machine was fine (..) It's an XP machine btw
How would you know exactly?
 
Old 03-29-2010, 08:08 AM   #14
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Debian
Posts: 8,576
Blog Entries: 31

Rep: Reputation: 1195Reputation: 1195Reputation: 1195Reputation: 1195Reputation: 1195Reputation: 1195Reputation: 1195Reputation: 1195Reputation: 1195
May I summarise?
  1. Network traffic analysis running on a switch shows hundreds of GB per night going from a RHEL server and a similar amount of traffic going to a WXP workstation.
  2. The workstation has been rebuilt, presumably to a standard configuration; the phenomenon continues.
  3. The OP is new to Linux.

That's it? From 13 posts?!

Why this one workstation? What's special about this one workstation that was special before and after it was rebuilt? The switch port? MAC address? IP address? Name? What happens if some of the things that were the same are changed -- MAC address and switch port, dunno about the others.

On the server side, hundreds of GB per night shouldn't be too hard to spot. Linux has plenty of good tools as already mentioned. Way easier than guessing in the dark and searching files for computer ID strings would be to identify the server processes that are sending all those GB. Makes the needle bigger and the haystack smaller!
 
Old 03-29-2010, 09:23 AM   #15
rjo98
Senior Member
 
Registered: Jun 2009
Location: US
Distribution: RHEL, CentOS
Posts: 1,668

Original Poster
Rep: Reputation: 46
Quote:
Originally Posted by catkin View Post
May I summarise?
  1. Network traffic analysis running on a switch shows hundreds of GB per night going from a RHEL server and a similar amount of traffic going to a WXP workstation.
  2. The workstation has been rebuilt, presumably to a standard configuration; the phenomenon continues.
  3. The OP is new to Linux.

That's it? From 13 posts?!

Why this one workstation? What's special about this one workstation that was special before and after it was rebuilt? The switch port? MAC address? IP address? Name? What happens if some of the things that were the same are changed -- MAC address and switch port, dunno about the others.

On the server side, hundreds of GB per night shouldn't be too hard to spot. Linux has plenty of good tools as already mentioned. Way easier than guessing in the dark and searching files for computer ID strings would be to identify the server processes that are sending all those GB. Makes the needle bigger and the haystack smaller!
Good summarization, and yeah it took 13 posts to get there haha. The workstation was reloaded with a standard load used on a few hundred other machines on the same network. We even replaced the motherboard with on-board NIC on the machine as well, to eliminate a bad NIC.

Wish I knew why it was this one workstation, thats why I keep thinking something on the server is looking for that name. I've given it two different IPs on the same subnet, then moved it to a completely different subnet and the problem still occurred. There's no special software loaded on this computer, we've plugged it into different physical ports on the same switch, then on a different switch (during different subnet tests). The MAC address would be different since the on-board NIC was replaced along with the motherboard. The only thing that I can think of that's stayed the same is the computer name, which is why i was trying to look for it on the server. I tried grep'ing through var/logs and didn't find anything, so i thought maybe greping recursively from / would be an idea. I mean, if something is set to do something to that computer name, grep would have to find it in a file somewhere i would think/hope?

I'm not sure how to identify the processes that could be doing this. I'm going to see if i can get wireshark going today, see if that tells me anything if i let it monitor overnight.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
How to search pdf files? Doug Zhang Linux - Software 7 01-12-2010 11:00 AM
Search tools (Affinity, Tracker Search Tool, etc.) not working - don't find any files Adamantus Linux - Newbie 1 03-30-2009 12:21 AM
can you specify which files to grep search? sneakyimp Linux - Software 4 10-12-2005 09:28 PM
Search for Files vs. ls albean Linux - Newbie 2 11-14-2004 03:35 PM
Search in configuration files fiomba Linux - Software 9 10-31-2004 05:45 PM


All times are GMT -5. The time now is 03:12 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration