Hi!

I have a debian server.
The CPU is absolutly idle and there is nothing on the server.

The load rise every 10 hours periodic.

I stoped all daemon -> nothing change
There is no new process!
There is permanent 2-3k eth0 input. Is this normal?

What is the problem!

Please help!!!

I have some pictures too!

Please help me!

Here are some pictures:
http://www.sokristaly.hu/load/load-1.gif
http://www.sokristaly.hu/load/load-2.gif
http://www.sokristaly.hu/load/load-3.gif

If you're lucky, it's the kernel doing it's housekeeping. But when it's not the kernel, you might have issues! Your server might be compromised and taken over by malware. Check if your server is chrooted with a specialist tool, I know it exists but lost it's name

A few things you might want to check to determine what is causing this. First, look in crontab to see what if anything is scheduled. Like Dutch Master said, it might just be regular housekeeping stuff. Also, try running Ethereal or tcpdump either on that host, or if possible, between that host and the Internet. If your server is rooted, it might look perfectly normal if you are running Ethereal/tcpdump on the server. Look and see what is going on network wise, and check who your server is connecting to.

galor:

If you did the checks proposed by Dutch Master and imemyself, you might want to try some additional things:

• You could install and use chkrootkit (there's a deb for that, so you can apt-get it) and rkhunter (rootkit hunter - http://www.rootkit.nl <- the name's misleading, it sounds threatening, I agree, but it's a helpful peace of software!). Of course, this only helps if you're a) rooted and b) a rootkit has been used to achieve this. But it may also help you get an idea of what's really going on (it needn't be malware... /etc/crontab's a good place to start, as Dutch Master has already stated).
• How about shutting don sshd for a moment - or prevent root access via SSH (of course, you can only do that if you've got console access and/or another account you can use - but this may be compromised, too)? Did you use and check the output of top (or even better, htop if it's installed), ps, who and last to look for anything unusual?
• If you've set up SSH access, check /etc/sudoers for anything that looks unusual - and do that thorougly; if you're using a modified default sudoers file, there might be a lot of junk in there (it's meant to be something like a tutorial, but it's rather easy to hide things between that lot of lines - not very well, though, but it looks confusing enough as it is).

chkrootkit -> nothing!

crontab -> nothing!
I have stopped cron daemon but nothing change!

sudoers -> nothing!
top, ps, who, last -> nothing!

I have no console access to the server only ssh!


tcpdump show lot of packages but kernel drops 99percent.
I don't see anything unusual.

rkhunter -> nothing!

Do you have root access (sorry to ask again, but ps and top won't help much if you aren't root)? If yes, do at a time when load is highest:
then browse the column "%CPU" for a process that's very active (or unusually so):
What does
say under such circumstances?

Anything strange in one of those files (*dump)?

Doesn't look too bad, then, does it? Situation still unchanged?

Another hunch I got right now: Is that a shared server or entirely yours?

I have root access! Only with ssh! I have no console access!
I cant see anything else in this files.
I have watched the TOP output for hours but nothing!

Thank you for the help!!!

This is a new server! Entirely mine!

I have other servers with 2.4.27 kernel and with the same packages and
there is no load.

There is 2.6.15 kernel on this server. This server is in another server room!
These are the only things are diferent.

Okay, I think the problem is more a nasty nuisance than something serious - but I can't be sure, of course.

My own (old) Debian server accesses its disc every few seconds - and I can't seem to do much about it, to be frank. But the CPU load is low, at that (I'm running folding@home as a background process, so basically, the "load"'s always 100%, but I see how much the core system is using).

What baffles me is that your server pushes up network activity without any reason - but there don't seem to be any processes that cause it - which can't be... Could you paste a (short(!), but typical) excerpt of /var/log/syslog that shows what's happening? And: No results from ps axu in the "%CPU" column that show anything? To paste things here, you can use the files you generated with ">" (compare the cli example above); pull them off the server over to the machine you use ssh from in order to copy/paste/edit/cut...

This brings me to another idea: Is there a backup script running on the server - unintentionally, maybe? And if yes, which one? This would cause the server to look for its backup device "elsewhere", maybe for a networked backup server that, of course, isn't there. That'd explain the packet drops you mentionned earlier... But I'm wading the bog here, it's all guesswork...

And last, but not least: What hardware are you using - low RAM, maybe? Low resources in general?

Ermmm the kernel (or tcpdump) drops 99%, not so usual to me!!
Try to redirect the output to a file.

This is the easiest thing to look at, a traffic analyzer.