If you're lucky, it's the kernel doing its housekeeping. But when it's not the kernel, you might have issues! Your server might be compromised and taken over by malware. Check if your server is chrooted with a specialist tool, I know it exists but lost its name.
A few things you might want to check to determine what is causing this. First, look in crontab to see what, if anything, is scheduled. Like Dutch Master said, it might just be regular housekeeping stuff. Also, try running Ethereal or tcpdump either on that host, or if possible, between that host and the Internet. If your server is rooted, it might look perfectly normal if you are running Ethereal/tcpdump on the server. Look and see what is going on network-wise, and check who your server is connecting to.
If you did the checks proposed by Dutch Master and imemyself, you might want to try some additional things:
You could install and use chkrootkit (there's a deb for that, so you can apt-get it) and rkhunter (rootkit hunter - http://www.rootkit.nl <- the name's misleading, it sounds threatening, I agree, but it's a helpful piece of software!). Of course, this only helps if you're a) rooted and b) a rootkit has been used to achieve this. But it may also help you get an idea of what's really going on (it needn't be malware... /etc/crontab's a good place to start, as Dutch Master has already stated).
How about shutting down sshd for a moment - or preventing root access via SSH (of course, you can only do that if you've got console access and/or another account you can use - but this may be compromised, too)? Did you use and check the output of top (or even better, htop if it's installed), ps, who and last to look for anything unusual?
If you've set up SSH access, check /etc/sudoers for anything that looks unusual - and do that thoroughly; if you're using a modified default sudoers file, there might be a lot of junk in there (it's meant to be something like a tutorial, but it's rather easy to hide things between that lot of lines - not very well, though, but it looks confusing enough as it is).
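The sudoers check suggested in the post above, as an added example that is not part of the original thread: it strips the tutorial comments and prints only the lines sudo acts on. The function names and the sample file are constructed for illustration; the one non-obvious rule it encodes is that `#include`/`#includedir` and `#<digits>` (a numeric UID) are live entries, not comments.

```shell
#!/bin/sh
# Added example: list the lines of a sudoers file that sudo actually acts on.
# In sudoers, '#' starts a comment EXCEPT for '#include'/'#includedir'
# directives and '#<digits>' used as a numeric UID, so lines of those
# shapes are live even though they look commented out.

# Print "lineno: text" for every active line of the file given as $1.
active_sudoers() {
    awk '
        /^[ \t]*$/                  { next }                     # blank line
        /^[ \t]*#include(dir)?[ \t]/ { print NR ": " $0; next }  # live include directive
        /^[ \t]*#[0-9]+[ \t]/       { print NR ": " $0; next }   # rule for a numeric UID
        /^[ \t]*#/                  { next }                     # ordinary comment
                                    { print NR ": " $0 }         # everything else is active
    ' "$1"
}

# Of the active lines, print the ones to read first: passwordless grants,
# numeric-UID rules, and includes that pull in further files.
suspicious_sudoers() {
    active_sudoers "$1" |
        grep -E 'NOPASSWD|^[0-9]+: [[:space:]]*#[0-9]+|^[0-9]+: [[:space:]]*[#@]include'
}

# Constructed sample input (not taken from the thread).
write_sample() {
    cat > "$1" <<'EOF'
# This file MUST be edited with visudo.
# User privilege specification
root    ALL=(ALL:ALL) ALL
# Example only, uncomment to enable:
# %wheel ALL=(ALL) NOPASSWD: ALL
#1001   ALL=(ALL) NOPASSWD: ALL
%sudo   ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "Active lines:";     active_sudoers "$sample"
echo "Read these first:"; suspicious_sudoers "$sample"
rm -f "$sample"
```

Against a real system, run it as root on /etc/sudoers and on each file under any directory an include line names, and confirm syntax separately with `visudo -c`.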
I have root access! Only with ssh! I have no console access!
I can't see anything else in these files.
I have watched the TOP output for hours but nothing!
Okay, I think the problem is more a nasty nuisance than something serious - but I can't be sure, of course.
My own (old) Debian server accesses its disc every few seconds - and I can't seem to do much about it, to be frank. But the CPU load is low, at that (I'm running folding@home as a background process, so basically, the "load"'s always 100%, but I see how much the core system is using).
What baffles me is that your server pushes up network activity without any reason - but there don't seem to be any processes that cause it - which can't be... Could you paste a (short(!), but typical) excerpt of /var/log/syslog that shows what's happening? And: No results from ps axu in the "%CPU" column that show anything? To paste things here, you can use the files you generated with ">" (compare the cli example above); pull them off the server over to the machine you use ssh from in order to copy/paste/edit/cut...
This brings me to another idea: Is there a backup script running on the server - unintentionally, maybe? And if yes, which one? This would cause the server to look for its backup device "elsewhere", maybe for a networked backup server that, of course, isn't there. That'd explain the packet drops you mentioned earlier... But I'm wading the bog here, it's all guesswork...
And last, but not least: What hardware are you using - low RAM, maybe? Low resources in general?