cpu ......100%......

mohama · 01-05-2006, 06:22 PM

hey ,

i noticed that some times my cpu usage is 100% , although i do not run any programs except maybe a mozilla browser and amarok mp3 player , the point is that it stuke like that all the time ... when i checked to know what proccess causes this i find that it's the X ...

any body know what does this mean ?? and what is the reason of this ?? and how to solve this problem ... !
thank you all very much ,
muhammad-sameer ,

mohama · 01-05-2006, 06:24 PM

it's the x command it's user is root , it have an argument like this : -
/etc/X11/X -deferglyphs 16:0 -auth /var/run/xauth/A:0-5MZFyZ ...
it take about 175 MB

i have no idea what is this supposed to be ..?!

m-s

btmiller · 01-05-2006, 07:50 PM

Did you verify that is the process taking up the CPU in top? X does run setuid root to talk directly to the video hardware, but it would usually be the X binary itself -- something running out of /var/run (not a normal place for binaries) looks somewhat suspicious. Have you looked at the file itself and run a rootkit scanner on your machine? What kind of specs does your system have?

mohama · 01-05-2006, 08:06 PM

Quote:

Did you verify that is the process taking up the CPU in top?

yes i did ..!

Quote:

Have you looked at the file itself and run a rootkit scanner on your machine?

what file ??

i use mandriva 2006 .. and i have IBM centrino 1.6 GHz ..!

m-s

btmiller · 01-05-2006, 08:42 PM

I mean the actual executable that is taking up the CPU. When was the executable created? Was it something installed with your system? In general, executable programs don't get put into /var/run so something run there is a bit suspicious. Maybe Mandriva puts some component of the X server into there. It's hard to say what it is. It could be a sign that your system got broken into, but not necessarily -- you just have to investigate it. If possible, download chkrootkit and/or rkhunter to run on your system.

How much memory does your system have? Windowing systems like KDE require a lot of RAM.

mohama · 01-05-2006, 08:47 PM

Quote:

download chkrootkit and/or rkhunter to run on your system.

can you explain what does these do ??

Quote:

How much memory does your system have?

i have 512 MB + 600MB swap ...but the usage of the ram is about 50-60% ...

m-s .

btmiller · 01-05-2006, 09:03 PM

Well, that ought to be enough memory.

Basically, rkhunter and chkrootkit look for signs that your system has been compromised by an attacker. They're not perfect, particularly if any attacker has replaced critical system binaries, but they can help. You sho

In any case, I was re-reading your post and it's probably not a compromise (didn't quite read the full command line, sorry -- long day), but it never hurts to check if you notice strange behavior. It looksmore like a normal X windows process has gone awry. Have you tried simply killing the process in question? It might mess up your X windopws session, but it's worth a try. Have you changed your GUI configuration recently? If all else fails, try restarting the X server and see if the problem persists.

mohama · 01-05-2006, 09:13 PM

i'll try it later ...

Quote:

Have you tried simply killing the process in question?

yes i tried , but it does not die , i tried to kill and to end it from the gnome-system-monitor and it didn't respond to this ..!( thing that drive me mad )

Quote:

Have you changed your GUI configuration recently?

no i didn't ...
i noticed that there have been threads with same subject ... but not realy helpful
thanks alot ,

muhammad-sameer .

jlliagre · 01-06-2006, 01:34 AM

Why is this X server listening on 6016 ?
What launched it ? (pstree)
Have you more than one X server running ?

mohama · 01-06-2006, 06:02 AM

Quote:

Why is this X server listening on 6016 ?

what is 6016 ??

Quote:

What launched it ? (pstree)
Have you more than one X server running ?

it launch automatically ... and i don't think that i have more than one run .. !

m-s

btmiller · 01-06-2006, 11:48 PM

Try using ps to find the PID of the process, and then open up a terminal, become root, and issue the command "kill -9 <PID>" (no quotes). This basically nukes the process completely, and it's generally not a good idea since it doesn't give the process a chance to clean up after itself, but it's quite handy if you're desperate. Have you tried running a rootkit detector like I suggested?

Unfortunately, stuff like this can be hard to debug via a forum. Could you post the results of

Code:

ls -l /etc/X11/X

and

Code:

ps auxw

It might help to see what this executable looks like and what all else is running.

mohama · 01-07-2006, 12:05 AM

Quote:

Could you post the results of
Code:
ls -l /etc/X11/X

this is the result ...
lrwxrwxrwx 1 root root 24 Nov 11 00:15 /etc/X11/X -> ../../usr/X11R6/bin/Xorg*

about the other command it's not good idea to post the result because it's very long ... but i think this is relevant ...

Quote:

mohama 5176 0.0 0.1 2428 832 ? S 04:47 0:00 xsettings-kde

( by the way it's right now working correctly ..! :-o )

Quote:

Try using ps to find the PID of the process, and then open up a terminal, become root, and issue the command "kill -9 <PID>"

i thought about that previously ... but it ( the X ) does not appear by the ps command ..!

another thing about the argument file i mention above ( it's a photo ) sounds strang .. for me too ..! ( it's black )

Quote:

Have you tried running a rootkit detector like I suggested?

sorry , not yet .. i have exercise to finish !!

thanks for the help ..
m-s

btmiller · 01-07-2006, 12:54 AM

No worries ... looks like the file in /etc/X11 is just a symbolic link to the main Xorg binary, so nuking that process will probably bring down your GUI. This pretty much also confirms that it's probably not a security issue, like I was originally thinking. I'm afraid I'm running aq bit low on ideas at this p[oint, but you might want to check your /var/log/Xorg.0.log file to see if X is reporting any hardware or software errors that might cause it to eat a lot of CPU. As I said, X does normally need a good amount of CPU power, but it should not be constantly using 100% of your processor.

Anyhow good luck with it all ... I'll post back if I get any more ideas.

jlliagre · 01-07-2006, 03:26 AM

Quote:

Originally Posted by mohama

what is 6016 ??

This server is passed the option :16, meaning it will listen on the TCP port 6016.
This is unexpected, an X server is normally listening on TCP port 6000.

Quote:

it launch automatically

I understand it is launched automatically, the question is "what launched it ?".

Quote:

... and i don't think that i have more than one run .. !
m-s

Are you just thinking, or are you sure ?
Please use the pstree command to figure it out.

mohama · 01-07-2006, 08:13 AM

Code:

─kdm─┬─X
     └─kdm───startkde─┬─kwrapper
     │                ├─mdkapplet
     │                ├─net_applet
     │                └─startkde───gnome-volume-ma

so i am sure that i have only one ..!
m-s