Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
 |
|
01-05-2006, 06:22 PM
|
#1
|
Member
Registered: May 2005
Location: solar-system->earth->northern hemisphere
Distribution: ubunutu+knoppix+suse
Posts: 197
Rep:
|
cpu ......100%......
hey ,
i noticed that some times my cpu usage is 100% , although i do not run any programs except maybe a mozilla browser and amarok mp3 player , the point is that it stuke like that all the time ... when i checked to know what proccess causes this i find that it's the X ...
any body know what does this mean ?? and what is the reason of this ?? and how to solve this problem ... !
thank you all very much ,
muhammad-sameer ,
|
|
|
01-05-2006, 06:24 PM
|
#2
|
Member
Registered: May 2005
Location: solar-system->earth->northern hemisphere
Distribution: ubunutu+knoppix+suse
Posts: 197
Original Poster
Rep:
|
more detail ..
it's the x command it's user is root , it have an argument like this : -
/etc/X11/X -deferglyphs 16:0 -auth /var/run/xauth/A:0-5MZFyZ ...
it take about 175 MB
i have no idea what is this supposed to be ..?!
m-s
|
|
|
01-05-2006, 07:50 PM
|
#3
|
Senior Member
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290
|
Did you verify that is the process taking up the CPU in top? X does run setuid root to talk directly to the video hardware, but it would usually be the X binary itself -- something running out of /var/run (not a normal place for binaries) looks somewhat suspicious. Have you looked at the file itself and run a rootkit scanner on your machine? What kind of specs does your system have?
|
|
|
01-05-2006, 08:06 PM
|
#4
|
Member
Registered: May 2005
Location: solar-system->earth->northern hemisphere
Distribution: ubunutu+knoppix+suse
Posts: 197
Original Poster
Rep:
|
hi ..
Quote:
Did you verify that is the process taking up the CPU in top?
|
yes i did ..!
Quote:
Have you looked at the file itself and run a rootkit scanner on your machine?
|
what file ??
i use mandriva 2006 .. and i have IBM centrino 1.6 GHz ..!
m-s
|
|
|
01-05-2006, 08:42 PM
|
#5
|
Senior Member
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290
|
I mean the actual executable that is taking up the CPU. When was the executable created? Was it something installed with your system? In general, executable programs don't get put into /var/run so something run there is a bit suspicious. Maybe Mandriva puts some component of the X server into there. It's hard to say what it is. It could be a sign that your system got broken into, but not necessarily -- you just have to investigate it. If possible, download chkrootkit and/or rkhunter to run on your system.
How much memory does your system have? Windowing systems like KDE require a lot of RAM.
|
|
|
01-05-2006, 08:47 PM
|
#6
|
Member
Registered: May 2005
Location: solar-system->earth->northern hemisphere
Distribution: ubunutu+knoppix+suse
Posts: 197
Original Poster
Rep:
|
replay
Quote:
download chkrootkit and/or rkhunter to run on your system.
|
can you explain what does these do ??
Quote:
How much memory does your system have?
|
i have 512 MB + 600MB swap ...but the usage of the ram is about 50-60% ...
m-s .
|
|
|
01-05-2006, 09:03 PM
|
#7
|
Senior Member
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290
|
Well, that ought to be enough memory.
Basically, rkhunter and chkrootkit look for signs that your system has been compromised by an attacker. They're not perfect, particularly if any attacker has replaced critical system binaries, but they can help. You sho
In any case, I was re-reading your post and it's probably not a compromise (didn't quite read the full command line, sorry -- long day), but it never hurts to check if you notice strange behavior. It looksmore like a normal X windows process has gone awry. Have you tried simply killing the process in question? It might mess up your X windopws session, but it's worth a try. Have you changed your GUI configuration recently? If all else fails, try restarting the X server and see if the problem persists.
|
|
|
01-05-2006, 09:13 PM
|
#8
|
Member
Registered: May 2005
Location: solar-system->earth->northern hemisphere
Distribution: ubunutu+knoppix+suse
Posts: 197
Original Poster
Rep:
|
replay
i'll try it later ...
Quote:
Have you tried simply killing the process in question?
|
yes i tried , but it does not die , i tried to kill and to end it from the gnome-system-monitor and it didn't respond to this ..!( thing that drive me mad )
Quote:
Have you changed your GUI configuration recently?
|
no i didn't ...
i noticed that there have been threads with same subject ... but not realy helpful
thanks alot ,
muhammad-sameer .
|
|
|
01-06-2006, 01:34 AM
|
#9
|
Moderator
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.4, Oracle Linux, Mint, Debian/WSL
Posts: 9,795
|
Why is this X server listening on 6016 ?
What launched it ? (pstree)
Have you more than one X server running ?
|
|
|
01-06-2006, 06:02 AM
|
#10
|
Member
Registered: May 2005
Location: solar-system->earth->northern hemisphere
Distribution: ubunutu+knoppix+suse
Posts: 197
Original Poster
Rep:
|
...
Quote:
Why is this X server listening on 6016 ?
|
what is 6016 ??
Quote:
What launched it ? (pstree)
Have you more than one X server running ?
|
it launch automatically ... and i don't think that i have more than one run .. !
m-s
|
|
|
01-06-2006, 11:48 PM
|
#11
|
Senior Member
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290
|
Try using ps to find the PID of the process, and then open up a terminal, become root, and issue the command "kill -9 <PID>" (no quotes). This basically nukes the process completely, and it's generally not a good idea since it doesn't give the process a chance to clean up after itself, but it's quite handy if you're desperate. Have you tried running a rootkit detector like I suggested?
Unfortunately, stuff like this can be hard to debug via a forum. Could you post the results of
and
It might help to see what this executable looks like and what all else is running.
|
|
|
01-07-2006, 12:05 AM
|
#12
|
Member
Registered: May 2005
Location: solar-system->earth->northern hemisphere
Distribution: ubunutu+knoppix+suse
Posts: 197
Original Poster
Rep:
|
Quote:
Could you post the results of
Code:
ls -l /etc/X11/X
|
this is the result ...
lrwxrwxrwx 1 root root 24 Nov 11 00:15 /etc/X11/X -> ../../usr/X11R6/bin/Xorg*
about the other command it's not good idea to post the result because it's very long ... but i think this is relevant ...
Quote:
mohama 5176 0.0 0.1 2428 832 ? S 04:47 0:00 xsettings-kde
|
( by the way it's right now working correctly ..! :-o )
Quote:
Try using ps to find the PID of the process, and then open up a terminal, become root, and issue the command "kill -9 <PID>"
|
i thought about that previously ... but it ( the X ) does not appear by the ps command ..!
another thing about the argument file i mention above ( it's a photo ) sounds strang .. for me too ..! ( it's black )
Quote:
Have you tried running a rootkit detector like I suggested?
|
sorry , not yet .. i have exercise to finish !!
thanks for the help ..
m-s
Last edited by mohama; 01-10-2006 at 07:14 AM.
|
|
|
01-07-2006, 12:54 AM
|
#13
|
Senior Member
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290
|
No worries ... looks like the file in /etc/X11 is just a symbolic link to the main Xorg binary, so nuking that process will probably bring down your GUI. This pretty much also confirms that it's probably not a security issue, like I was originally thinking. I'm afraid I'm running aq bit low on ideas at this p[oint, but you might want to check your /var/log/Xorg.0.log file to see if X is reporting any hardware or software errors that might cause it to eat a lot of CPU. As I said, X does normally need a good amount of CPU power, but it should not be constantly using 100% of your processor.
Anyhow good luck with it all ... I'll post back if I get any more ideas.
|
|
|
01-07-2006, 03:26 AM
|
#14
|
Moderator
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.4, Oracle Linux, Mint, Debian/WSL
Posts: 9,795
|
Quote:
Originally Posted by mohama
what is 6016 ??
|
This server is passed the option :16, meaning it will listen on the TCP port 6016.
This is unexpected, an X server is normally listening on TCP port 6000.
I understand it is launched automatically, the question is "what launched it ?".
Quote:
... and i don't think that i have more than one run .. !
m-s
|
Are you just thinking, or are you sure ?
Please use the pstree command to figure it out.
|
|
|
01-07-2006, 08:13 AM
|
#15
|
Member
Registered: May 2005
Location: solar-system->earth->northern hemisphere
Distribution: ubunutu+knoppix+suse
Posts: 197
Original Poster
Rep:
|
Code:
─kdm─┬─X
└─kdm───startkde─┬─kwrapper
│ ├─mdkapplet
│ ├─net_applet
│ └─startkde───gnome-volume-ma
so i am sure that i have only one ..!
m-s
|
|
|
All times are GMT -5. The time now is 02:08 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|