LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices


Reply
  Search this Thread
Old 01-05-2006, 06:22 PM   #1
mohama
Member
 
Registered: May 2005
Location: solar-system->earth->northern hemisphere
Distribution: ubunutu+knoppix+suse
Posts: 197

Rep: Reputation: 31
cpu ......100%......


hey ,

i noticed that some times my cpu usage is 100% , although i do not run any programs except maybe a mozilla browser and amarok mp3 player , the point is that it stuke like that all the time ... when i checked to know what proccess causes this i find that it's the X ...

any body know what does this mean ?? and what is the reason of this ?? and how to solve this problem ... !
thank you all very much ,
muhammad-sameer ,
 
Old 01-05-2006, 06:24 PM   #2
mohama
Member
 
Registered: May 2005
Location: solar-system->earth->northern hemisphere
Distribution: ubunutu+knoppix+suse
Posts: 197

Original Poster
Rep: Reputation: 31
Unhappy more detail ..

it's the x command it's user is root , it have an argument like this : -
/etc/X11/X -deferglyphs 16:0 -auth /var/run/xauth/A:0-5MZFyZ ...
it take about 175 MB

i have no idea what is this supposed to be ..?!

m-s
 
Old 01-05-2006, 07:50 PM   #3
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378Reputation: 378Reputation: 378Reputation: 378
Did you verify that is the process taking up the CPU in top? X does run setuid root to talk directly to the video hardware, but it would usually be the X binary itself -- something running out of /var/run (not a normal place for binaries) looks somewhat suspicious. Have you looked at the file itself and run a rootkit scanner on your machine? What kind of specs does your system have?
 
Old 01-05-2006, 08:06 PM   #4
mohama
Member
 
Registered: May 2005
Location: solar-system->earth->northern hemisphere
Distribution: ubunutu+knoppix+suse
Posts: 197

Original Poster
Rep: Reputation: 31
hi ..

Quote:
Did you verify that is the process taking up the CPU in top?
yes i did ..!
Quote:
Have you looked at the file itself and run a rootkit scanner on your machine?
what file ??

i use mandriva 2006 .. and i have IBM centrino 1.6 GHz ..!

m-s
 
Old 01-05-2006, 08:42 PM   #5
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378Reputation: 378Reputation: 378Reputation: 378
I mean the actual executable that is taking up the CPU. When was the executable created? Was it something installed with your system? In general, executable programs don't get put into /var/run so something run there is a bit suspicious. Maybe Mandriva puts some component of the X server into there. It's hard to say what it is. It could be a sign that your system got broken into, but not necessarily -- you just have to investigate it. If possible, download chkrootkit and/or rkhunter to run on your system.

How much memory does your system have? Windowing systems like KDE require a lot of RAM.
 
Old 01-05-2006, 08:47 PM   #6
mohama
Member
 
Registered: May 2005
Location: solar-system->earth->northern hemisphere
Distribution: ubunutu+knoppix+suse
Posts: 197

Original Poster
Rep: Reputation: 31
replay

Quote:
download chkrootkit and/or rkhunter to run on your system.
can you explain what does these do ??


Quote:
How much memory does your system have?
i have 512 MB + 600MB swap ...but the usage of the ram is about 50-60% ...

m-s .
 
Old 01-05-2006, 09:03 PM   #7
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378Reputation: 378Reputation: 378Reputation: 378
Well, that ought to be enough memory.

Basically, rkhunter and chkrootkit look for signs that your system has been compromised by an attacker. They're not perfect, particularly if any attacker has replaced critical system binaries, but they can help. You sho

In any case, I was re-reading your post and it's probably not a compromise (didn't quite read the full command line, sorry -- long day), but it never hurts to check if you notice strange behavior. It looksmore like a normal X windows process has gone awry. Have you tried simply killing the process in question? It might mess up your X windopws session, but it's worth a try. Have you changed your GUI configuration recently? If all else fails, try restarting the X server and see if the problem persists.
 
Old 01-05-2006, 09:13 PM   #8
mohama
Member
 
Registered: May 2005
Location: solar-system->earth->northern hemisphere
Distribution: ubunutu+knoppix+suse
Posts: 197

Original Poster
Rep: Reputation: 31
replay

i'll try it later ...
Quote:
Have you tried simply killing the process in question?
yes i tried , but it does not die , i tried to kill and to end it from the gnome-system-monitor and it didn't respond to this ..!( thing that drive me mad )

Quote:
Have you changed your GUI configuration recently?
no i didn't ...
i noticed that there have been threads with same subject ... but not realy helpful
thanks alot ,

muhammad-sameer .
 
Old 01-06-2006, 01:34 AM   #9
jlliagre
Moderator
 
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.4, Oracle Linux, Mint, Ubuntu/WSL
Posts: 9,783

Rep: Reputation: 492Reputation: 492Reputation: 492Reputation: 492Reputation: 492
Why is this X server listening on 6016 ?
What launched it ? (pstree)
Have you more than one X server running ?
 
Old 01-06-2006, 06:02 AM   #10
mohama
Member
 
Registered: May 2005
Location: solar-system->earth->northern hemisphere
Distribution: ubunutu+knoppix+suse
Posts: 197

Original Poster
Rep: Reputation: 31
...

Quote:
Why is this X server listening on 6016 ?
what is 6016 ??

Quote:
What launched it ? (pstree)
Have you more than one X server running ?
it launch automatically ... and i don't think that i have more than one run .. !

m-s
 
Old 01-06-2006, 11:48 PM   #11
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378Reputation: 378Reputation: 378Reputation: 378
Try using ps to find the PID of the process, and then open up a terminal, become root, and issue the command "kill -9 <PID>" (no quotes). This basically nukes the process completely, and it's generally not a good idea since it doesn't give the process a chance to clean up after itself, but it's quite handy if you're desperate. Have you tried running a rootkit detector like I suggested?

Unfortunately, stuff like this can be hard to debug via a forum. Could you post the results of

Code:
ls -l /etc/X11/X
and

Code:
ps auxw
It might help to see what this executable looks like and what all else is running.
 
Old 01-07-2006, 12:05 AM   #12
mohama
Member
 
Registered: May 2005
Location: solar-system->earth->northern hemisphere
Distribution: ubunutu+knoppix+suse
Posts: 197

Original Poster
Rep: Reputation: 31
Quote:
Could you post the results of
Code:
ls -l /etc/X11/X
this is the result ...
lrwxrwxrwx 1 root root 24 Nov 11 00:15 /etc/X11/X -> ../../usr/X11R6/bin/Xorg*



about the other command it's not good idea to post the result because it's very long ... but i think this is relevant ...
Quote:
mohama 5176 0.0 0.1 2428 832 ? S 04:47 0:00 xsettings-kde
( by the way it's right now working correctly ..! :-o )



Quote:
Try using ps to find the PID of the process, and then open up a terminal, become root, and issue the command "kill -9 <PID>"
i thought about that previously ... but it ( the X ) does not appear by the ps command ..!

another thing about the argument file i mention above ( it's a photo ) sounds strang .. for me too ..! ( it's black )

Quote:
Have you tried running a rootkit detector like I suggested?
sorry , not yet .. i have exercise to finish !!

thanks for the help ..
m-s

Last edited by mohama; 01-10-2006 at 07:14 AM.
 
Old 01-07-2006, 12:54 AM   #13
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378Reputation: 378Reputation: 378Reputation: 378
No worries ... looks like the file in /etc/X11 is just a symbolic link to the main Xorg binary, so nuking that process will probably bring down your GUI. This pretty much also confirms that it's probably not a security issue, like I was originally thinking. I'm afraid I'm running aq bit low on ideas at this p[oint, but you might want to check your /var/log/Xorg.0.log file to see if X is reporting any hardware or software errors that might cause it to eat a lot of CPU. As I said, X does normally need a good amount of CPU power, but it should not be constantly using 100% of your processor.

Anyhow good luck with it all ... I'll post back if I get any more ideas.
 
Old 01-07-2006, 03:26 AM   #14
jlliagre
Moderator
 
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.4, Oracle Linux, Mint, Ubuntu/WSL
Posts: 9,783

Rep: Reputation: 492Reputation: 492Reputation: 492Reputation: 492Reputation: 492
Quote:
Originally Posted by mohama
what is 6016 ??
This server is passed the option :16, meaning it will listen on the TCP port 6016.
This is unexpected, an X server is normally listening on TCP port 6000.
Quote:
it launch automatically
I understand it is launched automatically, the question is "what launched it ?".
Quote:
... and i don't think that i have more than one run .. !
m-s
Are you just thinking, or are you sure ?
Please use the pstree command to figure it out.
 
Old 01-07-2006, 08:13 AM   #15
mohama
Member
 
Registered: May 2005
Location: solar-system->earth->northern hemisphere
Distribution: ubunutu+knoppix+suse
Posts: 197

Original Poster
Rep: Reputation: 31
Code:
─kdm─┬─X
     └─kdm───startkde─┬─kwrapper
     │                ├─mdkapplet
     │                ├─net_applet
     │                └─startkde───gnome-volume-ma
so i am sure that i have only one ..!
m-s
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
100 % Cpu Volcano Linux - Newbie 27 10-05-2005 10:58 PM
X Using 100% CPU windisch Linux - Software 2 09-29-2005 11:35 AM
cpu nearly always at 100% xround Linux - Hardware 6 09-17-2004 05:51 AM
CPU on 100% very often Satriani Linux - General 25 12-23-2003 03:41 PM
Cpu @ 100% kpzani Linux - General 4 03-20-2003 12:46 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - General

All times are GMT -5. The time now is 07:02 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration