I am currently running Mint 18.3 initially installed with KDE, now usually run Xfce and have done so for a while without problems until a recent update. Now the cpu is racing away at an average of about 25%, this is shared over 6 processors. It has nothing running apart from the Xfce gui. Usually this would only average about 0.1 to 2% but it runs at 25% unless I run top which (without me doing anything else) seems to quell the enthusiasm of the offending processes and usage returns to normal, providing I don't shutdown top.

The offending processes have been:
systemd
gvfsd
systemctl

but not all at once, i, e, only one at once. (as reported by top)

Also it will behave itself if I don't login from the splash page but give Ctrl+Alt+F1 login from a terminal and give startx to start Xfce.
This behavior also happens with KDE.

Does anyone know why this is happening?

Have you let it sit, come back, and look at top then?

Yes and all appears well until I shutdown top then cpu usage creeps up to the same level. If I leave the system running without top, for say an hour it will be at about 50% and nothing is running apart from Xfce.

I have to leave top running if I want to keep cpu usage at normal levels.


Thanks for reply,

Fred.

I would be looking very closely for something like a mining malware sneaking around. I'm sure I saw something a while back about one that kept a lookout for things that could monitor it.
Try ps (without top running) and see if anything looks suspect.

Another sneaky trick is to copy top to a different name Then run "chrome"

Thanks for replies, will try your suggestions.

I assume you can change top back to top again afterwards!

I don't suppose you have any idea what I might be looking for as suspicious as I doubt it will show up as "Red Dwarf Mining Corp"?

- you never know, you might get lucky.
Maybe just run ps with and without top running, then diff the lists.

1 members found this post helpful.

I did try diff on the 2 ps versions and it did spit out a lot differences, as you would expect really with different cpu usages at specific times.

I could attach all 3 files if that would help but I think the offending process is hiding behind a legitimate process like systemd, systemctl and ibus-x11, all of which have seen extra activity unexpectedly.

I also ran a clamscan on the whole system but all that came up with was an old "Windows" file that had been on there for ages.

I was thinking of reinstalling with Mint 19 and reintroducing a backup of my data, hopefully that won't reintroduce the problem, any thoughts?


Fred.

Yes, if you can't pinpoint the intruder (if there is one), a clean install sounds like an excellent idea in this case.

I might add that if you're introducing your old data, maybe make the files or directories non executable.

Yes, thanks. It might come to that.

I will check but I think the only executable files are the odd script I have done myself unless, of course, they have been altered.

If I make directories non-executable I will be locked out till I reverse that which would be a bit of a pain.

Or I could try the new timeshift service but I suppose it was not really meant these type of events?

I'm not suggesting making the /bin, & /sbin (/usr/bin, /usr/local, /opt, etc) directories non executable, but the datadirectories. Particularly in your home dir. By default directories get 0755, but in files owned by you in your root drive. That means others can ls the files, but not cd into the directories or execute them.

We still haven't seen any evidence of anything. All (me included) are whistling in the dark.

As for evidence, please see attachment, however, this is s bit of a mess and need explaining:

the first bit is the results of netstat and shows an unsolicited connection (pre-top)


the second the results of lsof with a lot of ibus-x11 activity(pre-top)

the third is lsof and has no ibus-x11 activity (post-top)

the last line is netstat again showing no active connection (post-top)

I don't know what ibus-x11 is and there is no manual page for it but then it is not always this that is associated with high cpu usage.

I've had to edit the file so that it of the permitted size.

Came to the conclusion that even if there was no malware it should not be doing what it was so I reinstalled with Mint 19 and put my data back on.

All seems to be well.

Thanks for the replies and suggestions.