find process running uncommanded
Hi all,
I keep a little cpu monitor running on my suse 10.1 / KDE desktop, and there is fairly often unexplained cpu usage. At these times, checking the process table shows that the process "find" is running, owner "nobody". As I attempt to look into it, it shuts down. This is generally, but not always, whilst online (dial-up modem). I have the firewall enabled, and never manually altered the default settings, although I have used limewire. It's hard to search for information on this problem because find is such a common word. What to do? Thanks in advance. regards...... andrew. |
The process is almost undoubtedly being run by cron.
As root:
Code:
$ crontab -l
If it is, you can remove it by:
Code:
$ crontab -e |
Thanks for that wildcat 22,
This is what I got:
Code:
/home/andrew # crontab -l
regards..... andrew. |
Hrm.
That's interesting. To answer the immediate question, sometimes (though maybe it's old fashioned) the OS comes preconfigured with some entries. Now for the more pressing question... Just for completeness' sake, might as well check cron for your own user names. Same command. Also, try checking out /var/log/messages and a couple of other logs. See if you can correlate the find command to anything being output there. |
Hi Wildcat22,
No crontab for any user name on my system. To check the log files was a good idea. No instance of string "find" in /var/log/messages. I searched from root for all files *log*, containing string "find" then sorted by modify date. Thousands of files, but only one candidate in the last ten days, cups error log, and the context was irrelevant (i.e. it was only like "to find out more...."). I'm both paranoid by nature and the perennial noob. Am I mad to think this is happening due to some hack? When it's running, as soon as I try to investigate it, it stops. Or if I kill the process (as user NOT root), after I get the usual "you don't have permissions" message, five or ten seconds later, this "find" process disappears from the process list. regards..... andrew. |
Well, I don't think it's any "hack" as you put it. I wouldn't worry too much about a breach of security.
I'm at a loss at the moment. I guess I need some more information about it to go any further. If you can get an output of the exact command that's being run, that will be useful. As well as characterize how long it runs for usually, when it runs, etc. Does it only run when you are online? Or have you only been looking for it when you are online? |
hi Wildcat22,
Thanks again for that: Quote:
As far as I know, it generally runs for a decent time, at least for several minutes. Perhaps I've noticed this two or three times a week, for many months now. Generally, I've only watched it for a minute or so, before trying to find out more about what's going on, at which point it always stops. I'll just let it run next time. I've never yet seen it finish by itself, when I've not been intervening somehow. It isn't exclusively when online. But, I have no recollection of this happening before I'd installed and used limewire. Shortly after installing that, I found a bunch of (unknown) IPs listed in my xauthorities, which really did not belong. I had a look at the firewall settings then, and saw that limewire makes changes. I'd been thinking this is leftover from that episode. regards.... andrew. |
I had forgotten about the limewire bit.
I suppose it quite possibly could be from that. When it's running, just save the output of whatever command you are using to see that it is running.
Code:
$ ps aux > afile |
Quote:
Quote:
There's one crontab not mentioned in this thread and that's the system's one: /etc/crontab. To check the directories mentioned in /etc/crontab for jobs containing the word "find" do 'find /etc -type d -name \*cron\* | xargs grep find -r' |
Thanks to you both,
Quote:
Code:
#destination cron { file("/var/log/cron"); };
However there is an /etc/crontab, and the command above gives:
Code:
# find /etc -type d -name \*cron\* | xargs grep find -r
Plenty of find-ing there, and given the talk about avoiding error messages when using user nobody for find, I suppose this is now resolved: there is nothing untoward going on. Thanks very much for your help. If you still feel generous, can you let me know if I was right those many months ago to be concerned about finding seven IP addresses in my xauthorities? At the time, I just removed the entries that didn't belong. What should I have done? Or is that also normal? regards..... andrew. |
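The two checks this thread converges on, searching every cron location for jobs that run find and recording what launched the short-lived process before it exits, can be scripted. This is an added example, not code from any poster; the function names and the sample cron tree are constructed for illustration, and it assumes GNU grep and procps (ps, pgrep).

```shell
#!/bin/sh
# Added example (not from the thread). Paths follow common Linux cron layouts.

# Print file:line:text for every non-comment line that runs "find" as a
# whole word in the cron locations under ROOT (empty ROOT = the live system).
cron_find_jobs() {
    root=${1:-}
    for p in etc/crontab etc/cron.d etc/cron.hourly etc/cron.daily \
             etc/cron.weekly etc/cron.monthly var/spool/cron; do
        [ -e "$root/$p" ] || continue
        grep -rnHE '^([^#]*[^#[:alnum:]_])?find([^[:alnum:]_]|$)' \
            "$root/$p" 2>/dev/null || true
    done
}

# Print pid, parent pid, owner and command line for PID and each ancestor,
# so a find owned by nobody can be tied to cron, a shell, or something else.
ancestry() {
    pid=$1
    while [ "${pid:-0}" -gt 0 ]; do
        line=$(ps -o pid=,ppid=,user=,args= -p "$pid") || break
        echo "$line"
        pid=$(echo "$line" | awk '{print $2}')
    done
}

# Poll once a second until a find owned by USER appears, then append a
# timestamp and its ancestry to OUT. Run as root and leave it running.
catch_find() {
    user=${1:-nobody}; out=${2:-find-trace.log}
    while :; do
        for pid in $(pgrep -u "$user" -x find); do
            { date; ancestry "$pid"; echo; } >> "$out"
            return 0
        done
        sleep 1
    done
}

# Constructed sample tree (hypothetical job names) for trying the scan offline.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/cron.daily" "$d/etc/cron.d"
    printf '%s\n' '# run find nightly' \
        'su nobody -c "find / -xdev -print" > /dev/null' \
        > "$d/etc/cron.daily/constructed-locate-job"
    printf '%s\n' '*/5 * * * * root /usr/local/bin/pathfinder' \
        > "$d/etc/cron.d/constructed-other"
    echo "$d"
}
```

On a live system, `cron_find_jobs` with no argument scans the real cron directories, and `catch_find nobody /root/find-trace.log` logs the parent chain the next time the process shows up.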