Linux - Security forum, LinuxQuestions.org
I keep a little cpu monitor running on my suse 10.1 / KDE desktop, and there is fairly often unexplained cpu usage. At these times, checking the process table shows that the process "find" is running, owner "nobody".
As I attempt to look into it, it shuts down.
This is generally, but not always, whilst online (dial-up modem).
I have the firewall enabled, and never manually altered the default settings, although I have used limewire.
It's hard to search for information on this problem because find is such a common word. What to do?
I looked up man page for cron and the crontab command syntax. I've never established any scheduled tasks myself, and I'm still not exactly clear if the system would be setting that up by itself?
To check the log files was a good idea. No instance of string "find" in /var/log/messages. I searched from root for all files *log*, containing string "find" then sorted by modify date. Thousands of files, but only one candidate in the last ten days, cups error log, and the context was irrelevant (i.e. it was only like "to find out more....").
I'm both paranoid by nature and the perennial noob. Am I mad to think this is happening due to some hack? When it's running, as soon as I try to investigate it, it stops. Or if I kill the process (as user NOT root), after I get the usual "you don't have permissions" message, five or ten seconds later, this "find" process disappears from the process list.
Well, I don't think it's any "hack" as you put it. I wouldn't worry too much about a breach of security.
I'm at a loss at the moment. I guess I need some more information about it to go any further. If you can get an output of the exact command that's being run, that will be useful. As well as characterize how long it runs for usually, when it runs, etc. Does it only run when you are online? Or have you only been looking for it when you are online?
Quote:
If you can get an output of the exact command that's being run, that will be useful. As well as characterize how long it runs for usually, when it runs, etc. Does it only run when you are online? Or have you only been looking for it when you are online?
How can I get the exact command, is there a record of all such commands anywhere?
As far as I know, it generally runs for a decent time, at least for several minutes. Perhaps I've noticed this two or three times a week, for many months now. Generally, I've only watched it for a minute or so, before trying to find out more about what's going on, at which point it always stops.
I'll just let it run next time. I've never yet seen it finish by itself, when I've not been intervening somehow.
It isn't exclusively when online. But, I have no recollection of this happening before I'd installed and used limewire. Shortly after installing that, I found a bunch of (unknown) IPs listed in my xauthorities, which really did not belong. I had a look at the firewall settings then, and saw that limewire makes changes. I'd been thinking this is leftover from that episode.
Quote:
Well, I don't think it's any "hack" as you put it. I wouldn't worry too much about a breach of security.
One thing I learnt from handling (perceived) incidents is that while it's a nice remark to ease a (potential) victim, it would be better not to say it. Until you back it with proof it's just an assumption, an opinion, you see.
Quote:
Originally Posted by aal
How can I get the exact command, is there a record of all such commands anywhere?
Logging of (the filenames of) cronjobs goes to whatever syslogd is configured to log to ('grep cron /etc/syslog.conf').
There's one crontab not mentioned in this thread and that's the system's one: /etc/crontab.
To check the directories mentioned in /etc/crontab for jobs containing the word "find" do 'find /etc -type d -name \*cron\* | xargs grep find -r'
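An added shell example (not from the thread, and not a SUSE tool) that automates the checks in the post above and also answers the "how can I get the exact command" question: it reads /proc to print a running process's owner, full command line and parent chain (a cron-spawned job shows cron and a shell running the script as ancestors), greps every standard cron location for a pattern, and reports whether syslog.conf or syslog-ng.conf has an active cron destination, flagging commented-out lines. The cron and syslog paths are the conventional locations assumed for this example; pass a different root to audit a copied filesystem.

```shell
#!/bin/sh
# Added example, not from the thread. Three checks for a process that appears
# and vanishes: who runs it and what spawned it, which cron job references it,
# and where syslog sends cron messages. POSIX sh; the process checks need Linux /proc.

# proc_info PID: print "pid ppid user cmdline" from /proc, or fail if the
# process is already gone (the usual case with a short-lived cron job).
proc_info() {
    pid=$1
    [ -r "/proc/$pid/status" ] || return 1
    ppid=$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status")
    uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")
    # map the real uid to a name so "nobody" shows up as such; fall back to the uid
    user=$(awk -F: -v u="$uid" '$3 == u { print $1; exit }' /etc/passwd 2>/dev/null || true)
    [ -n "$user" ] || user=$uid
    # cmdline is NUL-separated; join the arguments with spaces
    cmd=$(tr '\000' ' ' < "/proc/$pid/cmdline")
    printf '%s %s %s %s\n' "$pid" "$ppid" "$user" "$cmd"
}

# parent_chain PID: walk from PID up to init, one line per ancestor.
# A cron-spawned job shows cron/crond (and usually /bin/sh running the script).
parent_chain() {
    pid=$1
    while [ "${pid:-0}" -gt 0 ]; do
        line=$(proc_info "$pid") || break
        echo "$line"
        pid=$(echo "$line" | awk '{ print $2 }')
    done
}

# cron_grep ROOT PATTERN: search the system crontab, the drop-in directories
# and the per-user spool under ROOT (normally /) for PATTERN; prints file:line:text.
# Reading /var/spool/cron needs root, which is why the thread's command ran as root.
cron_grep() {
    root=${1:-/}
    pat=$2
    for loc in etc/crontab etc/cron.d etc/cron.hourly etc/cron.daily \
               etc/cron.weekly etc/cron.monthly var/spool/cron; do
        p="$root/$loc"
        if [ -e "$p" ]; then
            grep -rnH -- "$pat" "$p" 2>/dev/null || true
        fi
    done
    return 0
}

# cron_log_destination ROOT: show the cron-related lines of syslog.conf or
# syslog-ng.conf under ROOT and flag the ones that are commented out, since a
# commented-out destination means /var/log/cron will never be written.
cron_log_destination() {
    root=${1:-/}
    for f in etc/syslog.conf etc/syslog-ng/syslog-ng.conf etc/syslog-ng.conf; do
        [ -r "$root/$f" ] || continue
        grep -n 'cron' "$root/$f" | while IFS= read -r l; do
            rest=$(printf '%s' "${l#*:}" | sed 's/^[[:space:]]*//')
            case $rest in
                '#'*) echo "$f:$l   (inactive: commented out)" ;;
                *)    echo "$f:$l" ;;
            esac
        done
    done
    return 0
}

# Command-line use:  sh audit.sh chain PID  |  sh audit.sh cron find  |  sh audit.sh log
case ${1:-} in
    chain) parent_chain "$2" ;;
    cron)  cron_grep "${3:-/}" "$2" ;;
    log)   cron_log_destination "${2:-/}" ;;
esac
```

Run `chain` against the PID of the suspect process while it is still alive: if the chain ends in cron rather than a network daemon or a login shell, the job is scheduled, and the matching `cron` search tells you which script schedules it. A `log` result of "inactive: commented out" explains why no /var/log/cron exists even though cron is logging through syslog-ng.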
Quote:
Logging of (the filenames of) cronjobs goes to whatever syslogd is configured to log to ('grep cron /etc/syslog.conf').
There's one crontab not mentioned in this thread and that's the system's one: /etc/crontab.
To check the directories mentioned in /etc/crontab for jobs containing the word "find" do 'find /etc -type d -name \*cron\* | xargs grep find -r'
There is no syslog.conf file on my system, but there is a file /etc/syslog-ng.conf, which I assume to be the same thing. It contains this line:
Code:
#destination cron { file("/var/log/cron"); };
So it appears the cron stuff should be kept in /var/log/cron? But this file does not exist.
However there is an /etc/crontab, and the command above gives:
Code:
# find /etc -type d -name \*cron\* | xargs grep find -r
/etc/cron.daily/suse.de-clean-core: for DUMMY in `find /var/lib/locatedb -mtime -7 2> /dev/null` ; do
/etc/cron.daily/suse.de-clean-core: for i in `find "$COREFILE" ! \( -fstype nfs -o -fstype NFS \) \
/etc/cron.daily/suse.de-backup-rc.config: NEW_MD5="`find $ETC_RCCONFIG /etc/sysconfig -type f | xargs cat | md5sum`"
/etc/cron.daily/suse-tetex: test -d $p/pk/ && find $p/pk/ -type f -and -atime +20 -print0
/etc/cron.daily/suse-tetex: test -d $p/tfm/ && find $p/tfm/ -type f -and -atime +60 -print0
/etc/cron.daily/suse-clean_catman: find /var/cache/man -name '*.gz' -type f -atime +$CATMAN_ATIME -print0 | \
/etc/cron.daily/suse.de-updatedb: # avoid error messages from updatedb when using user nobody for find.
/etc/cron.daily/suse.de-clean-tmp: find $DIR/. $OMIT ! -type d ! -type s ! -type p \
/etc/cron.daily/suse.de-clean-tmp: } || echo "Error: Can not find /usr/bin/safe-rm"
/etc/cron.daily/suse.de-clean-tmp: find $DIR/. -depth -mindepth 1 $OMIT -type d -empty \
Plenty of find-ing there, and given the talk about avoiding error messages when using user nobody for find, I suppose this is now resolved: there is nothing untoward going on.
Thanks very much for your help. If you still feel generous, can you let me know if I was right those many months ago to be concerned about finding seven IP addresses in my xauthorities?
At the time, I just removed the entries that didn't belong. What should I have done? Or is that also normal?