LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 07-29-2009, 07:29 AM   #1
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984
su processes child of pid 1?


Howdy,

I've a box with three identical looking process trees - a bash process is a child of an su - which is the child of init.

These three processes were started on consecutive days about 6 weeks ago and have collectively cause a quiet web server to have a load average of 4. I've not seen these before, but I've not been looking, and suspect that their load is likely to correlate to a point yesterday morning when that same server appeared to start doing 100 DNS requests per second of the same internal hostname.

Why would an su not started on boot (box has 80+ days uptime before these started) be owned directly by init? Would they have been reparented somehow?

I've not got a clue what these are doing and why they are there. The owners are a generic system account for our webapp server and I can see from proc and lsof what their working directories are an such, but past this I can't really find out anything about them, and obviously as they parent back to init so quickly, there's not much else to go on.

Any thoughts appreciated.
 
Old 07-29-2009, 11:34 AM   #2
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Debian
Posts: 8,578
Blog Entries: 31

Rep: Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198
Hello acid_kewpie

One way the processes could have been re-parented would be if the su was run via nohup from a terminal that was subsequently closed.

Can you find out what they are doing from
Code:
\ls -l /proc/<PID>/exe
cat /proc/<PID>/cmdline
where <PID> is the process ID for each process under investigation in turn.

If that doesn't give enough you may be able to dump strings from the processes' memory for further clues.

Best

Charles
 
Old 07-29-2009, 12:37 PM   #3
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Original Poster
Rep: Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984
There is nothing in the cmdline, just "su -" for the parent and "-bash" for the child. We have a horrible convention of running "sudo su -" to get root access, so we can't evn see who ran the su, as thanks to sudo, it was root...

nohup sounds like a plausible route to explore, thanks,
 
Old 07-29-2009, 12:57 PM   #4
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Debian
Posts: 8,578
Blog Entries: 31

Rep: Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198
Hello Chris

You could check the /var/log/auth.log* files from when they were started, looking for the su records ...

Best

Charles
 
Old 07-29-2009, 02:00 PM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Original Poster
Rep: Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984
these are too old now, very start of june they appeared, and our log monitoring infrastructure is just woeful... we'll have the logs on our syslog servers, but I, as the principle Linux Administrator, am not allowed to access the syslog servers for security reasons. Go figure...
 
Old 07-29-2009, 02:22 PM   #6
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Debian
Posts: 8,578
Blog Entries: 31

Rep: Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198
Quote:
Originally Posted by acid_kewpie View Post
these are too old now, very start of june they appeared, and our log monitoring infrastructure is just woeful... we'll have the logs on our syslog servers, but I, as the principle Linux Administrator, am not allowed to access the syslog servers for security reasons. Go figure...
Made me chuckle! That's one anal-retentive (and ineffective) security policy!

So there's only an su parent and child bash process? Does that mean the child is running a bash script rather than an executable? If so it will (?) have a copy of the bash script in memory, probably stripped of comments but still legible ...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
How to read in a processes PID thedarkdestroyer Programming 3 05-09-2006 07:48 PM
get the PID of a separate process (no parent-child relationship) arunj Linux - Software 6 02-03-2006 02:50 AM
Predict child PID slackbull Programming 7 07-30-2005 06:11 PM
[notice] child pid 1296 exit signal Segmentation fault (11) Bigtimelost Linux - General 2 04-13-2004 01:38 PM
Apache: child pid XXX exit signal Segmentation fault (11) gabriele_101 Linux - Hardware 1 07-23-2003 07:12 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 06:47 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration