[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[no subject]
- <!--x-content-type: text/plain -->
- <!--x-date: Sun Apr 25 18:33:10 2004 -->
- <!--x-from-r13: qpbeova ng znpughegyr.pbz (Rnivq Qbeova) -->
- <!--x-message-id: [email protected] -->
- <!--x-reference: [email protected] -->
- <!--x-reference: [email protected] -->
- <!--x-reference: [email protected] --> "http://www.w3.org/TR/html4/loose.dtd">
- <!--x-subject: [ale] diagnosis -->
- <li><em>date</em>: Sun Apr 25 18:33:10 2004</li>
- <li><em>from</em>: dcorbin at machturtle.com (David Corbin)</li>
- <li><em>in-reply-to</em>: <<a href="msg01071.html">[email protected]</a>></li>
- <li><em>references</em>: <<a href="msg00645.html">[email protected]</a>> <<a href="msg01060.html">[email protected]</a>> <<a href="msg01071.html">[email protected]</a>></li>
- <li><em>subject</em>: [ale] diagnosis</li>
I'm reasonably sure it's not a trojaned kernel - building a new kernel from
another machine was one of the first tests (though I didn't put it on a CD,
but installed it on the hard drive, I admit...)
> Run memtest and rule out that. Then copy a kernel from a CD distribution
> and set lilo/grub to use that kernel. Then boot to single user, touch
> utmp, reboot back to single user with the same CD kernel and watch the
> top process. If there is still the problem, drop in an other hard drive,
> make it the /var partition, and try again.
>
When you say "memtest", you're referring to the shell-script that does lots of
tarring/untarring?
> If all that fails, get a Geiger counter and start looking for a
> radiation source that can cause bit flips :)
>
> > > On Fri, 2004-04-23 at 17:37, David Corbin wrote:
> > > > I tried it with the "safe" version of top. It shows nothing that
> > > > isn't in my regular top. However, I did try "vmstat" which was
> > > > there. It shows that the free memory is disappear as the "buffers"
> > > > is growing.
> > > >
> > > > Does that help any?
> > > >
> > > > On Monday 19 April 2004 20:35, James P. Kinney III wrote:
> > > > > I put up a page with the binaries and source on it :
> > > > >
> > > > > <a rel="nofollow" href="http://www.localnetsolutions.com/tools/";>http://www.localnetsolutions.com/tools/</a>
> > > > >
> > > > > Note: the procps page on sourceforge did not have an md5 checksum.
> > > > >
> > > > > On Mon, 2004-04-19 at 20:02, David Corbin wrote:
> > > > > > On Monday 19 April 2004 15:01, James P. Kinney III wrote:
> > > > > > > If it is a cracked machine, running a statically linked top
> > > > > > > from a CD will gain access to the real top data. Top is a
> > > > > > > common binary to fiddle with with a root kit.
> > > > > >
> > > > > > Sounds reasonable. Can you point me at such, or if not that,
> > > > > > anybody got any idea where the source to top is and I'll build my
> > > > > > own.
> > > > > >
> > > > > > > It is certainly possible to _add_ a module or _remove_ a
> > > > > > > module, but change out the kernel with out a reboot (unless
> > > > > > > 2-kernel-monte is available, I have not been able to find this
> > > > > > > :( ). So the actual data stream for top is not tamper-able
> > > > > > > easily. Thus a known good statically-linked top would give
> > > > > > > access to the running system and show the _real_ processes that
> > > > > > > are running.
> > > > > > >
> > > > > > > If top shows no malicious files, it's time to take some
> > > > > > > snapshots over time to plot which app is failing.
> > > > > > >
> > > > > > > #!/bin/sh
> > > > > > > echo date >> /tmp/top.txt
> > > > > > > top -b -n 1 -c >> /tmp/top.txt
> > > > > > > echo "###############" >>/tmp/top.txt
> > > > > > > echo >>/tmp/top.txt
> > > > > > > echo >>/tmp/top.txt
> > > > > > >
> > > > > > > Run as a cron every minute for an hour.
> > > > > > >
> > > > > > > If you want, you can now mash/mangle the data into a nice plot
> > > > > > > using some perl and gnplot (or a spreadsheet).
> > > > > > >
> > > > > > > On Mon, 2004-04-19 at 11:56, Geoffrey wrote:
> > > > > > > > Dow Hurst wrote:
> > > > > > > > > How can we find the process that is soaking the memory?
> > > > > > > > > How do you manipulate /proc to find out the originating
> > > > > > > > > process that owns the memory being used? I know IRIX had
> > > > > > > > > tools to look at memory and see which processes owned what
> > > > > > > > > part of memory. Does Linux?
> > > > > > > > >
> > > > > > > > > Seems if you knew what was leaking you would have a major
> > > > > > > > > part of the battle won.
> > > > > > > >
> > > > > > > > I believe we mentioned top, but he noted that doesn't give
> > > > > > > > him anything. That's what concerns me. If it doesn't show,
> > > > > > > > is it being hidden for a reason???
> > > >
> > > > _______________________________________________
> > > > Ale mailing list
> > > > Ale at ale.org
> > > > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<ul><li><strong>Follow-Ups</strong>:
<ul>
<li><strong><a name="01108" href="msg01108.html">[ale] diagnosis</a></strong>
<ul><li><em>From:</em> jkinney at localnetsolutions.com (James P. Kinney III)</li></ul></li>
</ul></li></ul>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00645" href="msg00645.html">[ale] diagnosis</a></strong>
<ul><li><em>From:</em> dcorbin at machturtle.com (David Corbin)</li></ul></li>
<li><strong><a name="01060" href="msg01060.html">[ale] diagnosis</a></strong>
<ul><li><em>From:</em> dcorbin at machturtle.com (David Corbin)</li></ul></li>
<li><strong><a name="01071" href="msg01071.html">[ale] diagnosis</a></strong>
<ul><li><em>From:</em> jkinney at localnetsolutions.com (James P. Kinney III)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
<!--X-BotPNI-->
<ul>
<li>Prev by Date:
<strong><a href="msg01104.html">[ale] Linux Security</a></strong>
</li>
<li>Next by Date:
<strong><a href="msg01106.html">[ale] Free USB Drive</a></strong>
</li>
<li>Previous by thread:
<strong><a href="msg01071.html">[ale] diagnosis</a></strong>
</li>
<li>Next by thread:
<strong><a href="msg01108.html">[ale] diagnosis</a></strong>
</li>
<li>Index(es):
<ul>
<li><a href="maillist.html#01105"><strong>Date</strong></a></li>
<li><a href="threads.html#01105"><strong>Thread</strong></a></li>
</ul>
</li>
</ul>
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</body>
</html>