[sf-lug] troubleshooting

Rick Moen rick at linuxmafia.com
Thu Apr 3 22:42:59 PDT 2014


Quoting Christian Einfeldt (einfeldt at gmail.com):

> My machine seems to be a little slow.

Well, you know, you _do_ like running GNOME.  You might be amazed at 
what using LXDE, Enlightenment, or just your favourite window manager
with no DE might get you back in performance from your 2GB of RAM and
3GHz Pentium D.  Or you could just buy more RAM; it's cheap.

> I am not sure if I am imagining things.  I ran the system monitor, and
> everything seems to be fine, in terms of system usage etc as shown in
> the systems monitor.

I'm not sure what 'the system monitor' refers to.  This GNOME thing?
https://apps.ubuntu.com/cat/applications/quantal/gnome-system-monitor/
Seems like a GNOME/gtk front-end to /bin/ps.

FYI, by no means does everyone run GNOME, so in the general case Linux
users will not necessarily even know what you're referring to.
The binary gnome-system-monitor simply isn't present on most systems to
begin with.

> When I run top, here is what I get
> 
> top - 10:15:21 up 38 min,  2 users,  load average: 0.51, 0.38, 0.30
> Tasks: 156 total,   1 running, 153 sleeping,   2 stopped,   0 zombie
> Cpu(s):  8.6%us,  1.7%sy,  0.1%ni, 87.5%id,  2.1%wa,  0.0%hi,  0.0%si,  0.0%st
> Mem:   2051780k total,  1840156k used,   211624k free,    24248k buffers
> Swap:  2085884k total,    30940k used,  2054944k free,   919488k cached
> 
>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>  2204 cje       20   0  953m 290m  44m S    6 14.5   2:46.75 firefox
>   926 root      20   0  139m  15m 6360 S    4  0.8   0:52.22 Xorg
>  2164 cje       20   0  484m 217m  32m S    2 10.8   0:31.35 epiphany-browse

Um, I assume that /usr/bin/top reports a whole lot more processes than
that, right?  I mean, hey, you didn't include for example init, which is
process #1 and is the progenitor of all other non-kernel processes.

> I notice that there are 2 users, is that normal?

Well, yes.  Your X11 server (graphics engine) is running as root, you'll
have noticed.

Anyway, typically the most significant RAM column in top's (or ps's)
output is the RES column as /usr/bin/top calls it, or the RSS column as
/bin/ps calls it.  That's the Resident Set Size of that specific instance
of the process.  Here ya go:
http://unix.stackexchange.com/questions/35129/need-explanation-on-resident-set-size-virtual-size


> I am also wondering if maybe an intruder put some files in my /tmp folder.
> Here is the /tmp folder.  These items are directories, not files.  Are
> these normal files?
> 
> cje at killbeast02:/tmp$ ls
> at-spi2         pulse-2L9K88eMlGn7  pulse-PKdhtXMmr18n  unity_support_test.0
> keyring-5CivZl  pulse-dGTWtE1EYTOU  ssh-ubEHRUPJ1571
> cje at killbeast02:/tmp$

At an informed guess, yes.

It would take an extremely clumsy intruder to put working files in /tmp,
and they'd more typically be in a dotfile directory somewhere obscure.
The intruder's first major task would then be to find a way to escalate
local privilege to root authority, and then install a 'rootkit'
consisting of gimmicked replacements for common administrative utilities
like ps, top, netstat, ls, etc., designed to hide the intruder's files
and processes from the administrator's view.
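
A defender's cross-check for the userland rootkit Rick describes, added here as an example (not from the list post): read the kernel's own process list and VmRSS from /proc and compare it with what the ps binary prints, so a trojaned ps that omits a process or lies about its RSS stands out. It assumes a Linux /proc and a procps-style ps, and it will not see through a kernel-level rootkit that filters /proc itself; the two samples are taken a moment apart, so short-lived processes can appear in one view only.

```python
import os
import re
import subprocess

# Pull VmRSS (kB) out of the text of /proc/<pid>/status.
# Kernel threads carry no VmRSS line, so None is returned for them.
def parse_vmrss_kb(status_text):
    m = re.search(r"^VmRSS:\s+(\d+)\s+kB", status_text, re.M)
    return int(m.group(1)) if m else None

# Compare the kernel's view ({pid: rss_kb} from /proc) with the ps binary's
# view ({pid: rss_kb}).  Returns the pids ps omitted and the pids whose RSS
# differs by more than tolerance_kb (a gimmicked ps, or simply a process that
# changed size between the two samples).
def compare_views(proc_view, ps_view, tolerance_kb=4096):
    hidden = sorted(set(proc_view) - set(ps_view))
    mismatched = sorted(
        pid for pid in set(proc_view) & set(ps_view)
        if proc_view[pid] is not None
        and abs(proc_view[pid] - ps_view[pid]) > tolerance_kb
    )
    return hidden, mismatched

# Live collection: every numeric entry in /proc is a process the kernel knows.
def proc_view_live():
    view = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/status") as f:
                view[int(name)] = parse_vmrss_kb(f.read())
        except OSError:
            pass  # process exited between listdir() and open()
    return view

# Live collection: ask the ps binary for pid and RSS (kB), headers suppressed.
def ps_view_live():
    out = subprocess.run(["ps", "-eo", "pid=,rss="], capture_output=True,
                         text=True, check=True).stdout
    return {int(p): int(r) for p, r in
            (line.split() for line in out.splitlines() if line.strip())}

if __name__ == "__main__":
    hidden, mismatched = compare_views(proc_view_live(), ps_view_live())
    print("pids in /proc but missing from ps:", hidden)
    print("pids whose RSS disagrees with ps:", mismatched)
```

Any pid that the kernel lists but ps does not is the signature of exactly the hidden process Rick mentions, and a persistent RSS disagreement on a stable process points the same way.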
