[sf-lug] troubleshooting

Christian Einfeldt einfeldt at gmail.com
Sat Apr 5 09:48:40 PDT 2014 

Thanks again to everyone who repied!


On Thu, Apr 3, 2014 at 10:42 PM, Rick Moen <rick at linuxmafia.com> wrote:

> Quoting Christian Einfeldt (einfeldt at gmail.com):
>
> > My machine seems to be a little slow.
>
> Well, you know, you _do_ like running GNOME.  You might be amazed at
> what using LXDE, Enlightenment, or just your favourite window manager
> with no DE might get you back in performance from your 2GB of RAM and
> 3GHz Pentium D.  Or you could just buy more RAM; it's cheap.
>
> > I am not sure if I am imagining things.  I ran the system monitor, and
> > everything seems to be fine, in terms of system usage etc as shown in
> > the systems monitor.
>
> I'm not sure what 'the system monitor' refers to.  This GNOME thing?
> https://apps.ubuntu.com/cat/applications/quantal/gnome-system-monitor/
> Seems like a GNOME/gtk front-end to /bin/ps.
>
> FYI, by no means does everyone run GNOME, so in the general case Linux
> users will not necesarily even know what you're referring to.
> The binary gnome-system-monitor simply isn't present on most systems to
> begin with.
>
> > When I run top, here is what I get
> >
> > top - 10:15:21 up 38 min,  2 users,  load average: 0.51, 0.38, 0.30
> > Tasks: 156 total,   1 running, 153 sleeping,   2 stopped,   0 zombie
> > Cpu(s):  8.6%us,  1.7%sy,  0.1%ni, 87.5%id,  2.1%wa,  0.0%hi,  0.0%si,
> > 0.0%st
> > Mem:   2051780k total,  1840156k used,   211624k free,    24248k buffers
> > Swap:  2085884k total,    30940k used,  2054944k free,   919488k cached
> >
> >   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+
> > COMMAND
> >
> >  2204 cje       20   0  953m 290m  44m S    6 14.5   2:46.75
> > firefox
> >
> >   926 root      20   0  139m  15m 6360 S    4  0.8   0:52.22
> > Xorg
> >
> >  2164 cje       20   0  484m 217m  32m S    2 10.8   0:31.35
> > epiphany-browse
>
> Um, I assume that /usr/bin/top reports a whole lot more processes than
> that, right?  I mean, hey, you didn't include for example init, which is
> process #1 and is the progenitor of all other non-kernel processes.
>
> > I notice that there are 2 users, is that normal?
>
> Well, yes.  Your X11 server (graphics engine) is running as root, you'll
> have noticed.
>
> Anyway, typically the most significant RAM column in top's (or ps's)
> output is the RES column as /usr/bin/top calls it, or the RSS column as
> /bin/ps calls it.  That's the Resident Set Size of that specific instance
> of the process.  Here ya go:
>
> http://unix.stackexchange.com/questions/35129/need-explanation-on-resident-set-size-virtual-size
>
>
> > I am also wondering if maybe an intruder put some files in my /tmp
> folder.
> > Here is the /tmp folder.  These items are directories, not files.  Are
> > these normal files?
> >
> > cje at killbeast02:/tmp$ ls
> > at-spi2         pulse-2L9K88eMlGn7  pulse-PKdhtXMmr18n
>  unity_support_test.0
> > keyring-5CivZl  pulse-dGTWtE1EYTOU  ssh-ubEHRUPJ1571
> > cje at killbeast02:/tmp$
>
> At an informed guess, yes.
>
> It would take an extremely clumsy intruder to put working files in /tmp,
> and they'd more typically be in a dotfile directory somewhere obscure.
> The intruder's first major task would then be to find a way to escalate
> local privilege to root authority, and then install a 'rootkit'
> consisting of gimmicked replacements for common administrative utilities
> like ps, top, netstat, ls, etc., designed to hide the intruder's files
> and processes from the administator's view.
>
>
> _______________________________________________
> sf-lug mailing list
> sf-lug at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/sf-lug
> Information about SF-LUG is at http://www.sf-lug.org/
>



-- 
Christian Einfeldt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://linuxmafia.com/pipermail/sf-lug/attachments/20140405/1f65c344/attachment.html>

More information about the sf-lug mailing list