intrusion? find is thrashing my disk every time I boot.
Lowell Gilbert
freebsd-questions-local at be-well.ilk.org
Thu Jun 5 14:38:58 UTC 2008
"Steve Franks" <stevefranks at ieee.org> writes:
> I'm really no security expert. I don't leave the system up 24/7, and
> I'm on a US DSL connection with a bunch of windows boxes.
>
> Seems to be a recent phenomena, I've started experiencing disk
> thrashing I can hear across the room. ps and top report cvslockd has
> been responsible for the thrashing (which usually occurs at a specific
> time of day (~1 am MST)), but now, find is doing the thrashing at boot
> every time (within the last week at least). Needless to say, I
> haven't changed the system in any way during that week. On windows,
> I'd just assume this to be normal behavior, but on FreeBSD, it's got
> me worried...
>
> I presume the security section of the manual has a good into to
> detecting intruders, but first I'm interested if there is a legitimate
> reason for find to be torturing my disk. I don't run much on my
> system - apache, cvs, portsnap, ssh, that's about it.
That's not really so little. I would tend to doubt it's a security
issue, but tracking it down is still a good idea. You should be able
to see what user is running the find, using ps(1), and that might give
a clue to what the purpose is (but probably not; it'll probably turn
out to be root). Once you've tried that, you could use sockstat(1) to
track down what file the find operation is dumping into.
--
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
More information about the freebsd-questions
mailing list