/tmp/swap is causing my CPU busy

Warren Block wblock at wonkity.com
Tue Jan 10 04:09:53 UTC 2017


On Tue, 10 Jan 2017, Bill Yuan wrote:

> On 10 January 2017 at 01:04, Warren Block <wblock at wonkity.com> wrote:
>       On Tue, 10 Jan 2017, Bill Yuan wrote:
>
>             Hi,
>             Need support here. I just noticed my machine is busy and a process is the
>             root cause. I am not familiar with the memory/SWAP; can someone please help
>             to take a look? If any info is required, please let me know.
>
>             #top
>             52 processes:  1 running, 50 sleeping, 1 zombie
>             CPU:  3.5% user,  0.0% nice,  0.6% system,  0.0% interrupt, 95.9% idle
>             Mem: 53M Active, 997M Inact, 133M Wired, 44M Buf, 791M Free
>             Swap: 2100M Total, 2100M Free
>
>              PID USERNAME       THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
>             25592 root            10  25    0   778M  9272K uwait   3   0:38  19.02% .swap
>             25599 root             1  20    0  7416K  2596K CPU0    0   0:00   0.11% top
>
>             #ps -axd | grep swap
>             25481  0  S+       0:00.00 | |   `-- grep swap
>             22927  -  Ss     172:10.74 |-- /tmp/.swap
>
>             #uname -a
>             FreeBSD NetGate1 11.0-RELEASE-p1 FreeBSD 11.0-RELEASE-p1 #0 r306420: Thu
>             Sep 29 03:40:55 UTC 2016
>             root at releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC
>             i386
> 
>
>       That does not look good to me.  A hidden file named ".swap" that is *running*, and as root?  I would immediately disconnect that machine from the net and then check to see if that's a compromise, because it sure looks fishy.

> It is inside my dev environment, but I want to know what it is.

It is not a standard file, let's start with that.  Again, I would 
isolate it until I was very sure it was not a problem.

Do you have some sort of blogging software or exploitable PHP web thing 
installed?

Can this questionable file be killed without coming back?
   pkill .swap
   pgrep .swap

What kind of file is it?
   file /tmp/.swap

When was it put there?
   ls -lh /tmp/.swap
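The checks above (is the file a known type, when did it appear, does it stay dead after a kill) can be wrapped into one triage script. The following is an added example, not part of Warren's reply or of FreeBSD; it assumes a POSIX sh with find(1) and ls(1), and uses file(1), pgrep(1) and pkill(1) only when they are installed. The directory, wait time and file names are illustrative.

```shell
#!/bin/sh
# Added triage helper (not from the original thread). Assumes POSIX sh,
# find(1) and ls(1); file(1)/pgrep(1)/pkill(1) are optional.

# List hidden (dot-prefixed) regular files with the owner execute bit set
# directly under DIR. Executables hiding in a world-writable directory such
# as /tmp are a classic red flag and worth reviewing one by one.
find_hidden_execs() {
    find "$1" -maxdepth 1 -type f -name '.*' -perm -u+x 2>/dev/null | sort
}

# Describe one suspicious path: file type, owner/size/mtime, and the PIDs
# of any process whose command line mentions it.
describe_file() {
    path=$1
    printf 'path:  %s\n' "$path"
    if command -v file >/dev/null 2>&1; then
        printf 'type:  %s\n' "$(file -b "$path")"
    fi
    printf 'stat:  %s\n' "$(ls -ldh "$path")"
    if command -v pgrep >/dev/null 2>&1; then
        pids=$(pgrep -f "$path" 2>/dev/null)
        printf 'pids:  %s\n' "${pids:-none}"
    fi
}

# Kill everything matching NAME and report whether it came back within
# WAIT seconds (default 5). A process that respawns is being restarted by
# something else: a cron entry, an rc script or a parent you have not
# found yet. Returns 0 if nothing returned, 1 if it did.
respawn_check() {
    name=$1
    wait=${2:-5}
    pkill -f "$name" 2>/dev/null
    sleep "$wait"
    if pgrep -f "$name" >/dev/null 2>&1; then
        echo "a process matching '$name' is back after ${wait}s"
        return 1
    fi
    echo "nothing matching '$name' running after ${wait}s"
    return 0
}

# Walk a directory (default /tmp) and describe each hidden executable.
# Returns 1 when something was found so the result can be used in scripts.
triage_dir() {
    dir=${1:-/tmp}
    found=$(find_hidden_execs "$dir")
    if [ -z "$found" ]; then
        echo "no hidden executables directly under $dir"
        return 0
    fi
    echo "$found" | while IFS= read -r f; do
        describe_file "$f"
        echo
    done
    return 1
}

# Usage: triage_dir /tmp; then, for a confirmed bad file, respawn_check /tmp/.swap
```

Before killing anything, copy the file somewhere safe (`cp -p`) and record `ps -axd` output, because the parent shown in the process tree is often the quickest pointer to how the binary was dropped.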
