From owner-freebsd-questions@FreeBSD.ORG Wed Nov 19 16:49:22 2008
Date: Wed, 19 Nov 2008 08:49:19 -0800
From: Jeremy Chadwick <jdc@parodius.com>
To: John Almberg
Cc: freebsd-questions@freebsd.org
Subject: Re: snmpd strangeness
Message-ID: <20081119164919.GA2347@icarus.home.lan>
User-Agent: Mutt/1.5.18 (2008-05-17)

On Wed, Nov 19, 2008 at 10:57:50AM -0500, John Almberg wrote:
> I just noticed something odd and am looking for ideas...
>
> As you can see from the top snippet below, snmpd is getting hammered by
> something. As a comparison, the load averages for this quad-core box are
> usually close to zero.
>
> I'm not even sure I'm using snmpd for anything... not even sure what it
> is, precisely.
>
> I'm digging into docs at the moment, but any ideas much appreciated.

I'm greatly concerned by the fact that you have a process on your machine
taking up 103% CPU time (possible on a quad-core machine), taking up
2621MBytes of memory (RSS), yet you have no idea what it is, what SNMP is,
or why said process is running on your machine. :-)

You can truss the pid to find out what it's doing, but based on the above
I'm not sure the truss output will be of much use to you.

I would recommend finding out who/what started it by looking at the ppid
of the process (ps -alx | grep 45136, then look at the 3rd column which
is the ppid; then do ps -alx | grep {ppid}). It's very possible the ppid
will be 1, which is init, which means in this case it was probably
started by a script in /usr/local/etc/rc.d.

I would then recommend using gcore on the snmpd pid, which will write out
a very large file (~2.6GB) to $PWD. You can then examine that later.

I would then recommend killing it off, then go on a quest to find out why
net-snmpd is on your machine -- and equally as odd, why it's running. For
this to start, something has to be in /etc/rc.conf to initialise it.

There's also the possibility that the process running isn't snmpd at all,
but rather a binary of a hacker who has gained access to your box,
especially given that you have no idea what it is.

> last pid: 38974;  load averages:  1.24,  1.40,  1.58
> 342 processes: 6 running, 336 sleeping
> CPU states: 13.7% user,  0.0% nice, 13.9% system,  0.3% interrupt, 72.1% idle
> Mem: 5997M Active, 596M Inact, 420M Wired, 206M Cache, 214M Buf, 457M Free
> Swap: 16G Total, 123M Used, 16G Free
>
>   PID USERNAME  THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
> 45136 root        1 104    0  2636M  2621M CPU5   4 254.1H 103.91% snmpd
> 37368 www         1  20    0   193M 46232K lockf  6   0:05   3.91% httpd
> 38819 identry     1 -32    0  7688K  2648K CPU0   0   0:02   1.61% top

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
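The ppid lookup suggested in the reply above, as an added example that is not part of the original thread: it walks a pid's ancestry up to init from a `ps -axo pid,ppid,comm` table, matching the PID column exactly instead of grepping for the number (which also hits pids that merely contain those digits, and the grep itself). The `walk_ppid` function name and the sample table are constructed for this example.

```shell
#!/bin/sh
# walk_ppid PID  - reads a ps table (pid, ppid, comm; header optional) from
# stdin and prints the chain from PID up to init (pid 1).
# Live use on the box from the thread:
#   ps -axo pid,ppid,comm | walk_ppid 45136
# A ppid of 1 means the process was started directly by init, typically
# from an rc.d script enabled in /etc/rc.conf.
walk_ppid() {
    awk -v start="$1" '
        $1 !~ /^[0-9]+$/ { next }            # skip the header line, if any
        { ppid[$1] = $2; cmd[$1] = $3 }      # index parent and command by pid
        END {
            if (!(start in ppid)) { print "pid " start " not found"; exit 1 }
            pid = start; depth = 0
            while (pid in ppid) {
                printf "%s%s (pid %s, ppid %s)\n",
                       (depth ? "  <- " : ""), cmd[pid], pid, ppid[pid]
                # stop at init, at a self-parented root, or if the table is cyclic
                if (pid == 1 || ppid[pid] == pid || ++depth > 100) break
                pid = ppid[pid]
            }
        }'
}

# Constructed sample table standing in for `ps -axo pid,ppid,comm` output;
# snmpd here was started by a shell (pid 972) that init launched.
SAMPLE='  PID  PPID COMMAND
    1     0 init
  972     1 sh
45136   972 snmpd
  988     1 httpd
37368   988 httpd'

printf '%s\n' "$SAMPLE" | walk_ppid 45136
```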