From: Lowell Gilbert
To: stevefranks@ieee.org
Cc: FreeBSD Mailing List
Date: Thu, 05 Jun 2008 10:38:56 -0400
Subject: Re: intrusion? find is thrashing my disk every time I boot.

"Steve Franks" writes:

> I'm really no security expert. I don't leave the system up 24/7, and
> I'm on a US DSL connection with a bunch of Windows boxes.
>
> Seems to be a recent phenomenon, I've started experiencing disk
> thrashing I can hear across the room. ps and top report cvslockd has
> been responsible for the thrashing (which usually occurs at a specific
> time of day (~1 am MST)), but now, find is doing the thrashing at boot
> every time (within the last week at least). Needless to say, I
> haven't changed the system in any way during that week. On Windows,
> I'd just assume this to be normal behavior, but on FreeBSD, it's got
> me worried...
>
> I presume the security section of the manual has a good intro to
> detecting intruders, but first I'm interested if there is a legitimate
> reason for find to be torturing my disk. I don't run much on my
> system - apache, cvs, portsnap, ssh, that's about it.

That's not really so little.

I would tend to doubt it's a security issue, but tracking it down is
still a good idea.

You should be able to see what user is running the find, using ps(1),
and that might give a clue to what the purpose is (but probably not;
it'll probably turn out to be root).

Once you've tried that, you could use sockstat(1) to track down what
file the find operation is dumping into.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
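
The following is an added example, not part of the message above. It takes the ps(1) check one step further than the owning user: it walks each `find` process back through its parent chain, so the listing shows what launched it. The process snapshot is constructed for illustration, and `sample_ps` and `find_ancestry` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. sample_ps and find_ancestry are hypothetical helper names.

# Constructed snapshot in the layout of `ps -axo pid,ppid,user,command`.
# None of these processes come from the thread.
sample_ps() {
cat <<'EOF'
  PID  PPID USER  COMMAND
    1     0 root  /sbin/init --
  612     1 root  /usr/sbin/cron -s
  940   612 root  cron: running job (cron)
  941   940 root  /bin/sh - /usr/sbin/periodic daily
  977   941 root  /bin/sh /etc/periodic/security/100.chksetuid
  981   977 root  find -sx / /dev/null -type f -perm -u+s -ls
 1200     1 steve -tcsh (tcsh)
EOF
}

# Read a ps listing on stdin. For every process whose executable is named
# "find", print it and then each ancestor, indented one level per generation.
find_ancestry() {
  awk '
    NR == 1 { next }                        # skip the header row
    {
      pid = $1; parent[pid] = $2; owner[pid] = $3
      cmd = $0                              # keep the full command line
      sub(/^[ \t]*[0-9]+[ \t]+[0-9]+[ \t]+[^ \t]+[ \t]+/, "", cmd)
      command[pid] = cmd
      n = split($4, part, "/")              # basename of argv[0]
      if (part[n] == "find") target[++t] = pid
    }
    END {
      for (i = 1; i <= t; i++) {
        p = target[i]; indent = ""
        # Stop at an unknown parent (PID 0) or after 64 hops as a loop guard.
        for (hop = 0; (p in parent) && hop < 64; hop++) {
          printf "%s%s (pid %s, user %s)\n", indent, command[p], p, owner[p]
          p = parent[p]; indent = indent "  "
        }
      }
    }'
}

# Live use on the affected host: ps -axo pid,ppid,user,command | find_ancestry
sample_ps | find_ancestry
```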