Date:      Tue, 10 Jan 2017 10:55:26 +0800
From:      Bill Yuan <bycn82@gmail.com>
To:        Warren Block <wblock@wonkity.com>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: /tmp/swap is causing my CPU busy
Message-ID:  <CAC%2BJH2wBrEz9G0YT7iagQhnDFYXMkoh0cRwySRJSYWbCnY=DGw@mail.gmail.com>
In-Reply-To: <alpine.BSF.2.20.1701091000290.3484@wonkity.com>
References:  <CAC%2BJH2wO6kpKB8DfHMW=Yi081Hi4jU=vnFzuyq54jXPhbqk0YQ@mail.gmail.com> <alpine.BSF.2.20.1701091000290.3484@wonkity.com>

It is inside my dev environment, but I want to know what it is.

On 10 January 2017 at 01:04, Warren Block <wblock@wonkity.com> wrote:

> On Tue, 10 Jan 2017, Bill Yuan wrote:
>
>> Hi,
>> Need support here. I just noticed my machine is busy and a process is the
>> root cause, I am not familiar with the memory/SWAP, Can someone please help
>> to take a look? any info is required? please let me know.
>>
>> #top
>> 52 processes:  1 running, 50 sleeping, 1 zombie
>> CPU:  3.5% user,  0.0% nice,  0.6% system,  0.0% interrupt, 95.9% idle
>> Mem: 53M Active, 997M Inact, 133M Wired, 44M Buf, 791M Free
>> Swap: 2100M Total, 2100M Free
>>
>>  PID USERNAME       THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
>> 25592 root            10  25    0   778M  9272K uwait   3   0:38  19.02% .swap
>> 25599 root             1  20    0  7416K  2596K CPU0    0   0:00   0.11% top
>>
>> #ps -axd | grep swap
>> 25481  0  S+       0:00.00 | |   `-- grep swap
>> 22927  -  Ss     172:10.74 |-- /tmp/.swap
>>
>> #uname -a
>> FreeBSD NetGate1 11.0-RELEASE-p1 FreeBSD 11.0-RELEASE-p1 #0 r306420: Thu Sep 29 03:40:55 UTC 2016 root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC i386
>>
>
> That does not look good to me.  A hidden file named ".swap" that is
> *running*, and as root?  I would immediately disconnect that machine from
> the net and then check to see if that's a compromise, because it sure looks
> fishy.
>



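The two traits called out in the reply above (a dot-prefixed file name and an executable path under /tmp) can be checked mechanically over `ps -axd` output. The script below is an added example, not part of the original thread; the function names, the reason labels and the benign sample lines are assumptions, and only the two `ps` lines from the post are taken from the page.

```shell
#!/bin/sh
# Added triage example (not from the thread): flag processes whose command
# path is in a temp directory or whose file name is hidden (dot-prefixed).
# Assumes the `ps -axd` column layout shown in the post: PID TT STAT TIME COMMAND.

flag_suspicious() {
    awk '
    $1 !~ /^[0-9]+$/ { next }            # skip the header line
    {
        exe = ""
        # With -d the command is preceded by tree decoration (|, `--, |--).
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^[|`-]+$/) continue
            exe = $i
            break
        }
        if (exe == "") next
        n = split(exe, part, "/")
        base = part[n]
        why = ""
        if (exe ~ "^/(tmp|var/tmp)/") why = "tmp-dir"
        if (substr(base, 1, 1) == ".")
            why = (why == "" ? "hidden-name" : why ",hidden-name")
        if (why != "") printf "%s %s %s\n", $1, exe, why
    }'
}

# Sample input: the two ps lines quoted in the post plus constructed benign lines.
sample_ps() {
    cat <<'EOF'
  PID TT  STAT      TIME COMMAND
  612  -  Is     0:01.20 |-- /usr/sbin/sshd
  700  -  Ss     0:00.10 |-- /usr/sbin/cron -s
25481  0  S+     0:00.00 | |   `-- grep swap
22927  -  Ss   172:10.74 |-- /tmp/.swap
EOF
}

sample_ps | flag_suspicious
```

The COMMAND column reflects argv, which a process can set itself, so a hit is a lead rather than proof; on FreeBSD, `procstat -b <pid>` reports the path of the binary actually executing.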