From owner-freebsd-stable  Fri Sep  8  7:40:27 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66])
	by hub.freebsd.org (Postfix) with ESMTP id 82EA337B422
	for <stable@freebsd.org>; Fri,  8 Sep 2000 07:40:23 -0700 (PDT)
Received: (from str@localhost)
	by giganda.komkon.org (8.9.3/8.9.3) id KAA34920
	for stable@freebsd.org; Fri, 8 Sep 2000 10:40:22 -0400 (EDT)
	(envelope-from str)
Date: Fri, 8 Sep 2000 10:40:22 -0400 (EDT)
From: Igor Roshchin <str@giganda.komkon.org>
Message-Id: <200009081440.KAA34920@giganda.komkon.org>
To: stable@freebsd.org
Subject: "high load" on a almost idle system.
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG


Hello!

I have a host running 4.0-RELEASE
I've noticed that suddenly the load became more than 1,
and it is sustained at that level for long time.
I killed and restarted all processes that could've been producing the load.
Now, I don't see any processes that could be the reason for such a load,
(I am using "top" and "ps"),
nor I see any unaccounted processes in /proc.

host: [10:16] [140] ~#w
10:17AM  up 63 days, 16:16, 1 user, load averages: 1.24, 1.34, 1.16
USER             TTY      FROM              LOGIN@  IDLE WHAT
str              p0       anotherhost 	   Thu09AM     - w

There are just one or two connections to sendmail or/and pop3 server
as shown by netstat, but those are short-term connections.

Q.:
1. Is there any bug in 4.0 that could be responsible for indicating
such relatively high load (in the absense of "active" processes") ?
The ps and systat -vmstat outputs are below.
systat -vmstat does not show much activity.

Also:
2. Although it doesn't look like the host is compromized, but if it
was, how can I check for "hidden" processes (assuming that the kernel
was not changed (if hiding is possible in this case), and otherwise) ?


Thanks,

Igor

PS. Please, Cc: to me your responses.

systat -vmstat output:

    1 users    Load  1.18  1.11  1.09                  Fri Sep  8 10:29

Mem:KB    REAL            VIRTUAL                     VN PAGER  SWAP PAGER
        Tot   Share      Tot    Share    Free         in  out     in  out
Act    4892     992     7012     1144   35560 count
All   90384    1360  2488568     1672         pages
                                                          zfod   Interrupts
Proc:r  p  d  s  w    Csw  Trp  Sys  Int  Sof  Flt        cow     231 total
              6        10    1   26  231    5    1  15804 wire        ata0 irq14
                                                    14792 act         ahc0 irq9
 0.3%Sys   3.0%Intr  0.0%User  0.0%Nice 96.7%Idl    59788 inact     3 xl0 irq11
|    |    |    |    |    |    |    |    |    |            cache       fdc0 irq6
++                                                  35560 free        atkbd0 irq
                                                          daefr       sio0 irq4
Namei         Name-cache    Dir-cache                     prcfr       sio1 irq3
    Calls     hits    %     hits    %                     react   100 clk irq0
                                                          pdwak   128 rtc irq8
                                                          pdpgs
Disks   ad0   da0   da1   fd0 pass0 pass1   md0           intrn
KB/t   0.00  0.00  0.00  0.00  0.00  0.00  0.00      6430 buf
tps       0     0     0     0     0     0     0         9 dirtybuf
MB/s   0.00  0.00  0.00  0.00  0.00  0.00  0.00      8403 desiredvnodes
% busy    0     0     0     0     0     0     0      5483 numvnodes



host: [10:13] [131] ~#ps -ajxww
USER     PID  PPID  PGID   SESS JOBC STAT  TT       TIME COMMAND
root       0     0     0 340a00    0 DLs   ??    0:09.61  (swapper)
root       1     0     1 a18740    0 ILs   ??    0:08.85 /sbin/init --
root       2     0     0 340a00    0 DL    ??    0:22.66  (pagedaemon)
root       3     0     0 340a00    0 DL    ??    0:00.00  (vmdaemon)
root       4     0     0 340a00    0 DL    ??    0:18.40  (bufdaemon)
root       5     0     0 340a00    0 DL    ??   53:58.13  (syncer)
root      33     1    33 a57e40    0 Is    ??    0:00.00 adjkerntz -i
daemon   127     1   127 a75d00    0 Is    ??    0:00.05 /usr/sbin/portmap
root     147     1   147 a75240    0 Ss    ??    6:06.07 inetd -wW
root     149     1   149 a75640    0 Is    ??    1:15.27 cron
root     152     1   152 a75540    0 Is    ??    0:00.01 /usr/sbin/lpd -l
root    2055     1  2055 a874c0    0 Is    ??    0:24.49 /usr/sbin/sshd
root   10158  2055  2055 a874c0    0 S     ??    0:03.94 sshd: str@ttyp0 (sshd)
root   15400     1 15400 c2dd40    0 Ss    ??    4:24.74 sendmail: accepting connections on port 25 (sendmail)
root   19697     1 19697 c2dc80    0 Ss    ??    0:03.57 /usr/sbin/named
root   19715     1 19715 a70040    0 S<s   ??    0:00.18 ntpd -p /var/run/ntpd.pid
root   19723     1 19723 a18340    0 Ss    ??    0:00.46 syslogd -vv
root   20025 15400 15400 c2dd40    0 I     ??    0:00.04 sendmail: server [XXX.XXX.XXX.XX] child wait (sendmail)
root   20026 20025 15400 c2dd40    0 S     ??    0:00.97 sendmail: KAA20026 [XXX.XXX.XXX.XX]: DATA (sendmail)
str    10159 10158 10159 b9ee00    0 Is    p0    0:00.47 -tcsh (tcsh)
root   19800 10159 19800 b9ee00    1 S     p0    0:00.56 _su -m (tcsh)
root   20035 19800 20035 b9ee00    1 R+    p0    0:00.00 ps -ajxww
root     449     1   449 a75ac0    0 Is+   v0    0:00.04 /usr/libexec/getty Pc ttyv0
root     197     1   197 a8eb00    0 Is+   v1    0:00.02 /usr/libexec/getty Pc ttyv1
root     307     1   307 a75b00    0 Is+   v2    0:00.05 /usr/libexec/getty Pc ttyv2
root     199     1   199 a8e700    0 Is+   v3    0:00.02 /usr/libexec/getty Pc ttyv3
root     200     1   200 a8e800    0 Is+   v4    0:00.02 /usr/libexec/getty Pc ttyv4
root     201     1   201 a8ea40    0 Is+   v5    0:00.02 /usr/libexec/getty Pc ttyv5
root     202     1   202 a8e980    0 Is+   v6    0:00.02 /usr/libexec/getty Pc ttyv6
root     203     1   203 a8e8c0    0 Is+   v7    0:00.02 /usr/libexec/getty Pc ttyv7
host: [10:13] [132] ~#ps -auxww
USER     PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
root   20037  0.0  0.2   416  224  p0  R+   10:13AM   0:00.00 ps -auxww
root       1  0.0  0.2   512  204  ??  ILs   6Jul00   0:08.85 /sbin/init --
root       2  0.0  0.0     0    0  ??  DL    6Jul00   0:22.66  (pagedaemon)
root       3  0.0  0.0     0    0  ??  DL    6Jul00   0:00.00  (vmdaemon)
root       4  0.0  0.0     0    0  ??  DL    6Jul00   0:18.40  (bufdaemon)
root       5  0.0  0.0     0    0  ??  DL    6Jul00  53:58.14  (syncer)
root      33  0.0  0.1   208   64  ??  Is    6Jul00   0:00.00 adjkerntz -i
daemon   127  0.0  0.4   892  540  ??  Is    6Jul00   0:00.05 /usr/sbin/portmap
root     147  0.0  0.5  1012  604  ??  Ss    6Jul00   6:06.08 inetd -wW
root     149  0.0  0.5   928  608  ??  Is    6Jul00   1:15.27 cron
root     152  0.0  0.4   888  500  ??  Is    6Jul00   0:00.01 /usr/sbin/lpd -l
root     197  0.0  0.4   892  496  v1  Is+   6Jul00   0:00.02 /usr/libexec/getty Pc ttyv1
root     199  0.0  0.4   892  496  v3  Is+   6Jul00   0:00.02 /usr/libexec/getty Pc ttyv3
root     200  0.0  0.4   892  496  v4  Is+   6Jul00   0:00.02 /usr/libexec/getty Pc ttyv4
root     201  0.0  0.4   892  496  v5  Is+   6Jul00   0:00.02 /usr/libexec/getty Pc ttyv5
root     202  0.0  0.4   892  496  v6  Is+   6Jul00   0:00.02 /usr/libexec/getty Pc ttyv6
root     203  0.0  0.4   892  496  v7  Is+   6Jul00   0:00.02 /usr/libexec/getty Pc ttyv7
root     307  0.0  0.4   896  520  v2  Is+   6Jul00   0:00.05 /usr/libexec/getty Pc ttyv2
root     449  0.0  0.4   896  524  v0  Is+   6Jul00   0:00.04 /usr/libexec/getty Pc ttyv0
root    2055  0.0  0.8  1812 1000  ??  Is    7Jul00   0:24.49 /usr/sbin/sshd
root   15400  0.0  0.9  1396 1104  ??  Ss   10Jul00   4:24.74 sendmail: accepting connections on port 25 (sendmail)
root   10158  0.0  1.0  1876 1232  ??  S    Thu09AM   0:03.97 sshd: str@ttyp0 (sshd)
str    10159  0.0  1.0  1652 1316  p0  Is   Thu09AM   0:00.47 -tcsh (tcsh)
root   19697  0.0  1.8  2752 2232  ??  Ss    9:55AM   0:03.59 /usr/sbin/named
root   19715  0.0  0.6  1220  816  ??  S<s   9:57AM   0:00.18 ntpd -p /var/run/ntpd.pid
root   19723  0.0  0.5   884  592  ??  Ss    9:57AM   0:00.46 syslogd -vv
root   19800  0.0  1.0  1648 1300  p0  S    10:00AM   0:00.57 _su -m (tcsh)
root   20025  0.0  0.9  1452 1184  ??  I    10:12AM   0:00.04 sendmail: server [XXX.XXX.XXX.XX] child wait (sendmail)
root   20026  0.2  1.0  1492 1256  ??  S    10:12AM   0:01.03 sendmail: KAA20026 [XXX.XXX.XXX.XX]: DATA (sendmail)
root       0  0.0  0.0     0    0  ??  DLs   6Jul00   0:09.61  (swapper)



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message