Re: [SLUG] slowdown

From: Eben King (eben01@verizon.net)
Date: Wed Feb 13 2008 - 19:26:49 EST


On Wed, 13 Feb 2008, ronan wrote:

>> open("/usr/lib/X11/locale/common/ximcp.so.2", O_RDONLY) = 5
>> open("/usr/share/X11/locale/compose.dir", O_RDONLY) = 5
>> open("/usr/share/X11/locale/iso8859-1/Compose", O_RDONLY) = 5
>> open("/lib/terminfo/x/xterm", O_RDONLY|O_LARGEFILE) = 5
>>
>> Are there other operations which can give a file descriptor?
> Other system calls that can allocate a file descriptor: socket, mmap,
> pipe-something-or-other?

eben@pc:~$ strace xterm -e bash -c exit 2>&1 | grep '= 7$'
eben@pc:~$ strace xterm -e bash -c exit 2>&1 | grep '= 6$'
eben@pc:~$ strace xterm -e bash -c exit 2>&1 | grep '= 5$'
open("/usr/lib/X11/locale/common/ximcp.so.2", O_RDONLY) = 5
open("/usr/share/X11/locale/compose.dir", O_RDONLY) = 5
open("/usr/share/X11/locale/iso8859-1/Compose", O_RDONLY) = 5
open("/lib/terminfo/x/xterm", O_RDONLY|O_LARGEFILE) = 5
open("/var/run/utmp", O_RDONLY) = 5

Can it be that _nothing_ returns a result of 6 or 7? Or am I looking for
the wrong thing?

>>> The rootkit is an interesting possibility.
>>
>> Pretty poor rootkit if it doesn't use the CPU and doesn't open connections:
>>
>> root@pc:~# netstat -A inet -ap | grep -v WAIT
>> Active Internet connections (servers and established)
>> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
>> tcp 0 0 *:xtelw *:* LISTEN 5129/festival
> ...

> Don't forget that much of the point to a rootkit is that the tools that you
> would use to diagnose your system have been altered to help hide the rootkit.
> There might be processes and connections that your tools aren't showing you.

Hmm. What can I use to find out if there's something untoward going on? I
can wait until the network _should_ be idle, kill all daemons netstat lists,
and then see what the router says is happening.

-- 
-eben      QebWenE01R@vTerYizUonI.nOetP      http://royalty.mine.nu:81
AQUARIUS:  There's travel in your future when your tongue freezes to the
back of a speeding bus.  Fill the void in your pathetic life by playing
Whack-a-Mole 17 hours a day.  -- Weird Al, _Your Horoscope for Today_
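Added example, not code from anyone in this thread: a small Python replay of strace output that tracks descriptor allocation. The kernel always returns the lowest unused number, so a run of `= 5` means each file was closed before the next open, and a 6 or 7 only appears while 5 is still held; the script also lists descriptors that were never closed. The trace lines and the assumption that xterm already holds fds 0-4 are constructed.

```python
import re
from itertools import count
# Constructed sample in strace's output format, modelled on the lines quoted
# in the thread; it is not a capture from the poster's machine.
SAMPLE_TRACE = """\
open("/usr/lib/X11/locale/common/ximcp.so.2", O_RDONLY) = 5
close(5)                                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 5
connect(5, {sa_family=AF_FILE, path="/tmp/.X11-unix/X0"}, 110) = 0
open("/lib/terminfo/x/xterm", O_RDONLY|O_LARGEFILE) = 6
close(6)                                = 0
pipe([6, 7])                            = 0
close(7)                                = 0
open("/var/run/utmp", O_RDONLY)         = 7
"""
# Plain strace output (no -f/-t prefixes); failed calls return -1 and are skipped.
FD_CALL = re.compile(r'^(open|openat|creat|socket|accept4?|dup[23]?)\(.*\)\s*=\s*(\d+)$')
PAIR_CALL = re.compile(r'^(pipe2?|socketpair)\(.*\[(\d+), (\d+)\]')  # two fds at once
CLOSE_CALL = re.compile(r'^close\((\d+)\)\s*=\s*0$')

def track_fds(trace, initial=(0, 1, 2)):
    """Replay a trace; return (events, still_open). events: (line_no, fd, call,
    lowest_free) per allocation; the kernel picks the lowest unused number
    (dup2/dup3 excepted), so fd != lowest_free means a close went unseen."""
    still_open = {fd: "inherited" for fd in initial}  # fd -> where it came from
    events = []
    for n, line in enumerate(trace.splitlines(), 1):
        line = line.strip()
        if m := CLOSE_CALL.match(line):
            still_open.pop(int(m.group(1)), None)
            continue
        if m := PAIR_CALL.match(line):
            call, new = m.group(1), [int(m.group(2)), int(m.group(3))]
        elif m := FD_CALL.match(line):
            call, new = m.group(1), [int(m.group(2))]
        else:
            continue
        for fd in new:
            lowest = next(i for i in count() if i not in still_open)
            events.append((n, fd, call, None if call in ("dup2", "dup3") else lowest))
            still_open[fd] = f"{call} at line {n}"
    return events, still_open

def leaked_fds(trace, initial=(0, 1, 2)):
    """Descriptors still open at the end of the trace that were not inherited."""
    return {fd: o for fd, o in track_fds(trace, initial)[1].items() if o != "inherited"}

if __name__ == "__main__":  # xterm is assumed to hold fds 0-4 already, hence 5
    print(*track_fds(SAMPLE_TRACE, initial=range(5))[0], sep="\n")
    print("never closed:", leaked_fds(SAMPLE_TRACE, initial=range(5)))
```

Feed it a real `strace xterm ... 2>&1` capture and the events column shows why only 5 shows up; anything left in `never closed` for a long-running process is a descriptor leak worth chasing.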
-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS).  Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:01:14 EDT