
Thread: Abnormal CPU usage + virus report...

  1. #1

    Question Abnormal CPU usage + virus report...

    hi, I have a couple of problems (opensuse11.1):

    1: CPU that runs always very high.

    In the system monitor I have a number of unknown processes from user root,-1 that keep popping up (see yellow highlight in image1). What are they?

    As you may see zombie processes are also coming and going... among which dns-resolver, ifup, ifdown, ifdown-route, netconfig, nis, ntp-config, udved, grep,
    touch....
    Is that normal??

    The system load view in the monitor indicates 2 CPUs with different loads (see image2) when I have only one intelP4.
    What is this?

    At the same time the output of command top seems more regular, except for the high cpu load, although I wouldn't be able to say what every process is meant for. (image3)

    Has anyone an explanation? Is it normal that most of these zombie processes seem network related?

    2. Virus report from external server

    I usually connect to a server via VPN (to access electronic journals) but recently the access has been denied to me because "my connection is infected with the worm Conficker".
    I know it is very unlikely that a linux pc catches a virus.. so I am puzzled... I have a dual boot with Windows (probably infected in some ways) but haven't used it for at least a year.. and the guys running the server are a bit slow to answer.
    Can anyone enlighten me please??

    Thanks in advance for all your good suggestions.
    Yves.

  2. #2

    Default Re: Abnormal CPU usage + virus report...

    Hmmm

    Something definitely odd

    It is normal for modern Intel's to show 2 processors. It is what they call Hyper-threading

    But the rest. Looks like something is running that should not be, i.e. a zombie. It is a process that has crashed and may be consuming CPU

    This might help shed some light

    Killing zombie process

    As to conficker. That is a Windows virus. And in itself can not live in Linux. On the other hand you may have a file on the system that can be infected such as an email. On yet another hand it could be that the server's software is broken. If you want to be sure your files are clean and not accidentally pass on a virus to a more delicate OS you can install clamav

  3. #3

    Default Re: Abnormal CPU usage + virus report...

    thanks,
    The zombie processes just appear and disappear before I can even kill them.
    The link you gave suggests writing a script to kill them automatically, do you have any advice on how to do that?

    As for the processes from user root,-1 there can be up to 10 of them popping out, but they also go before I could kill them...
    I still do not understand what they are...

    As for the virus report, I leave it here for now.
    I have done a scan with clamav but it listed a lot of broken executables and encrypted zips also among system files that cannot be infected files, so I am afraid that if I quarantine anything I will just mess up the system even more... (I am a bit inexperienced and usually when I try to solve a problem I always create another one..)
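
Added example, not part of the original thread: a zombie entry has already exited and cannot be killed, so the useful check is which parent keeps spawning the short-lived children and has not yet reaped them. The script groups zombie rows of `ps` output by parent PID; the sample rows, PIDs and the parent name `hotplug-helper` are constructed for illustration.

```shell
#!/bin/sh
# Group zombie (state Z) processes by parent PID.
# A zombie is only a process-table entry waiting for its parent to collect
# the exit status, so the parent is the process worth investigating.

# zombies_by_parent: reads "PID PPID STAT COMMAND" rows on stdin (the layout
# produced by `ps -eo pid=,ppid=,stat=,comm=`) and prints one line per parent:
#   <ppid> <zombie count> <comma-separated zombie command names>
# sorted with the busiest parent first.
zombies_by_parent() {
    awk '$3 ~ /^Z/ {
             count[$2]++
             names[$2] = (names[$2] == "" ? $4 : names[$2] "," $4)
         }
         END { for (p in count) print p, count[p], names[p] }' |
        sort -k2,2nr -k1,1n
}

# watch_zombies N: take N samples one second apart, because the zombies in
# the thread come and go too quickly to catch in a single snapshot.
watch_zombies() {
    i=0
    while [ "$i" -lt "$1" ]; do
        ps -eo pid=,ppid=,stat=,comm= | zombies_by_parent
        sleep 1
        i=$((i + 1))
    done
}

# Constructed sample input (not captured from the poster's machine).
sample_ps() {
    cat <<'EOF'
    1     0 Ss   init
  812     1 Ss   hotplug-helper
 4101   812 Z    ifup
 4102   812 Z    netconfig
 4103   812 Z    dns-resolver
 3950     1 S    bash
 4200  3950 Z    grep
EOF
}

sample_ps | zombies_by_parent
```

On a live system, `watch_zombies 10` samples for ten seconds; the parent PID that keeps reappearing can then be looked up with `ps -fp <ppid>` and matched against the messages in /var/log/warn.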

  4. #4
    palladium NNTP User

    Default Re: Abnormal CPU usage + virus report...

    you don't tell us so i have to ask:

    -are these new problems after running ok for a while?

    -if these began immediately after an initial clean/format install did you:

    1. download the install image yourself directly from
    http://software.opensuse.org/ ? or, if not what was the source of your
    install image?

    2. did you md5sum check that iso against the md5sum also available
    from http://software.opensuse.org/ ? was it a 100% perfect match?

    3. if you/did you then burn the image to a disk yourself and then did
    you do this first, before actual install?
    http://tinyurl.com/yajm2aq and, if you did what was the result of
    that test?

    4. have you since the initial install run all security updates and
    patches available via YaST or the Online Updater?

    5. how often, if ever do you log into KDE/Gnome/etc as root to solve
    problems? to browse the net?

    6. your password is it long and strong, without 'words' found in
    dictionaries or easily guessed, does it have both upper and lower case
    letters...and does it have some numbers and symbols? is your root
    password even longer and stronger?

    7. are there any others who have your passwords and access to your
    machine?

    i ask these things because it kinda sounds like (to me) that either
    you have a faulty install or have been rooted..

    however, the server's "my connection is infected with the worm
    Conficker" does not say YOUR machine is infected, but rather the
    *connection* is....and, i wonder if you are (say) in a dorm or company
    or building or wifi where many folks would be going out to the net
    through the same (apparent) single IP and someone else within that
    group *is* sending infecting emails etc which has been detected by the
    firewall/gateway of the electronic journals holder and therefore
    marked the single IP as a source...and, everyone inside the
    building/dorm/local network is therefore suspect?

    --
    palladium

  5. #5

    Default Re: Abnormal CPU usage + virus report...

    Thanks Palladium,

    Pb with cpu usage is solved.
    I went to look at the files in /var/log/ especially /var/log/warn
    and found that the system was trying every few seconds to install a network card but failed, so tried again, and again..
    That wlan card I have on one of the pci slots was not compatible/not recognized by the system at the time I switched from Windows to linux and I just never really bothered with it.
    Now it appears in the hardware list, maybe after some update of the system... ? Anyway I disabled it and things are now fine.

    but to answer some of your questions

    -are these new problems after running ok for a while?
    as I said it might have followed an automatic update..

    4. have you since the initial install run all security updates and patches available via YaST or the Online Updater?
    yep!

    5. how often, if ever do you log into KDE/Gnome/etc as root to solve problems? to browse the net?
    hardly ever.. if never...

    6. your password is it long and strong...
    I think it is as strong as it can be.. and not shared with anyone..

    however, the server's "my connection is infected with the worm
    Conficker" does not say YOUR machine is infected, but rather the
    *connection* is....and, i wonder if you are (say) in a dorm or company or building or wifi where many folks would be going out to the net through the same (apparent) single IP and someone else within that group *is* sending infecting emails etc which has been detected by the firewall/gateway of the electronic journals holder and therefore marked the single IP as a source...and, everyone inside the building/dorm/local network is therefore suspect?
    thanks.. well we are 1 mac + 1 linux pc connecting with the same router.. the weird thing is that kvpnc seems able to tunnel to the server but access is systematically denied in the browser (firefox)...
    anyway I will try to contact the server support a n+1 time..

    thanks again!
    y.

  6. #6
    palladium NNTP User

    Default Re: Abnormal CPU usage + virus report...

    ynk1 wrote:
    > thanks again!


    welcome...and i make a mental note to try to always remember to ask if
    the logs have been checked...

    --
    palladium
