Abnormal CPU usage + virus report...

hi, I have a couple of problems (opensuse11.1):

**1: CPU that runs always very high.**

In the system monitor I have a number of unknown processes from user root,-1 that keep popping up (see yellow highlight in image1). What are they?
http://picasaweb.google.com/lh/photo/OYv_LvndSy-uFEc6Zoe01g?feat=directlink
As you may see zombie processes are also coming and going… among which dns-resolver, ifup, ifdown, ifdown-route, netconfig, nis, ntp-config, udved, grep, touch… Is that normal??

The system load view in the monitor indicates 2 CPUs with different loads (see image2) when I have only one Intel P4.
What is this?
http://picasaweb.google.com/lh/photo/xbnC6GaurHVvAMi0mu7NyA?feat=directlink
At the same time the output of command top seems more regular, except for the high cpu load, although I wouldn’t be able to say what every process is meant for. (image3)
http://picasaweb.google.com/lh/photo/cgLgZ9i5-BRia5naHaypdA?feat=directlink
Has anyone an explanation? Is it normal that most of these zombie processes seem network related?

**2. Virus report from external server**

I usually connect to a server via VPN (to access electronic journals) but recently the access has been denied to me because “my connection is infected with the worm Conficker”.
I know it is very unlikely that a linux pc catches a virus… so I am puzzled… I have a dual boot with Windows (probably infected in some ways) but haven’t used it for at least a year… and the guys running the server are a bit slow to answer.
Can anyone enlighten me please??

Thanks in advance for all your good suggestions.
Yves.

Hmmm

Something definitely odd

It is normal for modern Intels to show 2 processors. It is what they call Hyper-threading.

But the rest. Looks like something is running that should not be, i.e. a zombie. It is a process that has crashed and may be consuming CPU.

This might help shed some light

Killing zombie process

As to conficker. That is a Windows virus. And in itself can not live in Linux. On the other hand you may have a file on the system that can be infected such as an email. On yet another hand it could be that the server’s software is broken. If you want to be sure your files are clean and not accidentally pass on a virus to a more delicate OS you can install clamav.

thanks,
The zombie processes just appear and disappear before I can even kill them.
The link you gave suggests writing a script to kill them automatically, do you have any advice on how to do that?

As for the processes from user root,-1 there can be up to 10 of them popping out, but they also go before I could kill them…
I still do not understand what they are…

As for the virus report, I leave it here for now.
I have done a scan with clamav but it listed a lot of broken executables and encrypted zips also among system files that cannot be infected files, so I am afraid that if I quarantine anything I will just mess up the system even more… (I am a bit inexperienced and usually when I try to solve a problem I always create another one…)

you don’t tell us so i have to ask:

-are these new problems after running ok for a while?

-if these began immediately after an initial clean/format install did you:

  1. download the install image yourself directly from
    http://software.opensuse.org/ ? or, if not what was the source of your
    install image?

  2. did you md5sum check that iso against the md5sum also available
    from http://software.opensuse.org/ ? was it a 100% perfect match?

  3. if you/did you then burn the image to a disk yourself and then did
    you do this first, before actual install?
    http://tinyurl.com/yajm2aq and, if you did what was the result of
    that test?

  4. have you since the initial install run all security updates and
    patches available via YaST or the Online Updater?

  5. how often, if ever do you log into KDE/Gnome/etc as root to solve
    problems? to browse the net?

  6. your password is it long and strong, without ‘words’ found in
    dictionaries or easily guessed, does it have both upper and lower case
    letters…and does it have some numbers and symbols? is your root
    password even longer and stronger?

  7. are there any others who have your passwords and access to your
    machine?

i ask these things because it kinda sounds like (to me) that either
you have a faulty install or have been rooted…

however, the server’s “my connection is infected with the worm
Conficker” does not say YOUR machine is infected, but rather the
connection is…and, i wonder if you are (say) in a dorm or company
or building or wifi where many folks would be going out to the net
through the same (apparent) single IP and someone else within that
group is sending infecting emails etc which has been detected by the
firewall/gateway of the electronic journals holder and therefore
marked the single IP as a source…and, everyone inside the
building/dorm/local network is therefore suspect?


palladium

Thanks Palladium,

Pb with cpu usage is solved.
I went to look at the files in /var/log/ especially /var/log/warn
and found that the system was trying every few seconds to install a network card but failed, so tried again, and again…
That wlan card I have on one of the pci slots was not compatible/not recognized by the system at the time I switched from Windows to linux and I just never really bothered with it.
Now it appears in the hardware list, maybe after some update of the system… ? Anyway I disabled it and things are now fine.

but to answer some of your questions

> -are these new problems after running ok for a while?

as I said it might have followed an automatic update…

> 4. have you since the initial install run all security updates and patches available via YaST or the Online Updater?

yep!

> 5. how often, if ever do you log into KDE/Gnome/etc as root to solve problems? to browse the net?

hardly ever… if never…

> 6. your password is it long and strong…

I think it is as strong as it can be… and not shared with anyone…

> however, the server’s “my connection is infected with the worm
> Conficker” does not say YOUR machine is infected, but rather the
> connection is…and, i wonder if you are (say) in a dorm or company or building or wifi where many folks would be going out to the net through the same (apparent) single IP and someone else within that group is sending infecting emails etc which has been detected by the firewall/gateway of the electronic journals holder and therefore marked the single IP as a source…and, everyone inside the building/dorm/local network is therefore suspect?

thanks… well we are 1 mac + 1 linux pc connecting with the same router… the weird thing is that kvpnc seems able to tunnel to the server but access is systematically denied in the browser (firefox)…
anyway I will try to contact the server support a n+1 time…

thanks again!
y.
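
The check that resolved the CPU problem in the post above (reading /var/log/warn and spotting one event that repeats every few seconds) can be done mechanically. This is an added example, not part of the original posts; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find messages that repeat in a syslog-style file such as
# /var/log/warn. A failing service that retries in a loop shows up as one
# message with a very high count.

# top_repeats FILE [MIN_COUNT]
# FILE may be "-" to read standard input. Prints "count<TAB>message" for
# every normalized message seen at least MIN_COUNT times (default 5),
# most frequent first.
top_repeats() {
    file=${1:--}
    min=${2:-5}
    awk -v min="$min" '
    NF >= 5 {
        # Drop "Mon DD HH:MM:SS host" so identical events compare equal.
        msg = $5
        for (i = 6; i <= NF; i++) msg = msg " " $i
        # Collapse PIDs and other numbers, which differ between retries.
        gsub(/[0-9]+/, "N", msg)
        count[msg]++
    }
    END {
        for (m in count)
            if (count[m] >= min) printf "%d\t%s\n", count[m], m
    }' "$file" | sort -rn
}

# Constructed sample input (not taken from the poster's machine):
# one event retried six times with changing PIDs, plus one unrelated line.
sample_log() {
    cat <<'EOF'
Nov  3 10:15:02 linux ifup[4101]: wlan0 device setup failed (constructed sample)
Nov  3 10:15:05 linux ifup[4117]: wlan0 device setup failed (constructed sample)
Nov  3 10:15:08 linux ifup[4133]: wlan0 device setup failed (constructed sample)
Nov  3 10:15:10 linux sshd[2200]: unrelated line (constructed sample)
Nov  3 10:15:11 linux ifup[4149]: wlan0 device setup failed (constructed sample)
Nov  3 10:15:14 linux ifup[4165]: wlan0 device setup failed (constructed sample)
Nov  3 10:15:17 linux ifup[4181]: wlan0 device setup failed (constructed sample)
EOF
}

# Demo on the sample; on a real system run: top_repeats /var/log/warn 20
sample_log | top_repeats - 5
```

Because PIDs and interface numbers are collapsed to `N`, the six retries are counted as one event even though no two raw lines are identical.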

ynk1 wrote:
> thanks again!

welcome…and i make a mental note to try to always remember to ask if
the logs have been checked…


palladium