Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: ber on February 13, 2012, 03:23:34 AM
-
Hi. SME 7.5 with all updates installed, in server/gateway mode. Dansguardian installed and running.
Over the last week I noticed that our internet was running slow and sluggish. I did more investigation and noticed that the CPU average had increased by 40%; usually it's about 7-8%. The CPU chassis light was flickering more than it normally does.
I have sme7admin installed and checked the CPU/load/service/RAM resources
ran the top command...
login as: root
root@192.168.0.254's password:
Last login: Mon Feb 13 14:08:53 2012
[root@server ~]# top
top - 14:40:58 up 1:48, 2 users, load average: 2.34, 2.95, 5.24
Tasks: 274 total, 1 running, 273 sleeping, 0 stopped, 0 zombie
Cpu(s): 15.2% us, 4.0% sy, 0.0% ni, 0.0% id, 80.8% wa, 0.0% hi, 0.0% si
Mem: 905368k total, 895836k used, 9532k free, 2840k buffers
Swap: 1835000k total, 962444k used, 872556k free, 16392k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
5673 clamav 16 0 18572 5252 932 S 8.3 0.6 0:01.48 dansguardian
8650 root 16 0 1214m 647m 1596 D 5.3 73.3 1:07.23 sme7admind
4735 squid 15 0 21372 5504 1536 S 2.7 0.6 0:17.54 squid
4787 clamav 15 0 18572 6428 932 S 0.7 0.7 0:03.62 dansguardian
10705 root 16 0 3168 980 680 S 0.7 0.1 0:07.03 top
54 root 15 0 0 0 0 S 0.3 0.0 0:27.63 kswapd0
4783 clamav 15 0 18516 7320 948 S 0.3 0.8 0:01.16 dansguardian
4790 clamav 15 0 18588 5900 912 S 0.3 0.7 0:01.59 dansguardian
5670 clamav 15 0 18556 4336 928 S 0.3 0.5 0:01.96 dansguardian
11503 root 17 0 3532 1000 688 R 0.3 0.1 0:03.70 top
1 root 16 0 3244 336 316 S 0.0 0.0 0:00.46 init
2 root 34 19 0 0 0 S 0.0 0.0 0:00.01 ksoftirqd/0
3 root 5 -10 0 0 0 S 0.0 0.0 0:00.04 events/0
4 root 5 -10 0 0 0 S 0.0 0.0 0:00.01 khelper
5 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 kthread
6 root 15 -10 0 0 0 S 0.0 0.0 0:00.00 kacpid
34 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 kblockd/0
[root@server ~]#
I noticed an unusual user logged in using the smtpd service and suspected that there may be a user/hacker that's broken into the system. I have no user registered under that name.
What procedures can I follow to find out:
1. If there is an unknown and unauthorized user.
2. How to block/remove him if possible.
3. Do I need more security options (IPcop)?
4. How to find out why the CPU usage is so high?
Thanks Regards John
-
I have sme7admin installed ...
I'd suggest you remove it, or at least stop it and disable it. It looks to me that it has a memory leak.
Swap: 1835000k total, 962444k used, 872556k free, 16392k cached
...
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
...
8650 root 16 0 1214m 647m 1596 D 5.3 73.3 1:07.23 sme7admind
You should report this problem with this contrib via the bug tracker.
-
Hi Charlie, can you clarify why you think sme7admin is the cause of the memory leak?
I use sme7admin a lot to monitor the server. I have had it installed on the server since new (2 years) without any problems.
It does show a high usage of swap since approximately a week ago, when the internet and server access became sluggish.
I have other contribs installed as well: awstats/gallery2/ZABBIX (hardly used)/DAR2.
Also, can you clarify in layman's terms what a memory leak is? (noobie)
-
Hi Charlie, can you clarify why you think sme7admin is the cause of the memory leak?
It's using 73% of the system memory, which is already 200% committed (via use of swap). The reason your system is so slow is because it is using so much swap, and the reason it is swapping is because sme7admind is using so much memory.
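The reasoning in the reply above (I/O wait dominating the CPU line, heavy swap use, one process holding most of resident memory) can be checked mechanically from a `top` snapshot. This is an added example, not part of the original thread; it assumes the older procps `top` layout shown in these posts, the names and thresholds (`triage`, `wa_limit`, `swap_limit`) are illustrative, and the sample input is a subset of lines copied from the first snapshot posted.

```python
import re

# Sample input: lines copied from the first top snapshot posted in this thread.
SNAPSHOT = """\
Cpu(s): 15.2% us, 4.0% sy, 0.0% ni, 0.0% id, 80.8% wa, 0.0% hi, 0.0% si
Mem: 905368k total, 895836k used, 9532k free, 2840k buffers
Swap: 1835000k total, 962444k used, 872556k free, 16392k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
5673 clamav 16 0 18572 5252 932 S 8.3 0.6 0:01.48 dansguardian
8650 root 16 0 1214m 647m 1596 D 5.3 73.3 1:07.23 sme7admind
4735 squid 15 0 21372 5504 1536 S 2.7 0.6 0:17.54 squid
54 root 15 0 0 0 0 S 0.3 0.0 0:27.63 kswapd0
"""

def to_kib(field):
    """Convert a top size field ('5252', '647m', '1.2g') to KiB."""
    units = {"k": 1, "m": 1024, "g": 1024 * 1024}
    suffix = field[-1].lower()
    if suffix in units:
        return int(float(field[:-1]) * units[suffix])
    return int(field)

def triage(snapshot, wa_limit=20.0, swap_limit=0.25):
    """Return iowait, swap use and the largest resident process."""
    wa = float(re.search(r"([\d.]+)% wa", snapshot).group(1))
    swap = re.search(r"Swap:\s+(\d+)k total,\s+(\d+)k used", snapshot)
    total, used = int(swap.group(1)), int(swap.group(2))
    procs, in_table = [], False
    for line in snapshot.splitlines():
        cols = line.split()
        if cols[:2] == ["PID", "USER"]:
            in_table = True          # process rows start after this header
        elif in_table and len(cols) >= 12:
            procs.append({"pid": int(cols[0]), "res_kib": to_kib(cols[5]),
                          "state": cols[7], "mem_pct": float(cols[9]),
                          "command": cols[11]})
    hog = max(procs, key=lambda p: p["res_kib"])
    swap_frac = used / total if total else 0.0
    return {"iowait": wa, "swap_used_frac": round(swap_frac, 2), "hog": hog,
            # High iowait together with heavy swap use means the machine is
            # thrashing on disk rather than being busy with real CPU work.
            "thrashing": wa > wa_limit and swap_frac > swap_limit}

if __name__ == "__main__":
    print(triage(SNAPSHOT))
```

On the first snapshot this points at `sme7admind` (state `D`, waiting on disk) as the process to investigate, which is a resource problem and not by itself evidence of an intrusion.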
-
Also, can you clarify in layman's terms what a memory leak is? (noobie)
Seriously?
http://bit.ly/x9Js6f
-
Thank you Charlie :-P - seriously, I'm that much of a noobie. I have googled the memory leak, but I like your explanation as it relates to my problem specifically; in most explanations there's always the disclaimer of "it may not necessarily be the software that is causing the problem..." Anyway, thanks for the link.
Update: I have removed the contrib sme7admin and the puppy has settled. Internet and server access is much quicker.
Here is the latest top output (no swap usage):
login as: root
root@192.168.0.254's password:
Last login: Tue Feb 14 08:55:54 2012 from 192.168.0.230
[root@server ~]# top
top - 12:09:32 up 45 min, 1 user, load average: 0.22, 0.07, 0.06
Tasks: 210 total, 1 running, 209 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.0% us, 0.3% sy, 0.0% ni, 99.3% id, 0.3% wa, 0.0% hi, 0.0% si
Mem: 905368k total, 850464k used, 54904k free, 38108k buffers
Swap: 1835000k total, 0k used, 1835000k free, 300908k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
7454 root 16 0 2992 1084 780 R 0.3 0.1 0:00.35 top
1 root 16 0 3332 620 532 S 0.0 0.1 0:00.45 init
2 root 34 19 0 0 0 S 0.0 0.0 0:00.00 ksoftirqd/0
3 root 5 -10 0 0 0 S 0.0 0.0 0:00.04 events/0
4 root 5 -10 0 0 0 S 0.0 0.0 0:00.01 khelper
5 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 kthread
6 root 15 -10 0 0 0 S 0.0 0.0 0:00.00 kacpid
34 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 kblockd/0
35 root 15 0 0 0 0 S 0.0 0.0 0:00.00 khubd
52 root 20 0 0 0 0 S 0.0 0.0 0:00.00 pdflush
53 root 15 0 0 0 0 S 0.0 0.0 0:00.05 pdflush
54 root 25 0 0 0 0 S 0.0 0.0 0:00.00 kswapd0
55 root 11 -10 0 0 0 S 0.0 0.0 0:00.00 aio/0
199 root 25 0 0 0 0 S 0.0 0.0 0:00.00 kseriod
430 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 ata/0
431 root 6 -10 0 0 0 S 0.0 0.0 0:00.00 ata_aux
433 root 15 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_0
I will attempt to post a bug on this and see what the cause/solution is. Thanks again Charlie. :)
-
ber
I will attempt to post a bug on this and see what the cause/solution is.
I think this is a commonly known issue with sme7admin. Search the forums & bugzilla back 2 or 3 or 4 years when the sme7admin contrib came out or was first being used on sme server.
IIRC a user can be too zealous with settings in sme7admin (eg scan & report frequency or something like that (I don't use it)) and create problems like those you have experienced. If it gets bad enough it can even cause your whole server to lock up.
Here are two examples of forum search result answers, but please search and read for yourself (search for sme7admin) as there are many many more:
http://forums.contribs.org/index.php/topic,37013.msg165290.html#msg165290
http://forums.contribs.org/index.php/topic,44388.msg213497.html#msg213497
-
I think this is a commonly known issue with sme7admin.
So where is the bug report? And the investigation trying to identify and fix the problem?
BTW, ber, please edit the subject of this thread - there is no evidence that your system has been hacked.
-
There are 14 bug reports against that contrib, none of them reporting a memory leak:
http://bugs.contribs.org/buglist.cgi?list_id=6088&resolution=---&query_format=advanced&component=smeserver-sme7admin&product=SME%20Contribs
Unfortunately, there is no sign that the contrib author is investigating and fixing the problems. Perhaps this contrib should be considered abandonware, and somebody else should take over its maintenance.
-
Thank you Charlie. I found this contrib very useful; it's a pity it's not being maintained. I've installed system monitor, which is an adequate replacement but doesn't provide the full service and PIC/Connections graphics. Thanks