How do I find out who is running tar as nobody using 99.9% of the CPU

Status
Not open for further replies.

farley99

MIS
Feb 12, 2003
413
US
How do I find out who is running tar as nobody using 99.9% of the CPU?

This has crashed my server 3 times already. It runs for hours at 99.9% and I can't find out who is running it because it runs as nobody.
 
Hi farley99,

Is there an account named "nobody" or what? If so, whom does it belong to?

Greetings

Smash your head on keyboard to continue...
 
It may be that /bin/tar got corrupted somehow. You may try to replace it or rename it to see what process complains about not finding it. Do your system logs tell you anything?
 
What's your setup ... are you running NFS (there is a default nobody account for NFS if I remember correctly ... that's why we never set up Apache with nobody as the User ... do we? ...)

do a netstat -a to see what/who is connected to your ftp port ... look for:
tcp 0 0 yourhost:ftp-data remoteIP:portNo ESTABLISHED

Good Luck.
Laurie.
 
I would check that it is really tar that is running. You may have a rogue program on your hands.

It is quite easy for a program to change its name as far as what you see in ps. That makes it easy for a malicious program to avoid detection because it looks like a regular system command. See what files the program has open (lsof is invaluable here). This may give you a clue as to who ran it (i.e. what is the cwd). You can also write a wrapper script for tar that records the command line parms, start time, cwd, terminal, etc. and then calls the real tar binary.
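
The wrapper idea from the last reply, sketched as an added example that is not part of the original thread. It assumes the real binary has been renamed to /bin/tar.real and this script installed as /bin/tar; that path and the syslog tag tar-wrapper are hypothetical.

```shell
#!/bin/sh
# Added example: audit wrapper installed in place of tar.
# Assumption: the real binary was moved to /bin/tar.real (hypothetical path).
REAL_TAR=${REAL_TAR:-/bin/tar.real}

# Build a single log line describing who invoked tar and from where.
# Runs in a subshell so its variables do not leak; $$ and $PPID still refer
# to the wrapper process and its parent.
tar_audit_record() (
    term=$(tty 2>/dev/null) || term=none
    parent=$(ps -o args= -p "$PPID" 2>/dev/null) || parent=unknown
    args=
    for a in "$@"; do args="$args [$a]"; done   # brackets keep spaces visible
    # tr flattens embedded newlines so one call is always one log line.
    printf 'time=%s user=%s uid=%s pid=%s ppid=%s tty=%s cwd=%s parent=[%s] args=%s' \
        "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$(id -un 2>/dev/null)" "$(id -u)" \
        "$$" "$PPID" "$term" "$PWD" "$parent" "$args" | tr '\n\r' '  '
)

# Log through syslog: "nobody" normally cannot write under /var/log but can
# reach the syslog socket. Never let a logging failure stop tar from running.
tar_audit_log() {
    logger -t tar-wrapper -p auth.notice "$(tar_audit_record "$@")" 2>/dev/null || :
}

# Act as the wrapper only when invoked under the name "tar"; under any other
# name the file just defines the functions above.
case ${0##*/} in
    tar)
        tar_audit_log "$@"
        exec "$REAL_TAR" "$@"   # exec keeps the same PID that was logged
        ;;
esac
```

If the CPU-bound "tar" keeps appearing in ps but nothing shows up under the tar-wrapper tag, the process never went through /bin/tar, which supports the renamed-program theory above. The logged ppid and parent command line point at the service or script that launched it.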
 