rogue .sh processes

SOLVED
bobstar
Frequent Advisor

rogue .sh processes

hi ,

i am seeing a couple of .sh processes hogging up cpu (using top) - how do i find out what these are for?

note, this is not normal behaviour for this node

tia
Dennis Handly
Acclaimed Contributor

Re: rogue .sh processes

What does top and ps show?
$ UNIX95= ps -xHfp PID ...
Steven E. Protter
Exalted Contributor

Re: rogue .sh processes

Shalom,

Someone or something(cron, an application) is launching processes.

The top output or ps -ef | grep ... should provide you enough information to look at the script and see where it sits and what it's trying to do.

This is one of those investigative questions, you have to look at the source and try and figure out who, and why this is happening.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
bobstar
Frequent Advisor

Re: rogue .sh processes

top shows this, what is odd is the pts, none of my other processes are like this

0 pts/1 5838 user 237 20 2012K 172K run 9306:38 49.93 49.85 sh
0 pts/0 20200 user 237 20 2012K 160K run 13193:11 46.83 46.75 sh

ps shows this ;

$ps -xfp PID 5838
ps: wrong PID number PID
UID PID PPID C STIME TTY TIME COMMAND

bobstar
Frequent Advisor

Re: rogue .sh processes

hi

ps -ef | grep just comes back with what top shows

is there a way to interrogate the PID to see exactly (if anything) what's running it?
bobstar
Frequent Advisor

Re: rogue .sh processes

any advice?

here is some more info ;


$/usr/local/bin/lsof|grep 5838

sh 5838 user txt REG 64,0x8 204800 10161 /usr/bin/rsh
sh 5838 user mem REG 64,0x8 24576 4972 /usr/lib/libdld.2
sh 5838 user mem REG 64,0x8 1822720 5203 /usr/lib/libc.2
sh 5838 user mem REG 64,0x8 155648 118 /usr/lib/dld.sl
sh 5838 user 0u STR 157,0x1 0t5816 939 /dev/pts/1->ldterm->ptem->pts
sh 5838 user 1u STR 157,0x1 0t5816 939 /dev/pts/1->ldterm->ptem->pts
sh 5838 user 2u STR 157,0x1 0t5816 939 /dev/pts/1->ldterm->ptem->pts
Dennis Handly
Acclaimed Contributor

Re: rogue .sh processes

These are not .sh processes, these are shell
(sh) processes. Is there a child?

>is there a way to interrogate the PID to see exactly (if anything) whats running it

Dump all of "user"'s processes:
$ UNIX95= ps -xHfu user

If you're root, you can attach gdb and get a stack trace. Or use tusc and see what it is doing.

>$ps -xfp PID 5838

The idea was to replace PID by 5838. Followed by -p PID2 -p PID3 ...

And you need that UNIX95= before the ps.
bobstar
Frequent Advisor

Re: rogue .sh processes

thanks dennis

but neither of the commands give me much more than what i already have - PID PPID

what's the significance of the 255?


$UNIX95= ps -xHfp 5838
UID PID PPID C STIME TTY TIME CMD
user 5838 1 255 Mar 6 pts/1 6-11:33:14 -sh
Patrick Wallek
Honored Contributor
Solution

Re: rogue .sh processes

Your lsof shows that these appear to be restricted shell (/usr/bin/rsh) processes that logged in from somewhere.

Do you have any terminals anywhere?

What if you do a 'last -R user', where 'user' is the user that is logged in? If it were a remote login then it would show the host/IP of the source of the login.
Dennis Handly
Acclaimed Contributor

Re: rogue .sh processes

>but neither of the commands give me much more than what i already have

If you used the -xHfu user, you would see the whole process tree. But since the PPID is 1, that wouldn't help much. It would help to see if that sh process had a child:
$ UNIX95= ps -xHfu user | fgrep 5838

>whats the significance of the 255?

cpu Processor utilization for scheduling. The default heading for this column is C.

This says you have the lowest (worst) priority since you are in a loop.

$UNIX95= ps -xHfp 5838
UID PID PPID C STIME TTY TIME CMD
user 5838 1 255 Mar 6 pts/1 6-11:33:14 -sh

This says your parent (remshd?) has died. You should just kill the process because it isn't acting correctly when it got a SIGHUP?? I've seen this happen for some scripts when it gets disconnected.

>Patrick: Your lsof shows that these appear to be restricted shell (/usr/bin/rsh)

These are not rsh, just sh. I think lsof just stops when it finds any file with the right inode. Both rsh and sh are hardlinks.
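As an added illustration (not from the thread or any of its posters), a POSIX shell function that applies the diagnosis above to a `UNIX95= ps -xHfu user` style listing: it flags shells whose PPID is 1 (parent gone), that are still bound to a pts, and whose C column is saturated. The listing it runs over is constructed; the 200 threshold on C and the shell-name pattern are assumptions.

```shell
#!/bin/sh
# Flag orphaned interactive shells in a `ps -f` style listing read on stdin.
# A hit means: PPID 1, TTY is a pseudo-terminal, C (CPU utilisation for
# scheduling) is saturated, and the command is a login shell such as "-sh".
# Output: one "PID TTY C CMD" line per hit.
flag_orphaned_shells() {
    awk '
    NR == 1 && $1 == "UID" { next }        # skip the ps header line
    {
        tty = ""; cmd = ""
        # STIME is either "Mar 6" (two fields) or "10:02:11" (one field),
        # so find the TTY column by its shape, not by its position.
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^pts\// || $i ~ /^tty/ || $i == "?") {
                tty = $i; cmd = $(i + 2); break   # TIME sits between TTY and CMD
            }
        }
        if (tty == "") next
        # 200 is an assumed threshold; the thread shows the saturated value 255.
        if ($3 == 1 && tty ~ /^pts\// && $4 + 0 >= 200 && cmd ~ /^-?(rsh|ksh|sh)$/)
            print $2, tty, $4, cmd
    }'
}

# Constructed sample (not the thread's full output): two spinning shells
# with PPID 1, one healthy login shell, and one daemon that also has PPID 1.
SAMPLE='UID        PID  PPID  C    STIME TTY       TIME CMD
user      5838     1 255  Mar  6 pts/1  6-11:33:14 -sh
user     20200     1 255  Mar  6 pts/0  9-04:12:03 -sh
user      7120  7101   0 10:02:11 pts/2     0:00 -sh
root      1234     1   0  Mar  1 ?         0:12 /usr/sbin/cron'

printf '%s\n' "$SAMPLE" | flag_orphaned_shells
```

Pipe a live `UNIX95= ps -xHfu user` listing into the function to get the candidate PIDs to examine (with ps -H, tusc or gdb) before deciding to kill them.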
bobstar
Frequent Advisor

Re: rogue .sh processes

hi

i resolved the issue by killing the processes

thanks