Solved

Process suddenly starts using lots of CPU

Posted on 2003-11-23
Last Modified: 2012-05-04
I have a java chat socket (nexusServer) running on my system. Under normal circumstances, it only uses few resources as it's just a socket passing on data to the actual IRC channel, not a full IRC application itself.

A couple of days ago, nexusServer suddenly started to go really heavily on the CPU (80-100%), and using "top" I could also see that the time running was climbing almost identical to real time (under normal use, it usually stays at 0:00 because the connection times are really short). I watched it for a bit, and after 1:30 hours finally killed the process. I waited a while, then restarted it, and again for about a minute it did the same thing (going heavy on the CPU) and then suddenly went back to normal.

I am assuming that someone was massively scanning the particular port, or that it was maybe even a DoS attack of some kind. Needless to say that I am somewhat concerned. I've only had the server for a couple of months, and although I am trying to learn, I am still far from being an expert. So is my assessment/guess correct that such a behavior can be triggered from the outside without security having been compromised? And I assume that whether or not such an event might LEAD to a security compromise basically relies on the program listening to that port (nexusServer in this case) and whether or not it has some security flaw (leading to a stack overflow or whatever) that the attacker can use to his advantage?

Or am I totally on the wrong track and what I have described can much more likely be caused by...?

Many thanks in advance!
Question by:yosmc
8 Comments
 
LVL 12

Expert Comment

by:paullamhkg
ID: 9808593
Not so sure whether it is hacking activity or the program has a leak. Anyway, have a look here for setting up a secure Linux: http://www.tldp.org/HOWTO/Security-HOWTO/index.html. At least you can protect your Linux box.
 

Author Comment

by:yosmc
ID: 9808808
Thanks for the link, Paul (actually that's one of the pages I used when I set up the server, but it's a good idea to check into it again). What about the leak theory? I'm currently leaning slightly into that direction, because the chat socket also showed above behavior after the last "regular" chat session. However, while I think I understand how a leak can eat up more and more RAM, I'm not quite sure how it can consume more and more CPU time. Any ideas?
 

Author Comment

by:yosmc
ID: 9850944
This problem is still haunting me. I am pretty sure by now that there is actually some sort of "leak" - essentially, when we have a scheduled chat, the CPU usage slowly rises but never goes back, even when the chat is over and everyone is gone.

I'm kinda lost here, because (as stated above) I can understand how a leak can consume your RAM, but not sure how this might work with CPU time. I'm not looking for the ultimate wisdom here - any hints and even guesses are welcome, whoever inspires me to find a solution will get the points.
 
LVL 3

Expert Comment

by:mac_
ID: 10204587
Does nexusServer really close the closed sockets after a while? (have a look at netstat -an)

Is there IP traffic on this port? (tcpdump)

At worst (and if it still haunts you), you can try to debug the program by running it in a debugger or profiler...
0
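Added example, not part of the original thread: the `netstat -an` check suggested above, written as a small shell filter that counts TCP states for one local port. A CLOSE_WAIT count that keeps growing means the remote side has closed and the server process has not closed its end. Port 7777, the addresses and the sample lines are constructed, and the column layout assumed is that of Linux net-tools `netstat`.

```shell
#!/bin/sh
# Summarise TCP connection states for one local port from `netstat -an` text.
# Reads netstat output on stdin, so it can be run on saved output as well.

# socket_states PORT -> prints "STATE COUNT" lines, sorted by state name
socket_states() {
    awk -v port="$1" '
        $1 ~ /^tcp/ {
            # Assumed columns: Proto Recv-Q Send-Q Local Foreign State
            n = split($4, a, /[:.]/)   # local address; the port is the last piece
            if (a[n] == port) count[$6]++
        }
        END { for (s in count) print s, count[s] }
    ' | sort
}

# close_wait_count PORT -> connections the peer closed but the server still holds
close_wait_count() {
    socket_states "$1" | awk '$1 == "CLOSE_WAIT" { c = $2 } END { print c + 0 }'
}

# Constructed sample input (documentation address ranges, placeholder port 7777)
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:7777            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:7777         198.51.100.4:51234      ESTABLISHED
tcp        1      0 192.0.2.10:7777         198.51.100.9:40112      CLOSE_WAIT
tcp        1      0 192.0.2.10:7777         198.51.100.9:40113      CLOSE_WAIT
tcp        0      0 192.0.2.10:22           203.0.113.7:60022       ESTABLISHED
tcp6       0      0 :::7777                 :::*                    LISTEN
EOF
}

# Demo on the sample; live use would be: netstat -an | socket_states 7777
sample_netstat | socket_states 7777
```

Running the live form at intervals during and after a chat session shows whether the per-state counts return to the idle baseline once everyone has left.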
 

Author Comment

by:yosmc
ID: 10262660
Thanks for the suggestions. It seems like I was finally able to solve the problem (knocking on wood), and the solution was quite interesting!

In the end, requiring a higher version of Flash from the user clients did the trick. Seems like the problem only occurred when someone connected to the chat who was running Flash 5 on his machine. Saving the client in Flash 6 and forcing everyone to upgrade obviously made the problem go away. A friend pointed me to this possibility - I had never thought of it! :)
 
LVL 12

Expert Comment

by:paullamhkg
ID: 10267272
Since you solved your problem yourself, please post a 0-point request to the EE admin here http://www.experts-exchange.com/Community_Support/ to request that it be closed and the points refunded :)
 
LVL 2

Accepted Solution

by:
Lunchy earned 0 total points
ID: 10299099
PAQed, with points refunded (500)

Lunchy
Friendly Neighbourhood Community Support Admin