question about memory usage in linux

Gregory Hill Gregory_Hill at tni.com
Tue Nov 22 09:34:17 MST 2005


I ran that script you sent and didn't notice anything out of the
ordinary.  That site had a link to a rootkit detector as well, which
didn't find anything.  Here's the requested output:

Free output:
             total       used       free     shared    buffers     cached
Mem:       1030956     979820      51136          0      97108     685876
-/+ buffers/cache:     196836     834120
Swap:      1052248      22664    1029584

Ps auxww output:
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  1308  448 ?        S    Nov21   0:03 init
root         2  0.0  0.0     0    0 ?        SW   Nov21   0:00 [keventd]
root         3  0.0  0.0     0    0 ?        SW   Nov21   0:00 [kapmd]
root         4  0.0  0.0     0    0 ?        SWN  Nov21   0:01 [ksoftirqd_CPU0]
root         9  0.0  0.0     0    0 ?        SW   Nov21   0:00 [bdflush]
root         5  0.0  0.0     0    0 ?        SW   Nov21   0:00 [kswapd]
root         6  0.0  0.0     0    0 ?        SW   Nov21   0:00 [kscand/DMA]
root         7  0.0  0.0     0    0 ?        SW   Nov21   1:09 [kscand/Normal]
root         8  0.0  0.0     0    0 ?        SW   Nov21   0:28 [kscand/HighMem]
root        10  0.0  0.0     0    0 ?        SW   Nov21   0:00 [kupdated]
root        11  0.0  0.0     0    0 ?        SW   Nov21   0:00 [mdrecoveryd]
root        15  0.0  0.0     0    0 ?        SW   Nov21   0:01 [kjournald]
root       621  0.0  0.0     0    0 ?        SW   Nov21   0:00 [kjournald]
root       905  0.0  0.0  1372  508 ?        S    Nov21   0:00 syslogd -m 0
root       909  0.0  0.0  1304  360 ?        S    Nov21   0:00 klogd -x
root       959  0.0  0.0  3636  772 ?        S    Nov21   0:01 /usr/sbin/sshd
root       973  0.0  0.0  1972  740 ?        S    Nov21   0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
ntp        985  0.0  0.2  2324 2316 ?        SL   Nov21   0:00 ntpd -U ntp -g
root       991  0.0  0.0  3640   40 ?        S    Nov21   0:00 sbadm -f /etc/ssh/.sbadm_config
root      1010  0.0  0.0  6132  560 ?        S    Nov21   0:00 sendmail: accepting connections
smmsp     1019  0.0  0.0  5924  412 ?        S    Nov21   0:00 sendmail: Queue runner at 01:00:00 for /var/spool/clientmqueue
root      1029  0.0  0.0  1356  120 ?        S    Nov21   0:00 crond
root      1044  0.0  0.0  4332   20 ?        S    Nov21   0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/var/lib/mysql/server1.kathihill.com.pid
mysql     1079  5.7  2.2 35800 23012 ?       S    Nov21   1:27 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server1.kathihill.com.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
daemon    1109  0.0  0.0  1336  148 ?        S    Nov21   0:00 /usr/sbin/atd
root      1130  0.0  0.1  9292 1516 ?        S    Nov21   0:00 /usr/bin/perl /usr/local/webmin-1.240/miniserv.pl /etc/webmin/miniserv.conf
root      1133  0.0  0.0  1280   48 tty1     S    Nov21   0:00 /sbin/mingetty tty1
root      1134  0.0  0.0  1280   48 tty2     S    Nov21   0:00 /sbin/mingetty tty2
root      1135  0.0  0.0  1280   48 tty3     S    Nov21   0:00 /sbin/mingetty tty3
root      1136  0.0  0.0  1280   48 tty4     S    Nov21   0:00 /sbin/mingetty tty4
root      1137  0.0  0.0  1280   48 tty5     S    Nov21   0:00 /sbin/mingetty tty5
root      1138  0.0  0.0  1280   48 tty6     S    Nov21   0:00 /sbin/mingetty tty6
root     10973  0.0  1.6 22216 17140 ?       S    09:04   0:00 /usr/local/apache/bin/httpd
nobody   10974  0.0  2.3 28464 23976 ?       S    09:04   0:03 /usr/local/apache/bin/httpd
nobody   10975  0.0  2.1 26884 22428 ?       S    09:04   0:02 /usr/local/apache/bin/httpd
nobody   10978  0.0  2.2 28172 23672 ?       S    09:04   0:04 /usr/local/apache/bin/httpd
nobody   10985  0.0  2.2 27712 23252 ?       S    09:04   0:03 /usr/local/apache/bin/httpd
nobody   10990  0.0  2.3 29180 24656 ?       S    09:04   0:04 /usr/local/apache/bin/httpd
nobody   10995  0.1  2.3 28360 23916 ?       S    09:04   0:04 /usr/local/apache/bin/httpd
nobody   11019  0.0  2.1 26260 21788 ?       S    09:05   0:02 /usr/local/apache/bin/httpd
nobody   11020  0.1  2.4 29344 24880 ?       S    09:05   0:08 /usr/local/apache/bin/httpd
jimbob   11191  0.0  0.0  2780  768 ?        S    09:25   0:00 ./ventrilo_srv
root     13093  0.0  0.1  6712 1744 ?        S    10:19   0:00 sshd: jimbob [priv]
jimbob   13096  0.0  0.1  6752 1996 ?        S    10:19   0:00 sshd: jimbob@pts/0
jimbob   13097  0.0  0.1  4496 1424 pts/0    S    10:19   0:00 -bash
jimbob   13142  0.0  0.0  2572  708 pts/0    R    10:22   0:00 ps auxww


Greg

-----Original Message-----
From: plug-bounces at plug.org [mailto:plug-bounces at plug.org] On Behalf Of Corey Edwards
Sent: Tuesday, November 22, 2005 9:15 AM
To: plug at plug.org
Subject: Re: question about memory usage in linux

On Tue, 2005-11-22 at 09:07 -0700, Gregory Hill wrote:
> Does anyone know why top would report active memory usage far above that
> used by the combination of all its processes?  Even listing in threaded
> mode, the total of all processes' memory usage adds up to several hundred
> megabytes less than the 'active' memory usage listed in the summary.
> It's a recent problem, but the memory and swap get completely full,
> requiring a full reboot to fix.  Killing mysql and apache (which are the
> only things using anything above 1% of memory) still leaves several
> hundred megabytes of 'active' memory usage.  I tried using ps, but it
> doesn't show anything that wasn't listed by top.  Is there a better tool
> to see what is using memory and what is not?  It's possible that some
> mod_perl code has a memory leak, but usually the apache processes would
> reflect that.  They don't.  I'm completely stumped.  Could it be failing
> RAM?  Could someone have hacked the box and planted some super secret
> program that doesn't show up in ps or top (or even replaced them with
> alternate versions that don't show everything)?

Please send us the output of ps and free.

Generally I'd be pretty doubtful of a kernel memory leak. Have you taken
into account the aggressive file caching that Linux does? Just about
every scrap of available RAM will be used for file cache if nothing else
needs it.

If you're worried about a possible rootkit, you might check out listps.
It will evade user level rootkits.

        http://csl.sublevel3.org/listps/

Corey
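
The check discussed in this thread (are there processes that ps does not show?), as an added example that is not part of the original messages and is not the listps tool's code: it probes every PID through /proc/<pid>/status rather than trusting the ps binary or a /proc directory listing, and reports PIDs that exist but are missing from ps. The function names and the sample ps text are assumptions made for the example.

```python
import subprocess

# Constructed sample in `ps auxww` layout, including one mail-wrapped line.
SAMPLE_PS = """\
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  1308  448 ?        S    Nov21   0:03 init
root       959  0.0  0.0  3636  772 ?        S    Nov21   0:01 /usr/sbin/sshd
root       905  0.0  0.0  1372  508 ?        S    Nov21   0:00 syslogd
-m 0
"""

def pids_from_ps(ps_text):
    """PIDs from ps output; the header and wrapped continuation lines are skipped."""
    pids = set()
    for line in ps_text.splitlines():
        fields = line.split()
        if len(fields) >= 11 and fields[1].isdigit():  # ps aux rows have 11 columns
            pids.add(int(fields[1]))
    return pids

def is_process(pid, proc="/proc"):
    """True if <proc>/<pid> is a process; thread IDs (Tgid != pid) are rejected."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            tgid = [l.split()[1] for l in fh if l.startswith("Tgid:")]
        return bool(tgid) and int(tgid[0]) == pid
    except (OSError, ValueError, IndexError):
        return False

def probe_pids(max_pid, exists=is_process):
    """Test every PID directly instead of trusting a /proc directory listing."""
    return {pid for pid in range(1, max_pid + 1) if exists(pid)}

def hidden_pids(probed, *ps_snapshots):
    """PIDs that exist but appear in none of the ps snapshots."""
    listed = set().union(*(pids_from_ps(s) for s in ps_snapshots))
    return sorted(probed - listed)

def live_check():
    """Linux only: ps is sampled before and after the probe to cut race noise."""
    def ps():
        return subprocess.run(["ps", "auxww"], capture_output=True, text=True).stdout
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    before = ps()
    probed = probe_pids(max_pid)
    return hidden_pids(probed, before, ps())

if __name__ == "__main__":
    print("exists but not in ps:", live_check())
```

A PID reported by a single run can still be a process that started and exited between the two ps samples, so repeat the run before treating a result as a finding.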



