question about memory usage in linux
Gregory Hill
Gregory_Hill at tni.com
Tue Nov 22 09:34:17 MST 2005
I ran that script you sent and didn't notice anything out of the
ordinary. That site had a link to a rootkit detector as well, which
didn't find anything. Here's the requested output:
Free output:
             total       used       free     shared    buffers     cached
Mem:       1030956     979820      51136          0      97108     685876
-/+ buffers/cache:     196836     834120
Swap:      1052248      22664    1029584
Ps auxww output:
USER       PID %CPU %MEM   VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  1308   448 ?        S    Nov21   0:03 init
root         2  0.0  0.0     0     0 ?        SW   Nov21   0:00 [keventd]
root         3  0.0  0.0     0     0 ?        SW   Nov21   0:00 [kapmd]
root         4  0.0  0.0     0     0 ?        SWN  Nov21   0:01 [ksoftirqd_CPU0]
root         9  0.0  0.0     0     0 ?        SW   Nov21   0:00 [bdflush]
root         5  0.0  0.0     0     0 ?        SW   Nov21   0:00 [kswapd]
root         6  0.0  0.0     0     0 ?        SW   Nov21   0:00 [kscand/DMA]
root         7  0.0  0.0     0     0 ?        SW   Nov21   1:09 [kscand/Normal]
root         8  0.0  0.0     0     0 ?        SW   Nov21   0:28 [kscand/HighMem]
root        10  0.0  0.0     0     0 ?        SW   Nov21   0:00 [kupdated]
root        11  0.0  0.0     0     0 ?        SW   Nov21   0:00 [mdrecoveryd]
root        15  0.0  0.0     0     0 ?        SW   Nov21   0:01 [kjournald]
root       621  0.0  0.0     0     0 ?        SW   Nov21   0:00 [kjournald]
root       905  0.0  0.0  1372   508 ?        S    Nov21   0:00 syslogd -m 0
root       909  0.0  0.0  1304   360 ?        S    Nov21   0:00 klogd -x
root       959  0.0  0.0  3636   772 ?        S    Nov21   0:01 /usr/sbin/sshd
root       973  0.0  0.0  1972   740 ?        S    Nov21   0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
ntp        985  0.0  0.2  2324  2316 ?        SL   Nov21   0:00 ntpd -U ntp -g
root       991  0.0  0.0  3640    40 ?        S    Nov21   0:00 sbadm -f /etc/ssh/.sbadm_config
root      1010  0.0  0.0  6132   560 ?        S    Nov21   0:00 sendmail: accepting connections
smmsp     1019  0.0  0.0  5924   412 ?        S    Nov21   0:00 sendmail: Queue runner at 01:00:00 for /var/spool/clientmqueue
root      1029  0.0  0.0  1356   120 ?        S    Nov21   0:00 crond
root      1044  0.0  0.0  4332    20 ?        S    Nov21   0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/var/lib/mysql/server1.kathihill.com.pid
mysql     1079  5.7  2.2 35800 23012 ?        S    Nov21   1:27 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server1.kathihill.com.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
daemon    1109  0.0  0.0  1336   148 ?        S    Nov21   0:00 /usr/sbin/atd
root      1130  0.0  0.1  9292  1516 ?        S    Nov21   0:00 /usr/bin/perl /usr/local/webmin-1.240/miniserv.pl /etc/webmin/miniserv.conf
root      1133  0.0  0.0  1280    48 tty1     S    Nov21   0:00 /sbin/mingetty tty1
root      1134  0.0  0.0  1280    48 tty2     S    Nov21   0:00 /sbin/mingetty tty2
root      1135  0.0  0.0  1280    48 tty3     S    Nov21   0:00 /sbin/mingetty tty3
root      1136  0.0  0.0  1280    48 tty4     S    Nov21   0:00 /sbin/mingetty tty4
root      1137  0.0  0.0  1280    48 tty5     S    Nov21   0:00 /sbin/mingetty tty5
root      1138  0.0  0.0  1280    48 tty6     S    Nov21   0:00 /sbin/mingetty tty6
root     10973  0.0  1.6 22216 17140 ?        S    09:04   0:00 /usr/local/apache/bin/httpd
nobody   10974  0.0  2.3 28464 23976 ?        S    09:04   0:03 /usr/local/apache/bin/httpd
nobody   10975  0.0  2.1 26884 22428 ?        S    09:04   0:02 /usr/local/apache/bin/httpd
nobody   10978  0.0  2.2 28172 23672 ?        S    09:04   0:04 /usr/local/apache/bin/httpd
nobody   10985  0.0  2.2 27712 23252 ?        S    09:04   0:03 /usr/local/apache/bin/httpd
nobody   10990  0.0  2.3 29180 24656 ?        S    09:04   0:04 /usr/local/apache/bin/httpd
nobody   10995  0.1  2.3 28360 23916 ?        S    09:04   0:04 /usr/local/apache/bin/httpd
nobody   11019  0.0  2.1 26260 21788 ?        S    09:05   0:02 /usr/local/apache/bin/httpd
nobody   11020  0.1  2.4 29344 24880 ?        S    09:05   0:08 /usr/local/apache/bin/httpd
jimbob   11191  0.0  0.0  2780   768 ?        S    09:25   0:00 ./ventrilo_srv
root     13093  0.0  0.1  6712  1744 ?        S    10:19   0:00 sshd: jimbob [priv]
jimbob   13096  0.0  0.1  6752  1996 ?        S    10:19   0:00 sshd: jimbob at pts/0
jimbob   13097  0.0  0.1  4496  1424 pts/0    S    10:19   0:00 -bash
jimbob   13142  0.0  0.0  2572   708 pts/0    R    10:22   0:00 ps auxww
Greg
-----Original Message-----
From: plug-bounces at plug.org [mailto:plug-bounces at plug.org] On Behalf Of
Corey Edwards
Sent: Tuesday, November 22, 2005 9:15 AM
To: plug at plug.org
Subject: Re: question about memory usage in linux
On Tue, 2005-11-22 at 09:07 -0700, Gregory Hill wrote:
> Does anyone know why top would report active memory usage far above that
> used by the combination of all its processes? Even listing in threaded
> mode, the total of all processes memory usage adds up to several hundred
> megabytes less than the 'active' memory usage listed in the summary.
> It's a recent problem, but the memory and swap gets completely full,
> requiring a full reboot to fix. Killing mysql and apache (which are the
> only things using anything above 1% of memory) still leaves several
> hundred megabytes of 'active' memory usage. I tried using ps, but it
> doesn't show anything that wasn't listed by top. Is there a better tool
> to see what is using memory and what is not? It's possible that some
> mod_perl code has a memory leak, but usually the apache processes would
> reflect that. They don't. I'm completely stumped. Could it be failing
> RAM? Could someone have hacked the box and planted some super secret
> program that doesn't show up in ps or top (or even replaced them with
> alternate versions that don't show everything)?
Please send us the output of ps and free.
Generally I'd be pretty doubtful of a kernel memory leak. Have you taken
into account the aggressive file caching that Linux does? Just about
every scrap of available RAM will be used for file cache if nothing else
needs it.
If you're worried about a possible rootkit, you might check out listps.
It will evade user level rootkits.
http://csl.sublevel3.org/listps/
Corey
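
Added example (not part of the original thread, and not written by either poster): a small Python parser for the old-style `free` output posted above that separates memory held by programs from the buffers and file cache Corey mentions, and checks the result against the tool's own "-/+ buffers/cache" row. The function names are illustrative; the sample figures are the ones from this thread.

```python
import re

# The `free` output posted in this thread (values in KiB), old procps layout
# that still prints the "-/+ buffers/cache" line.
FREE_OUTPUT = """\
             total       used       free     shared    buffers     cached
Mem:       1030956     979820      51136          0      97108     685876
-/+ buffers/cache:     196836     834120
Swap:      1052248      22664    1029584
"""

MEM_FIELDS = ("total", "used", "free", "shared", "buffers", "cached")


def parse_free(text):
    """Return (mem, adjusted, swap) dicts parsed from old-style `free` output."""
    rows = {}
    for line in text.splitlines():
        nums = [int(n) for n in re.findall(r"\b\d+\b", line)]
        if line.startswith("Mem:"):
            rows["mem"] = dict(zip(MEM_FIELDS, nums))
        elif line.startswith("-/+"):
            rows["adj"] = dict(zip(("used", "free"), nums))
        elif line.startswith("Swap:"):
            rows["swap"] = dict(zip(("total", "used", "free"), nums))
    if len(rows.get("mem", {})) != len(MEM_FIELDS):
        raise ValueError("no complete 'Mem:' row found")
    return rows["mem"], rows.get("adj"), rows.get("swap")


def breakdown(mem):
    """Split 'used' into buffers/file cache and memory held by programs."""
    cache = mem["buffers"] + mem["cached"]
    return {
        "cache_kib": cache,
        "app_used_kib": mem["used"] - cache,
        "free_plus_cache_kib": mem["free"] + cache,
        "app_used_pct": round(100 * (mem["used"] - cache) / mem["total"], 1),
        "cache_pct": round(100 * cache / mem["total"], 1),
    }


def consistent(mem, adj):
    """True when the tool's own -/+ row matches the recomputed figures."""
    b = breakdown(mem)
    return adj == {"used": b["app_used_kib"], "free": b["free_plus_cache_kib"]}


if __name__ == "__main__":
    mem, adj, swap = parse_free(FREE_OUTPUT)
    print(breakdown(mem), "consistent:", consistent(mem, adj))
```

On the posted figures, most of the "used" memory is buffers and file cache rather than process memory, which is the effect Corey describes.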