[CentOS] Load Average ~0.40 when idle

Mon Jul 21 12:06:54 UTC 2008
William Warren <hescominsoon at emmanuelcomputerconsulting.com>

The issue occurs even on a live CD, so the machine's software load isn't 
suspect.  It's the NICs.

Lorenzo Martínez Rodríguez wrote:
> William Warren wrote:
>> post it on the centos bug tracker to start..:)
>>
>> listmail wrote:
>>> On Sat, 19 Jul 2008 21:56:45 -0700, John R Pierce wrote
>>>> Stephen John Smoogen wrote:
>>>>> On Sat, Jul 19, 2008 at 2:48 PM, listmail <listmail at entertech.com> 
>>>>> wrote:
>>>>>  
>>>>>> I am running CentOS 5 on a dual-dual-core Intel machine, and I am 
>>>>>> seeing
>>>>>> a load average of between 0.35 and 0.50 while the machine is idle, 
>>>>>> i.e.
>>>>>> no processes appear to be running.
>>>>> Download the livecd and boot using it. See if the load average still
>>>>> occurs. Check to see if you have any traffic occurring on the network
>>>>> from the system. [I had a box that was kernel trojaned that had a load
>>>>> average all the time when it was on the wire and did not when it
>>>>> didn't. The kernel trojan was looking for a particular bit of traffic
>>>>> that would open up its backdoor to.]
>>>>>
>>>> It's been ages since I've had to do this, but in years past, rkhunter 
>>>> was really good at finding rootkits like this.   Worst case, you put 
>>>> it on a live CD and run it from there.
>>>>
>>> OK, I downloaded the CentOS 5.2 Live CD and booted from it. To eliminate
>>> load from the GUI, I forced the system into runlevel 3 and ran top.
>>> I see the same problem; the load average sits at about 0.40 
>>> continuously.
>>> This is with the ethernet drivers running, and it does not matter if the
>>> network cables are plugged in or not.
>>>
>>> In my mind, that pretty much eliminates the possibility of a rootkit, 
>>> unless
>>> one was delivered with the Live CD. :-)  So it looks like this is a bug
>>> in either the Intel GLAN driver, or some other kernel timing issue. 
>>> If anyone
>>> can suggest where this bug should be reported and is likely to be 
>>> addressed,
>>> please let me know. I don't know myself who would be the correct 
>>> party to
>>> notify.
>>>
>>> Thanks to everyone who responded and helped me track this one down. 
>>> I'm not
>>> sure if I should roll back to CentOS 5.0, or just try to live with this 
>>> bug
>>> until the maintainers address it, but at least I have some idea of 
>>> what's
>>> wrong.
>>>
>>> Thanks,
>>> --Bill
>>>
>>
> Hello,
> 
> To try to find out if you have hidden processes, I suggest you try 
> this: http://www.security-projects.com/?Unhide
> 
> I have cronned it every night in my server.
> 
> It works really well. rkhunter is a very good tool too.
> 
> Try both and let us know.
> 
> Another issue: What is the purpose of the machine? Is it a web server? 
> Mail server? DNS server? Check that /etc/resolv.conf has the right 
> information and check the routes to get access to different networks 
> too. If the machine's processor is idle but the machine load is high, it 
> could be because the process queue is very big, while the machine's 
> processors may not be so overloaded.
> 
> 
> Regards,
> 

-- 
Registered Microsoft Partner

My "Foundation" verse:
Isa 54:17
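
Added example, not part of the original thread: on Linux the load average counts tasks that are runnable (state R) or in uninterruptible sleep (state D), so a nonzero load with idle CPUs can be narrowed down by listing exactly those tasks from /proc. The sample stat lines and process names below are constructed for illustration.

```python
#!/usr/bin/env python3
"""Show which tasks are feeding the Linux load average (states R and D)."""
import os

# Constructed /proc/<pid>/stat lines, truncated after the first few fields.
SAMPLE_STAT = [
    "1 (init) S 0 1 1 0",
    "312 (blocked-io) D 2 0 0 0",
    "2790 (my daemon (v2)) R 1 2790 2790 0",
    "2801 (sshd) S 1 2801 2801 0",
]

def parse_stat(line):
    """Return (id, comm, state) from one stat line.

    comm can contain spaces and ')', so split on the LAST ')'.
    """
    head, _, tail = line.rpartition(")")
    pid, _, comm = head.partition(" (")
    return int(pid), comm, tail.split()[0]

def load_contributors(stat_lines):
    """Keep tasks that are runnable (R) or in uninterruptible sleep (D)."""
    tasks = (parse_stat(line) for line in stat_lines)
    return [t for t in tasks if t[2] in ("R", "D")]

def live_stat_lines(proc="/proc"):
    """Read the stat line of every thread of every process under /proc."""
    lines = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        task_dir = os.path.join(proc, pid, "task")
        try:
            for tid in os.listdir(task_dir):
                with open(os.path.join(task_dir, tid, "stat")) as fh:
                    lines.append(fh.read())
        except OSError:  # task exited while we were reading
            continue
    return lines

if __name__ == "__main__":
    with open("/proc/loadavg") as fh:
        print("loadavg:", fh.read().strip())
    # The id printed is the thread id taken from each stat line.
    for tid, comm, state in load_contributors(live_stat_lines()):
        print(f"{state} {tid:>7} {comm}")
```

Run it several times in a row: a kernel thread that keeps showing up in state D on an otherwise idle box points at a driver, and the script's own thread will always appear once in state R.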