Mysterious '-sh' process stealing 60% of CPU. (See comparison screenshot)

[EricNelson]

The screenshot shows two almost identical controllers. I wasn't able to connect to the 192.168.135.26 controller through composer, but I could connect through putty, and I found that 90% of the CPU was being taken up by the Director and two '-sh' commands. 

Does anyone have an idea of what would cause this? Or what the -sh means?

These are both HC250s with approximately the same amount of switches, contact sensors, and motion sensors connected. 

Thanks!

Eric

[pstuart]

Is either port forwarded?  Has the root password changed?  Does it persist after reboot?

[EricNelson]

Excuse my ignorance, Is the port forwarding something that would be done on the router that it's connected to? Or something from the controller? I didn't set up the network, but it is possible that someone configured port forwarding on a router. 

The root password is still t0talc0ntr0l4!

I've rebooted this device more than 10 times and also tried 'sysman restart'. It rarely shows up in the composer controller list, is never able to connect, and has the same CPU usage

Thanks!

 

 

[rosenqui]

On Unix/Linux that normally means it's a login shell, i.e., a /bin/sh process running interactively. The shell changes its behaviour a bit when run interactively vs. executing a script. It only reads ~/.profile or ~/.login when interactive for example.

 

Try running "ps -ef" and see what tty those processes are using. You can use "last" or "who" to see what the system reports for interactive sessions.

 

On Linux you can get a lot of good info by looking around in /proc/<pid>, so /proc/8968 in the case of your screenshot.

[EricNelson]

So if the -sh is a login shell, why would 192.168.135.26 have two of them running at 30%? And the other controller (despite being logged into) not have the -sh process?

 

running ps -ef :
~# ps -ef 

  PID USER       VSZ STAT COMMAND

    1 root      2000 S    init

    2 root         0 SW   [kthreadd]

    3 root         0 SW   [ksoftirqd/0]

    4 root         0 SW   [watchdog/0]

    5 root         0 SW   [events/0]

    6 root         0 SW   [khelper]

   10 root         0 SW   [async/mgr]

  138 root         0 SW   [sync_supers]

  140 root         0 SW   [bdi-default]

  142 root         0 SW   [kblockd/0]

  151 root         0 SW   [omap2_mcspi]

  162 root         0 SW   [ksuspend_usbd]

  166 root         0 SW   [khubd]

  175 root         0 SW   [twl4030-irqchip]

  176 root         0 SW   [twl4030-irq]

  208 root         0 SW   [kmmcd]

  226 root         0 SW   [musb_hdrc]

  234 root         0 SW   [khungtaskd]

  235 root         0 SW   [kswapd0]

  236 root         0 SW   [aio/0]

  237 root         0 SW<  [kslowd000]

  238 root         0 SW<  [kslowd001]

  239 root         0 SW   [crypto/0]

  245 root         0 SW   [crypto]

  246 root         0 SW   [crypto_ret]

  247 root         0 SW   [dsi]

  453 root         0 SW   [mtdblockd]

  536 root         0 SW   [usbhid_resumer]

  562 root         0 SW   [mmcqd]

  584 root         0 SWN  [jffs2_gcd_mtd4]

  589 root         0 SWN  [jffs2_gcd_mtd10]

  683 root         0 SW   [jbd2/mmcblk0p1-]

  684 root         0 SW   [ext4-dio-unwrit]

  688 root         0 SW   [jbd2/mmcblk0p2-]

  689 root         0 SW   [ext4-dio-unwrit]

 1059 root         0 SW   [tps2533_work/0]

 1097 root      1528 S    /control4/bin/watchdogd

 1406 root      1764 S    /usr/sbin/atftpd --daemon --user root root /control4/

 1519 root      2000 S    /bin/sh /control4/bin/sysmand-wrapper

 1520 root      2000 S    init

 1529 root      6448 S    /control4/bin/sysmand --from-init

 1574 root      2000 S    /bin/sh /control4/bin/net-watchdog

 1689 root     25564 S    upmand

 1757 root     44548 S    /sbin/syslogd -x -i /var/run/syslogd.pid

 1831 root      2444 S    /usr/sbin/dropbear -P /var/run/dropbear.pid

 1832 root      2004 S    -sh

 1969 root      1868 S    sleep 20

 1970 root      2004 R    ps -ef

 8968 root      2004 R    -sh

28953 root      2004 R    -sh

29012 root      2000 S    crond

29018 root      1984 S    lighttpd -f /etc/lighttpd.conf -m /lib/lighttpd

29019 root      8508 S    c4server

29020 root      8716 S    /control4/bin/c4perfd

29034 root     13180 S <  audioserver

29035 root     11260 S    ioserver

29036 root      3020 S    /control4/bin/sddpd

29045 root      8756 S    netusbserver

29051 root      3472 S    /usr/sbin/nmbd -D

29063 root      5908 S    /usr/sbin/smbd -D

29073 root      8828 S    upslaved

29080 root      5908 S    /usr/sbin/smbd -D

29097 root     22648 S    /control4/bin/rhapServer

29103 root     11092 S    zap -d

29113 root      5600 S    /usr/sbin/snmpd -c /etc/snmp/snmpd.conf.local -Ln -p

29119 root     47240 S    zserver2 -d

29121 root     11096 S    driverwizd

29161 root     37420 S N  /control4/bin/c4lookup

29338 root      109m R    director

29390 root      6448 S    /control4/bin/sysmand --from-init

29461 root      3068 S    /usr/sbin/ntpd -g -p /var/run/ntpd.pid

29498 root      3068 S    /usr/sbin/ntpd -g -p /var/run/ntpd.pid

29787 root      2212 S    /usr/sbin/dropbear -P /var/run/dropbear.pid

~#

 

running "/proc/8968" returns:        -sh: /proc/8968: Permission denied



 

[rosenqui]

Don't try to run /proc/8968, it's the root directory of a virtual file system that gives you a bunch of info about PID 8968. Run "ls -l /proc/8968" and you'll see folders like "fd" which shows you all of the open file descriptors, /proc/8968/net/tcp which you can read (via "cat /proc/8968/net/tcp") to see PID 8968's current TCP connections, etc.

 

More info on goodies found under /proc is here: http://www.tldp.org/LDP/Linux-Filesystem-Hierarchy/html/proc.html

 

The shell could be running a script that's looping, or it could be stuck trying to clean up a disconnected ssh connection.

 

Running "cat -v /proc/8968/cmdline" might tell you a bit more, but most likely you'll just see "-sh^@"

[EricNelson]

Running   "ls -l /proc/8968" :
 

~# ls -l /proc/8968

-r--------    1 root     root            0 Sep 20 23:52 auxv

--w-------    1 root     root            0 Sep 20 23:52 clear_refs

-r--r--r--    1 root     root            0 Sep 12 01:34 cmdline

-rw-r--r--    1 root     root            0 Sep 20 23:52 comm

-rw-r--r--    1 root     root            0 Sep 20 23:52 coredump_filter

lrwxrwxrwx    1 root     root            0 Sep 20 23:52 cwd -> /

-r--------    1 root     root            0 Sep 20 23:52 environ

lrwxrwxrwx    1 root     root            0 Sep 12 01:34 exe -> /bin/busybox

dr-x------    2 root     root            0 Sep 12 01:31 fd

dr-x------    2 root     root            0 Sep 20 23:52 fdinfo

-r--------    1 root     root            0 Sep 20 23:52 limits

-r--r--r--    1 root     root            0 Sep 20 23:52 maps

-rw-------    1 root     root            0 Sep 20 23:52 mem

-r--r--r--    1 root     root            0 Sep 20 23:52 mountinfo

-r--r--r--    1 root     root            0 Sep 20 23:52 mounts

-r--------    1 root     root            0 Sep 20 23:52 mountstats

dr-xr-xr-x    3 root     root            0 Sep 20 23:52 net

-rw-r--r--    1 root     root            0 Sep 20 23:52 oom_adj

-r--r--r--    1 root     root            0 Sep 20 23:52 oom_score

-r--------    1 root     root            0 Sep 20 23:52 pagemap

-r--------    1 root     root            0 Sep 20 23:52 personality

lrwxrwxrwx    1 root     root            0 Sep 20 23:52 root -> /

-r--r--r--    1 root     root            0 Sep 20 23:52 smaps

-r--r--r--    1 root     root            0 Sep 12 01:34 stat

-r--r--r--    1 root     root            0 Sep 20 23:52 statm

-r--r--r--    1 root     root            0 Sep 20 23:52 status

dr-xr-xr-x    3 root     root            0 Sep 20 23:52 task

-r--r--r--    1 root     root            0 Sep 20 23:52 wchan

~#

So September 20th was a bad day for this controller haha? Also September 12th is my birthday, am I being haunted by C4 Demons? Daemons?

But seriously all of this information is cool to see. But how would I identify a script that is looping? How would I stop it?

Thanks!

ps: Running "cat -v /proc/8968/cmdline" gave me -sh^@ (or similar)

[EricNelson]

I fixed my problem by killing everything that got in my way. 

I ran:

'kill -sigkill 8968'   

'kill -sigkill 28953'

 

...for the '-sh' and then finally for the director with a pid of 29338

 

'kill -sigkill 29338'

Eventually the director restarted (the -sh process didn't restart) and then the controller appeared on the composer list normally, and now everything works. 

Thanks for the help everyone!





 

[msgreenf]

I would recommend not sshing into the controller and killing process if you don't know what you are doing

Sent from my XT1060 using Tapatalk