this post was submitted on 04 Nov 2023
44 points (76.8% liked)

Linux

48141 readers
492 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

I am sorry this the only screenshot i have, my laptop fan suddenly started up and wouldnt stop for like an hour so i opened sytem monitor and this was taking 25% cpu usage

all 29 comments
sorted by: hot top controversial new old
[–] [email protected] 48 points 1 year ago* (last edited 1 year ago) (1 children)

more is a legitimate program (it reads a file and writes it out one page at a time), if it is the real more. It is a memory hog in that (unlike the more advanced pager less) it reads the entire file into memory.

I did an experiment to see if I could get the real more to show similar fds to you. I piped yes "" | head -n10000 >/tmp/test, then ran more < /tmp/test 2>/dev/null. Then I ran ls -l /proc/`pidof more`/fd.

Results:

lr-x------ 1 andrew andrew 64 Nov  5 14:56 0 -> /tmp/test
lrwx------ 1 andrew andrew 64 Nov  5 14:56 1 -> /dev/pts/2
l-wx------ 1 andrew andrew 64 Nov  5 14:56 2 -> /dev/null
lrwx------ 1 andrew andrew 64 Nov  5 14:56 3 -> 'anon_inode:[signalfd]'

I think this suggests your open files are probably consistent with the real more when errors are piped to /dev/null. Most likely, you were running something that called more to output something to you (or someone else logged in on a PTY) that had been written to /tmp/RG3tBlTNF8. Next time, you could find the parent of the more process, or look up what else is attached to the same PTS with the fuser command.

[–] [email protected] 10 points 1 year ago

Thank you after reading the comments i am relieved: I had saved a 3 page fully worded .odt as as .fodt and opened it with a text editor; but then again all the files had been closed and i deleted the file in question a at least 30 mins before i noticed the process; regardless thank you

[–] [email protected] 11 points 1 year ago* (last edited 1 year ago) (2 children)

~~Uhm, so what's the name of the binary? This is just a list of open files.~~ I missed that it's "more"...

[–] [email protected] 3 points 1 year ago (2 children)

Dude thinks 'more' is a virus.

[–] [email protected] 36 points 1 year ago* (last edited 1 year ago) (1 children)

A process can change its name. If I wanted to make sneaky malware for Linux, I'd have it call itself more or something innocuous too.

The correct answer is "this is not enough information". Why should a real more process eat ¼ of a core for any substantial amount of time?

[–] [email protected] 1 points 1 year ago (2 children)

is there like a competent antivirus i could use: the system is freshly installed and i havent used any shady software; everything from the repo and a hash checked tor browser(I didnt visit any shady site just clearnet browsing)

[–] [email protected] 11 points 1 year ago* (last edited 1 year ago)

Then it's probably just more. Again: your post did not contain enough information for anyone to provide an answer to your question.

Antivirus doesn't do what it promises. The only general solution for a compromised system is a clean reinstall. (This is true in Windows too.)

[–] [email protected] 2 points 1 year ago

is there like a competent antivirus i could use: the system is freshly installed and i havent used any shady software;

There are several antivirus solutions for Linux, but you shouldn't need them if you do not execute stuff you downloaded outside of your package manager. The maintainers of your distribution are supposed to check if their packages contain viruses.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

Ooh, how'd I miss that..?

[–] [email protected] 1 points 1 year ago (2 children)

Sorry i was panickin and killed the process this the only screen shot i have

[–] [email protected] 10 points 1 year ago

If it's a virus presumably it will return. Keep an eye (or ear) on your fan, especially after a restart.

[–] [email protected] 4 points 1 year ago (1 children)

Id recommend you install "top" (I know nix funny names) and if run it, will show processes sortable by resource. But I think you are fine.

[–] [email protected] 14 points 1 year ago* (last edited 1 year ago) (1 children)

htop and/or btop are more modern user friendly alternatives to the classic top

[–] [email protected] 5 points 1 year ago (2 children)

Ooh, I'd heard of htop but btop is new to me!

[–] [email protected] 7 points 1 year ago

Actually just saw btop mentioned on Lemmy the other day lol

[–] [email protected] 10 points 1 year ago* (last edited 1 year ago)

Yeah, next time don't panic. Use ps and pstree and fuser (or the programs you like) to first find out the executable filename with full path and which program started it. Then you can kill it and you'll have some info to start debugging things.

[–] [email protected] 6 points 1 year ago

Check it in VirusTotal

[–] [email protected] 4 points 1 year ago (1 children)

Maybe? It could be numerous things. Are you using containers? Did an update or upgrade fail? Did you install and or patch something? Anything in sys logs giving off ERR or WARN? What’s your system and distro? What was the last few things you did before this popped?

[–] [email protected] 2 points 1 year ago (1 children)

Fedora 38. nothing installed

[–] [email protected] 1 points 1 year ago

What about the other questions?

[–] [email protected] 0 points 1 year ago