Process troubleshooting - smbd

[RottenRonnie]

I'm a huge fan of the raspberrypi and have been using them for a number of years now, but I will be the first to admit that there are some processes that I don't understand in general.

I'd like to get some advice on how I can track down more information about a running process and perhaps what triggered it. I've noticed that smbd is running with 100% CPU and I'm trying to track down the root cause.

Code: Select all

PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
13636 pi        20   0  132212  25164  18156 R  94.1   0.3 503:25.52 smbd

HTOP shows a bit more information, owner is pi, command:

Code: Select all

/usr/sbin/smbd --foreground --no-process-group

Thank you in advance.

[thagrol]

smbd is the samba server daemon.

I'm unsure why it would be running like that though. Do you have an active large transfer going on?

[RottenRonnie]

I don't believe I have. I'm sitting at the office accessing headless via ssh at the moment.

[DougieLawson]

smbd is the samba server daemon.

I'm unsure why it would be running like that though. Do you have an active large transfer going on?

It's running as user `pi` as that's the user who is logged on from some remote station.

[hortimech]

I don't believe I have. I'm sitting at the office accessing headless via ssh at the moment.

Could that mean that you are in place 'A' and the pi is in place 'B' and you are connecting via the internet rather than a lan ?

If that is the case, you could have been hacked.

[thagrol]

smbd is the samba server daemon.

I'm unsure why it would be running like that though. Do you have an active large transfer going on?

It's running as user `pi` as that's the user who is logged on from some remote station.

Doh! Yes, I should have realised that.

[thagrol]

I don't believe I have. I'm sitting at the office accessing headless via ssh at the moment.

Could that mean that you are in place 'A' and the pi is in place 'B' and you are connecting via the internet rather than a lan ?

If that is the case, you could have been hacked.

Especially if the OP has exposed ssh to the internet while using the (old) default username and password.

[RottenRonnie]

I don't believe I have. I'm sitting at the office accessing headless via ssh at the moment.

Could that mean that you are in place 'A' and the pi is in place 'B' and you are connecting via the internet rather than a lan ?

If that is the case, you could have been hacked.

Especially if the OP has exposed ssh to the internet while using the (old) default username and password.

Guilty of using the pi user, but I changed the password to a complex one, use fail2ban and other limits in sshd_config such as AllowUsers and PAM = no, with ed25519 key exchange on a non standard port. /var/log/auth.log shows only accesses from two recognized external IPs. I would like to rule out hacked.

Is there a method for tracking down what started the process? To investigate the process itself?

The samba log config is bit of a rum go, as it logs by ip by default, and only a couple logs have content there. I tried setting it to log by share yesterday, but I don't think I succeeded and will revert the changes to the smb.conf.

Code: Select all

# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# log file = /var/log/samba/%S.log

Thank you.

[RottenRonnie]

It might have been an app on my iPhone which I connected via a samba share to my media library. I've deleted the app, and rebooted the pi to test my theory.

Cheers,

[RottenRonnie]

It might have been an app on my iPhone which I connected via a samba share to my media library. I've deleted the app, and rebooted the pi to test my theory.

Cheers,

A friend recommended Firecore Infuse app for iPhone which I installed and gave access to my samba share. The trouble there is the app would refresh at random intervals and cause the high CPU usage of the PI. I removed the app and it's no longer an issue. In future I may create a new samba user for situations like that, then I would be able to identify the process as belonging to user "xyz".

Thanks for your help.

"Nope, not hacked."