Phantom Disk Usage - 20 gigs gone overnight, comes back half an hour after disconnecting from the in

Discussion in 'Apple' started by jg, Jul 24, 2007.

  1. jg Guest

    I have a problem that leads me to believe that I may have been hacked;
    and honestly, I'm clueless when it comes to security auditing.

    The problem:

    I spent the night at my girlfriend's with my Macbook Pro (running OS X
    10.4.1) connected straight to her ADSL modem (no intervening router).
    Additionally, without my realizing it the airport had decided to connect
    to some random open WAP. When I woke in the morning to my iTunes alarm
    scheduled with iCal I was presented with a message saying that iTunes
    could not save its library as there was no more disk space available.
    When I went to sleep I had had 20 gigs free and was running no
    applications that I was aware of. Realizing how vulnerable my
    connection potentially was I immediately pulled the plug on the wired
    internet, and turned off my airport to isolate the machine.

    I should note here that I had more than a few services running and
    passing through my firewall, including Personal File Sharing, Windows
    Sharing, Personal Web Sharing, Remote Login, FTP Access, and Printer
    Sharing. I also had a few random ports open for other specific
    programs. I've since shut down every service and completely closed my

    After I had isolated the machine I opened up activity monitor and
    noticed that my CPU is thrashing at 99% and still is an hour later. The
    primary culprits are:

    Application CPU%
    NortonAutoProtect 70%
    WindowServer 46%
    lookupd 46%
    mds 23%
    kernel_task 7.8%

    As that adds up to 192% I imagine I have 200% available due to my dual
    core. I'm running a search right now (described below) so mds doesn't
    bother me so much, dunno how much windowserver normally takes, Norton
    sucks horribly anyway...the one that really bothers me is lookupd...

    My Partition size is 93 Gb. Of that roughly 19 Gb was free last night,
    0 Kb when I woke up, and now, about half an hour after killing the
    internet and starting up activity manager 14 Gb just magically appeared.
    As soon as I realized the disk had changed dramatically I started a
    spotlight search for all files opened since midnight, so far it hasn't
    spawned anything I wouldn't expect and also probably explains
    the mds usage above. While that was running I did a show info on every
    directory visible in my partition's root from finder and added up its
    disk came out to 79 Gb -- leaving 14 Gb free and unaccounted
    for at a time when every other tool (show info on the partition
    itself/Activity monitor) showed 0 Kb available.

    So...those are my symptoms -- phantom disk maxing and continuing CPU

    Does anyone have any suggestions as to any logs I should check or
    anything else I should be doing? Any idea what the hell happened? Is
    this posted in the wrong newsgroup? Any advice you might have would be
    appreciated and I thank you in advance.
    jg, Jul 24, 2007

  2. If an application allocates more and more memory the OS will increase
    its virtual memory which then eats up the free disk space. This may
    explain why you get back the disk space later when the virtual memory is
    back to normal. In case this happens again, have a look at the memory
    usage of the applications in Activity Monitor. This may give you a hint,
    which application is causing the trouble.
    Alexander Clauss, Jul 24, 2007

  3. Another possibility is massive creeping log files, cured by a cron
    script smashing them into compressed format..or temporary files deleted
    on reboot, automagically.
    The Natural Philosopher, Jul 24, 2007
  4. David Empson Guest

    I assume that is a typo - should be 10.4.10 (a MacBook Pro can't run
    10.4.1 anyway).
    A very likely explanation for the observed disk space behaviour is
    virtual memory.

    One or more of your applications or server processes was allocating vast
    amounts of memory, and the system kept creating swap files to satisfy
    the requests until it ran out of disk space.

    Whatever you did to "stop it" caused the memory hog to exit, which
    released all of its memory, and the system was able to delete the
    virtual memory swap files to free up disk space.
    You would need some way to identify which process was responsible for
    allocating vast amounts of memory. It is unlikely that there will be
    much in the way of logs to help diagnose this after the fact, as the
    virtual memory system wouldn't have been able to log anything while the
    disk was full. I don't know if it logs anything preemptively, e.g. if it
    notices a process consuming an "unreasonable and growing" amount of
    memory, but there might be diagnostic tools that can do this sort of

    On 32-bit computers, a single process cannot allocate more than about 2
    GB total, but on 64-bit computers (PowerPC G5 and Intel Core 2 Duo) the
    maximum memory per process is likely to exceed the total size of the
    hard drive, so there is nothing to stop a runaway memory bug from
    causing major problems.

    One would expect that the system should have a reasonable method of
    limiting this sort of misbehaviour, e.g. imposing a much smaller maximum
    on the amount of memory which can be allocated to a process, and
    refusing to allocate more once the limit is reached. I don't know if Mac
    OS X has any such mechanism.

    A similar problem would be something causing a massive number of child
    processes to be spawned, with their total memory requirements exceeding
    the available RAM plus hard drive space.

    It might have been some kind of denial of service attack, and if it
    involved a server process, that process might have been logging evidence
    of the source (e.g. the web server logs in /var/log/httpd).
    David Empson, Jul 24, 2007
  5. A trawl through the logs is certainly the first place to look.

    Start by simply looking in /var/log for largest and newest files..
    The Natural Philosopher, Jul 24, 2007
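
The checks suggested in the replies above (swap files consuming free space, then the largest and newest files in /var/log), as an added shell example that is not part of any poster's message. The swap directory `/private/var/vm` is the macOS default and is an assumption here, as are the function names and the 12-hour window.

```shell
#!/bin/sh
# Added example (not from the thread): where did the free space go?
# Run as:  sh disk_triage.sh report
LOG_DIR="${LOG_DIR:-/var/log}"        # log directory named in the replies
VM_DIR="${VM_DIR:-/private/var/vm}"   # assumption: default macOS swap-file directory

# Free space, in KB, on the filesystem holding path $1.
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Total KB occupied by swapfile* under directory $1 (prints 0 if none).
swap_kb() {
    find "$1" -type f -name 'swapfile*' -exec du -k {} + 2>/dev/null |
        awk '{ sum += $1 } END { print sum + 0 }'
}

# Files under $1 modified in the last $2 minutes, largest first,
# as "<KB> <path>"; at most $3 lines (default 10).
recent_largest() {
    find "$1" -type f -mmin "-$2" -exec du -k {} + 2>/dev/null |
        sort -rn | head -n "${3:-10}"
}

# Top $1 processes by resident memory: RSS KB, VSZ KB, PID, command.
top_mem() {
    ps -A -o rss= -o vsz= -o pid= -o comm= | sort -rn | head -n "${1:-5}"
}

report() {
    echo "Free on /: $(free_kb /) KB"
    echo "Swap files in $VM_DIR: $(swap_kb "$VM_DIR") KB"
    echo "Files in $LOG_DIR changed in the last 12 hours, largest first:"
    recent_largest "$LOG_DIR" 720
    echo "Top processes by memory (RSS KB, VSZ KB, PID, command):"
    top_mem 5
}

if [ "${1:-}" = report ]; then report; fi
```

Running it while the disk is full and again after the space returns shows whether the swap total or a log file accounts for the difference.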
  6. Well, if I was to guess at the culprit, this would be it.

    I don't know of anyone who recommends running Norton _anything_ on an
    OS X Mac.
    These look like victims of Norton to me.

    WindowServer can be driven to large CPU by excessive requests by an
    application to do window updates, and driving lookupd to near 50%
    of a CPU (core) suggests that an application is trying over and over
    to look up a (possibly non-existent) IP address.

    Smells like Norton running wild to me...
    James Glidewell, Jul 24, 2007
  7. Andy Guest

    I'm not at all a betting man, but I *would* be willing to bet a small
    amount of cash that Norton is the cause of this bizarre behaviour.

    Uninstall it. It's unnecessary and causes more problems than it solves.

    Andy, Jul 25, 2007