Botnets in Linux

In Linux, zombie processes are similar to actual botnets (although I have never seen them). Even though they are dead, they can still be moved around because no one has given them a zombie. A zombie process refers to processes that have been terminated, but still retain some information, waiting for its parent process to collect the dead.

How are zombie processes produced?
If a process stops, it recycles all the resources allocated to it, and the system will not generate the so-called zombie process. So what information will be retained after a process is terminated? Why do I need to retain this information after termination?

There are many methods to terminate a process. After a process is terminated, some information is useful to the parent process and the kernel, such as the process ID, process exit status, and CPU time of the process. Therefore, when a process is terminated, it recycles all the memory allocated to it by the kernel, closes all files opened by it, and so on. However, it retains a very small amount of information for the parent process to use. The parent process can use system calls such as wait and waitpid to clean up the child process and do some final work.

Therefore, the process of a zombie process is: after the parent process calls fork to create a child process, the child process runs until it is terminated, and it is immediately removed from the memory, however, the process descriptor remains in the memory (the process descriptor occupies a small amount of memory space ). The sub-process status changes to EXIT_ZOMBIE and sends a SIGCHLD signal to the parent process. The parent process should call the wait () System Call to obtain the sub-process exit status and other information. After wait is called, the zombie process is completely removed from the memory. Therefore, when a zombie stops calling functions such as wait by the parent process, it usually disappears soon. However, if programming is unreasonable, the parent process never calls wait or other system calls to collect zombie processes, so these processes will always exist in the memory.

In Linux, we can use commands such as ps to view zombie processes in the system. The status of zombie processes is marked as 'Z ':

Generate a zombie Process
According to the above description, we can easily write a program to generate a zombie process, as shown in the following code:

# Include <stdio. h>
# Include <sys/types. h>

Int main ()
{
// Fork a child process
Pid_t pid = fork ();

If (pid> 0) // parent process
{
Printf ("in parent process, sleep for one miniute... zZ... \ n ");
Sleep (60 );
Printf ("after sleeping, and exit! \ N ");
}
Else if (pid = 0)
{
// Child process exit, and to be a zombie process
Printf ("in child process, and exit! \ N ");
Exit (0 );
}

Return 0;
}
The parent process does not write a system call function such as wait. Therefore, after the child process exits, it becomes a zombie process and the parent process does not collect the dead for it. Run the following command to compile and run the process and view the process status in the system:

Www.bkjia.com @ bkjia :~ /Documents $ gcc zombie. c-o zombie
Www.bkjia.com @ bkjia :~ /Documents $./zombie
In parent process, sleep for one miniute... zZ...
In child process, and exit!

For more details, please continue to read the highlights on the next page:

Zombie processes in Linux

Processing of zombie processes in Linux

Linux botnets run faster than Windows

Getting started with Linux: Killing zombie Processes

Detailed analysis of Linux botnets and common ps usage

1 2 Next Page