Linux zombie processes and defunct processes

Source: Internet
Author: User


Zombie process concept

A zombie process generally refers to a process that has already terminated but still retains some information, waiting for its parent process to collect it. Put formally: a process has finished, but its parent has not yet waited for it (by calling wait/waitpid), so it becomes a zombie process. Running the ps command shows it with the defunct flag. A zombie process is a dead process, but it still occupies a slot in the process table.

However, if the parent of the process has already ended, the process will not become a zombie. This is because whenever a process ends, the system scans all processes currently running to see whether any of them is a child of the process that has just ended. If so, the Init process takes over that child and becomes its parent, ensuring that every process has a parent. The Init process automatically waits for its child processes, so no process taken over by Init remains a zombie.

Process states other than ZOMBIE include RUNNING, UNINTERRUPTIBLE, INTERRUPTIBLE, and STOPPED.

Wikipedia on zombie processes:

On Unix and Unix-like computer operating systems, a zombie process or defunct process is a process that has completed execution (via the exit system call) but still has an entry in the process table: it is a process in the "Terminated state". This occurs for child processes, where the entry is still needed to allow the parent process to read its child's exit status: once the exit status is read via the wait system call, the zombie's entry is removed from the process table and it is said to be "reaped". A child process always first becomes a zombie before being removed from the resource table. In most cases, under normal system operation zombies are immediately waited on by their parent and then reaped by the system; processes that stay zombies for a long time are generally an error and cause a resource leak.

The term zombie process derives from the common definition of zombie: an undead person. In the term's metaphor, the child process has "died" but has not yet been "reaped". Also, unlike normal processes, the kill command has no effect on a zombie process.

Zombie processes should not be confused with orphan processes: an orphan process is a process that is still executing, but whose parent has died. These do not remain as zombie processes; instead, (like all orphaned processes) they are adopted by init (process ID 1), which waits on its children. The result is that a process that is both a zombie and an orphan will be reaped automatically.
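To make the mechanism above concrete, here is an added C example (not part of the original post): it deliberately creates a zombie by forking a child and not waiting for it, reads the child's state letter from field 3 of /proc/<pid>/stat (the same Z that ps shows in its STAT column), and then reaps it with waitpid(), after which the /proc entry is gone. All function names are the example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/wait.h>
/* State letter from field 3 of /proc/<pid>/stat: 'Z' zombie, 'S'/'R' live, '?' entry gone (reaped). */
char proc_state(pid_t pid)
{
    char path[64], line[512];
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return '?';
    char *ok = fgets(line, sizeof line, f);
    fclose(f);
    if (!ok) return '?';
    char *p = strrchr(line, ')');   /* comm is parenthesised and may contain spaces */
    return (p && p[1] == ' ' && p[2]) ? p[2] : '?';
}

/* Fork a child that exits at once and deliberately do NOT wait for it, so it becomes
 * a zombie. Polls /proc (up to ~2 s) until the kernel shows state Z; -1 on failure. */
pid_t spawn_zombie(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(0);                          /* child: terminate immediately */
    struct timespec tick = { 0, 10 * 1000 * 1000 };  /* 10 ms */
    for (int i = 0; i < 200 && proc_state(pid) != 'Z'; i++)
        nanosleep(&tick, NULL);
    return proc_state(pid) == 'Z' ? pid : -1;
}

/* What a proper parent (or init after adoption) does: waitpid() collects the exit status and frees the slot. */
int reap(pid_t pid)
{
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    pid_t z = spawn_zombie();
    printf("pid %d before reaping: state %c (ps shows <defunct>)\n", (int)z, proc_state(z));
    int code = reap(z);
    printf("pid %d after reaping:  state %c, exit code %d\n", (int)z, proc_state(z), code);
    return 0;
}
```

While the program sits between the two printf calls, `ps -ef | grep defunct` from another shell lists the child exactly as in the output later on this page.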

Viewing zombie processes

There are many ways to view the zombie processes on a system, such as the top and ps commands.

In addition, combining ps with grep also reveals zombie processes; there are several variants, as shown below.

[root@mylnx01 ~]# ps aux | grep Zs |  grep -v grep
oracle    2002  0.0  0.0      0     0 ?        Zs   02:44   0:00 [sh] <defunct>
oracle    2013  0.0  0.0      0     0 ?        Zs   02:46   0:00 [sh] <defunct>
[root@mylnx01 ~]# 
 
 
[root@mylnx01 ~]# ps -ef | grep defunct
oracle    2002  4788  0 02:44 ?        00:00:00 [sh] <defunct>
oracle    2013  4788  0 02:46 ?        00:00:00 [sh] <defunct>
[root@mylnx01 ~]# 
 
[root@mylnx01 ~]# ps -A -ostat,ppid,pid,cmd | grep -e '^[Zz]'
Zs    4788  2002 [sh] <defunct>
Zs    4788  2013 [sh] <defunct>
[root@mylnx01 ~]# 

Command to count the zombie processes

[root@mylnx01 ~]# ps -ef | grep defunct | grep -v grep | wc -l
2

Zombie process detection and removal

Killing a zombie process is sometimes a headache: sometimes a zombie process can be cleared and sometimes it cannot.

There are two ways to get rid of a zombie process:

1: Find the parent of the defunct zombie process and kill that parent. The defunct process then disappears automatically, because it is adopted by Init, which waits for it.

2: Restart the server.


View and kill zombie processes

# prints one "kill -9 <zombie pid> <parent pid>" line per zombie for review; it does not execute them
ps -ef | grep defunct | grep -v grep | awk '{print "kill -9 " $2,$3}'

In general, it is not recommended to kill these zombie processes recklessly. Check the specific cause first, and then kill based on the actual situation, as shown below.

[root@mylnx01 ~]# ps -ef | grep defunct
oracle    2002  4788  0 02:44 ?        00:00:00 [sh] <defunct>
oracle    2013  4788  0 02:46 ?        00:00:00 [sh] <defunct>
root     12348 10441  0 12:18 pts/11   00:00:00 grep defunct
[root@mylnx01 ~]# cat /proc/2002/stack
[<ffffffff8105b9f5>] do_exit+0x67d/0x696
[<ffffffff8105baae>] sys_exit_group+0x0/0x1b
[<ffffffff8105bac5>] sys_exit_group+0x17/0x1b
[<ffffffff81011db2>] system_call_fastpath+0x16/0x1b
[<ffffffffffffffff>] 0xffffffffffffffff
[root@mylnx01 ~]# cat /proc/2013/stack
[<ffffffff8105b9f5>] do_exit+0x67d/0x696
[<ffffffff8105baae>] sys_exit_group+0x0/0x1b
[<ffffffff8105bac5>] sys_exit_group+0x17/0x1b
[<ffffffff81011db2>] system_call_fastpath+0x16/0x1b
[<ffffffffffffffff>] 0xffffffffffffffff
[root@mylnx01 ~]# cat /proc/4788/stack
[<ffffffff811de86e>] sys_semtimedop+0x68b/0x7e7
[<ffffffff81011db2>] system_call_fastpath+0x16/0x1b
[<ffffffffffffffff>] 0xffffffffffffffff
[root@mylnx01 ~]# 


[root@mylnx01 ~]# lsof -p 4788
COMMAND  PID   USER   FD   TYPE DEVICE      SIZE     NODE NAME
oracle  4788 oracle  cwd    DIR  253,6      4096  7880901 /u01/app/oracle/product/10.2.0/db_1/dbs
oracle  4788 oracle  rtd    DIR  253,0      4096        2 /
oracle  4788 oracle  txt    REG  253,6 104559054  7884256 /u01/app/oracle/product/10.2.0/db_1/bin/oracle
oracle  4788 oracle  DEL    REG    0,4            3211268 /SYSVdf6790e8
oracle  4788 oracle  mem    REG  253,0    143600  8421721 /lib64/ld-2.5.so
oracle  4788 oracle  mem    REG  253,0   1722304  8421722 /lib64/libc-2.5.so
oracle  4788 oracle  mem    REG  253,0    615136  8421739 /lib64/libm-2.5.so
oracle  4788 oracle  mem    REG  253,0     23360  8421607 /lib64/libdl-2.5.so
oracle  4788 oracle  mem    REG  253,0    145824  8421724 /lib64/libpthread-2.5.so
oracle  4788 oracle  mem    REG  253,0    114352  8421738 /lib64/libnsl-2.5.so
oracle  4788 oracle  mem    REG  253,0     53880  8421403 /lib64/libnss_files-2.5.so
oracle  4788 oracle  mem    CHR    1,5               4603 /dev/zero
oracle  4788 oracle  mem    REG  253,0      3768 10426606 /usr/lib64/libaio.so.1.0.1
oracle  4788 oracle  mem    REG  253,6      1552  7893073 /u01/app/oracle/product/10.2.0/db_1/dbs/hc_epps.dat
oracle  4788 oracle  mem    REG  253,6   3796601  7888182 /u01/app/oracle/product/10.2.0/db_1/lib/libnnz10.so
oracle  4788 oracle  mem    REG  253,6    123345  7885115 /u01/app/oracle/product/10.2.0/db_1/lib/libdbcfg10.so
oracle  4788 oracle  mem    REG  253,6     64041  7887888 /u01/app/oracle/product/10.2.0/db_1/lib/libclsra10.so
oracle  4788 oracle  mem    REG  253,6  11385162  7883147 /u01/app/oracle/product/10.2.0/db_1/lib/libjox10.so
oracle  4788 oracle  mem    REG  253,6    516097  7887854 /u01/app/oracle/product/10.2.0/db_1/lib/libocrutl10.so
oracle  4788 oracle  mem    REG  253,6    691049  7887853 /u01/app/oracle/product/10.2.0/db_1/lib/libocrb10.so
oracle  4788 oracle  mem    REG  253,6    681761  7887852 /u01/app/oracle/product/10.2.0/db_1/lib/libocr10.so
oracle  4788 oracle  mem    REG  253,6      8545  7885226 /u01/app/oracle/product/10.2.0/db_1/lib/libskgxn2.so
oracle  4788 oracle  mem    REG  253,6   1772385  7887887 /u01/app/oracle/product/10.2.0/db_1/lib/libhasgen10.so
oracle  4788 oracle  mem    REG  253,6    177809  7884216 /u01/app/oracle/product/10.2.0/db_1/lib/libskgxp10.so
oracle  4788 oracle    0r   CHR    1,3               4601 /dev/null
oracle  4788 oracle    1r   CHR    1,3               4601 /dev/null
oracle  4788 oracle    2w   REG  253,6      1447  7995467 /u01/app/oracle/admin/epps/bdump/epps_psp0_4788.trc
oracle  4788 oracle    3r   CHR    1,3               4601 /dev/null
oracle  4788 oracle    4r   CHR    1,3               4601 /dev/null
oracle  4788 oracle    5w   REG  253,6       663  1638412 /u01/app/oracle/admin/epps/udump/epps_ora_4784.trc (deleted)
oracle  4788 oracle    6w   REG  253,6     30440  7995465 /u01/app/oracle/admin/epps/bdump/alert_epps.log.20150904 (deleted)
oracle  4788 oracle    7u   REG  253,6         0  6930433 /u01/app/oracle/product/10.2.0/db_1/dbs/lkinstepps (deleted)
oracle  4788 oracle    8w   REG  253,6     30440  7995465 /u01/app/oracle/admin/epps/bdump/alert_epps.log.20150904 (deleted)
oracle  4788 oracle    9u   REG  253,6      1552  7893073 /u01/app/oracle/product/10.2.0/db_1/dbs/hc_epps.dat
oracle  4788 oracle   10r   CHR    1,5               4603 /dev/zero
oracle  4788 oracle   11r   REG  253,6    849408  7887921 /u01/app/oracle/product/10.2.0/db_1/rdbms/mesg/oraus.msb
oracle  4788 oracle   12r   CHR    1,5               4603 /dev/zero
oracle  4788 oracle   13u   REG  253,6      1552  7893073 /u01/app/oracle/product/10.2.0/db_1/dbs/hc_epps.dat
oracle  4788 oracle   14uR  REG  253,6        24  7893074 /u01/app/oracle/product/10.2.0/db_1/dbs/lkEPPS
oracle  4788 oracle   15r   REG  253,6    849408  7887921 /u01/app/oracle/product/10.2.0/db_1/rdbms/mesg/oraus.msb

Checking the parent process of the zombie processes shows that it corresponds to the PSP0 process in ORACLE. I am not sure whether the process can be killed. Therefore, it is safer to restart the server.

References:

https://en.wikipedia.org/wiki/Zombie_process

http://linux.alai.net/viewblog.php?id=48189
