Linux zombie processes
Zombie process concept
A zombie process generally refers to a process that has terminated but still retains some information, waiting for its parent process to collect its exit status. Put another way: a process has finished, but its parent has not waited for it (by calling wait/waitpid), so it becomes a zombie process. Running the ps command shows its defunct flag. A zombie process is a dead process, but it still occupies a slot in the process table.
However, if the parent of a process has already ended, that process will not become a zombie. When each process ends, the system scans all processes running in the current system to see whether any of them is a child of the process that has just ended. If so, the init process takes over that process and becomes its parent, ensuring that every process has a parent. Because init automatically waits for its child processes, processes taken over by init do not become zombies.
Besides ZOMBIE, the other process states are RUNNING, UNINTERRUPTIBLE, INTERRUPTIBLE, and STOPPED.
Wikipedia on zombie processes:
On Unix and Unix-like computer operating systems, a zombie process or defunct process is a process that has completed execution (via the exit system call) but still has an entry in the process table: it is a process in the "Terminated state". This occurs for child processes, where the entry is still needed to allow the parent process to read its child's exit status: once the exit status is read via the wait system call, the zombie's entry is removed from the process table and it is said to be "reaped". A child process always first becomes a zombie before being removed from the resource table. In most cases, under normal system operation zombies are immediately waited on by their parent and then reaped by the system. Processes that stay zombies for a long time are generally an error and cause a resource leak.
The term zombie process derives from the common definition of zombie: an undead person. In the term's metaphor, the child process has "died" but has not yet been "reaped". Also, unlike normal processes, the kill command has no effect on a zombie process.
Zombie processes should not be confused with orphan processes: an orphan process is a process that is still executing, but whose parent has died. These do not remain as zombie processes; instead, (like all orphaned processes) they are adopted by init (process ID 1), which waits on its children. The result is that a process that is both a zombie and an orphan will be reaped automatically.
Viewing zombie processes
There are many ways to view the zombie processes in a system, such as the top and ps commands.
Combining ps with grep also shows zombie processes, in several different forms, as shown below.
[root@mylnx01 ~]# ps aux | grep Zs | grep -v grep
oracle 2002 0.0 0.0 0 0 ? Zs 02:44 0:00 [sh] <defunct>
oracle 2013 0.0 0.0 0 0 ? Zs 02:46 0:00 [sh] <defunct>
[root@mylnx01 ~]#
[root@mylnx01 ~]# ps -ef | grep defunct
oracle 2002 4788 0 02:44 ? 00:00:00 [sh] <defunct>
oracle 2013 4788 0 02:46 ? 00:00:00 [sh] <defunct>
[root@mylnx01 ~]#
[root@mylnx01 ~]# ps -A -ostat,ppid,pid,cmd | grep -e '^[Zz]'
Zs 4788 2002 [sh] <defunct>
Zs 4788 2013 [sh] <defunct>
[root@mylnx01 ~]#
Command to view the number of zombie processes
[root@mylnx01 ~]# ps -ef | grep defunct | grep -v grep | wc -l
2
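As an added example (not part of the original post), the following Python script does what the ps pipelines above do, but by reading /proc/<pid>/stat directly: find_zombies() groups zombie PIDs by parent PID, and zombie_demo() forks a child that exits without being waited on, reads its state as Z (defunct), then reaps it with waitpid() and confirms the process-table entry is gone. It assumes a Linux host with procfs mounted.

```python
import os
import time

def parse_stat(stat_text):
    """Parse a /proc/<pid>/stat line into (pid, comm, state, ppid). comm sits in
    parentheses and may contain spaces or ')', so split on the LAST ')'."""
    lparen, rparen = stat_text.index("("), stat_text.rindex(")")
    fields = stat_text[rparen + 1:].split()
    return int(stat_text[:lparen]), stat_text[lparen + 1:rparen], fields[0], int(fields[1])

def find_zombies(proc="/proc"):
    """Group zombie PIDs by parent PID, like ps -A -ostat,ppid,pid,cmd | grep '^Z'."""
    zombies = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "stat")) as f:
                pid, comm, state, ppid = parse_stat(f.read())
        except OSError:
            continue  # process vanished between listdir() and open()
        if state == "Z":
            zombies.setdefault(ppid, []).append((pid, comm))
    return zombies

def process_state(pid, proc="/proc"):
    """State letter of pid, or None once its process-table entry is gone."""
    try:
        with open(os.path.join(proc, str(pid), "stat")) as f:
            return parse_stat(f.read())[2]
    except OSError:
        return None

def has_procfs():
    return os.path.exists("/proc/self/stat")

def zombie_demo():
    """Fork a child that exits at once; it stays 'Z' until the parent waits on it."""
    child = os.fork()
    if child == 0:
        os._exit(0)  # child: terminate while the parent is not yet waiting
    for _ in range(100):  # give the exit time to land in the process table
        if process_state(child) == "Z":
            break
        time.sleep(0.01)
    before = process_state(child)
    os.waitpid(child, 0)  # read the exit status: the zombie entry disappears
    return before, process_state(child)
```

Calling zombie_demo() from a Python shell returns ('Z', None); find_zombies() returns the same PID/PPID pairs the ps -A -ostat,ppid,pid,cmd pipeline prints.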
Zombie process detection and removal
Killing a zombie process is sometimes a headache: the zombie itself is already dead, so kill has no effect on it, and it can only be reaped.
There are two ways to get rid of a zombie process:
1: Find the parent process of the defunct zombie process and kill that parent process. The defunct process will then disappear automatically, because init adopts it and waits on it.
2: Restart the server.
View and kill zombie processes
ps -ef | grep defunct | grep -v grep | awk '{print "kill -9 " $2,$3}'
The one-liner above only prints a kill command for each zombie PID and its parent PID; it does not run them. In general, it is not recommended to kill these zombie processes recklessly. Check the specific cause first, and then decide whether to kill based on the actual situation, as shown below.
[root@mylnx01 ~]# ps -ef | grep defunct
oracle 2002 4788 0 02:44 ? 00:00:00 [sh] <defunct>
oracle 2013 4788 0 02:46 ? 00:00:00 [sh] <defunct>
root 12348 10441 0 12:18 pts/11 00:00:00 grep defunct
[root@mylnx01 ~]# cat /proc/2002/stack
[<ffffffff8105b9f5>] do_exit+0x67d/0x696
[<ffffffff8105baae>] sys_exit_group+0x0/0x1b
[<ffffffff8105bac5>] sys_exit_group+0x17/0x1b
[<ffffffff81011db2>] system_call_fastpath+0x16/0x1b
[<ffffffffffffffff>] 0xffffffffffffffff
[root@mylnx01 ~]# cat /proc/2013/stack
[<ffffffff8105b9f5>] do_exit+0x67d/0x696
[<ffffffff8105baae>] sys_exit_group+0x0/0x1b
[<ffffffff8105bac5>] sys_exit_group+0x17/0x1b
[<ffffffff81011db2>] system_call_fastpath+0x16/0x1b
[<ffffffffffffffff>] 0xffffffffffffffff
[root@mylnx01 ~]# cat /proc/4788/stack
[<ffffffff811de86e>] sys_semtimedop+0x68b/0x7e7
[<ffffffff81011db2>] system_call_fastpath+0x16/0x1b
[<ffffffffffffffff>] 0xffffffffffffffff
[root@mylnx01 ~]#
[root@mylnx01 ~]# lsof -p 4788
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
oracle 4788 oracle cwd DIR 253,6 4096 7880901 /u01/app/oracle/product/10.2.0/db_1/dbs
oracle 4788 oracle rtd DIR 253,0 4096 2 /
oracle 4788 oracle txt REG 253,6 104559054 7884256 /u01/app/oracle/product/10.2.0/db_1/bin/oracle
oracle 4788 oracle DEL REG 0,4 3211268 /SYSVdf6790e8
oracle 4788 oracle mem REG 253,0 143600 8421721 /lib64/ld-2.5.so
oracle 4788 oracle mem REG 253,0 1722304 8421722 /lib64/libc-2.5.so
oracle 4788 oracle mem REG 253,0 615136 8421739 /lib64/libm-2.5.so
oracle 4788 oracle mem REG 253,0 23360 8421607 /lib64/libdl-2.5.so
oracle 4788 oracle mem REG 253,0 145824 8421724 /lib64/libpthread-2.5.so
oracle 4788 oracle mem REG 253,0 114352 8421738 /lib64/libnsl-2.5.so
oracle 4788 oracle mem REG 253,0 53880 8421403 /lib64/libnss_files-2.5.so
oracle 4788 oracle mem CHR 1,5 4603 /dev/zero
oracle 4788 oracle mem REG 253,0 3768 10426606 /usr/lib64/libaio.so.1.0.1
oracle 4788 oracle mem REG 253,6 1552 7893073 /u01/app/oracle/product/10.2.0/db_1/dbs/hc_epps.dat
oracle 4788 oracle mem REG 253,6 3796601 7888182 /u01/app/oracle/product/10.2.0/db_1/lib/libnnz10.so
oracle 4788 oracle mem REG 253,6 123345 7885115 /u01/app/oracle/product/10.2.0/db_1/lib/libdbcfg10.so
oracle 4788 oracle mem REG 253,6 64041 7887888 /u01/app/oracle/product/10.2.0/db_1/lib/libclsra10.so
oracle 4788 oracle mem REG 253,6 11385162 7883147 /u01/app/oracle/product/10.2.0/db_1/lib/libjox10.so
oracle 4788 oracle mem REG 253,6 516097 7887854 /u01/app/oracle/product/10.2.0/db_1/lib/libocrutl10.so
oracle 4788 oracle mem REG 253,6 691049 7887853 /u01/app/oracle/product/10.2.0/db_1/lib/libocrb10.so
oracle 4788 oracle mem REG 253,6 681761 7887852 /u01/app/oracle/product/10.2.0/db_1/lib/libocr10.so
oracle 4788 oracle mem REG 253,6 8545 7885226 /u01/app/oracle/product/10.2.0/db_1/lib/libskgxn2.so
oracle 4788 oracle mem REG 253,6 1772385 7887887 /u01/app/oracle/product/10.2.0/db_1/lib/libhasgen10.so
oracle 4788 oracle mem REG 253,6 177809 7884216 /u01/app/oracle/product/10.2.0/db_1/lib/libskgxp10.so
oracle 4788 oracle 0r CHR 1,3 4601 /dev/null
oracle 4788 oracle 1r CHR 1,3 4601 /dev/null
oracle 4788 oracle 2w REG 253,6 1447 7995467 /u01/app/oracle/admin/epps/bdump/epps_psp0_4788.trc
oracle 4788 oracle 3r CHR 1,3 4601 /dev/null
oracle 4788 oracle 4r CHR 1,3 4601 /dev/null
oracle 4788 oracle 5w REG 253,6 663 1638412 /u01/app/oracle/admin/epps/udump/epps_ora_4784.trc (deleted)
oracle 4788 oracle 6w REG 253,6 30440 7995465 /u01/app/oracle/admin/epps/bdump/alert_epps.log.20150904 (deleted)
oracle 4788 oracle 7u REG 253,6 0 6930433 /u01/app/oracle/product/10.2.0/db_1/dbs/lkinstepps (deleted)
oracle 4788 oracle 8w REG 253,6 30440 7995465 /u01/app/oracle/admin/epps/bdump/alert_epps.log.20150904 (deleted)
oracle 4788 oracle 9u REG 253,6 1552 7893073 /u01/app/oracle/product/10.2.0/db_1/dbs/hc_epps.dat
oracle 4788 oracle 10r CHR 1,5 4603 /dev/zero
oracle 4788 oracle 11r REG 253,6 849408 7887921 /u01/app/oracle/product/10.2.0/db_1/rdbms/mesg/oraus.msb
oracle 4788 oracle 12r CHR 1,5 4603 /dev/zero
oracle 4788 oracle 13u REG 253,6 1552 7893073 /u01/app/oracle/product/10.2.0/db_1/dbs/hc_epps.dat
oracle 4788 oracle 14uR REG 253,6 24 7893074 /u01/app/oracle/product/10.2.0/db_1/dbs/lkEPPS
oracle 4788 oracle 15r REG 253,6 849408 7887921 /u01/app/oracle/product/10.2.0/db_1/rdbms/mesg/oraus.msb
Checking the parent process of the zombie processes shows that it is the PSP0 process of the Oracle instance. I am not sure whether the process can be killed. Therefore, it is safer to restart the server.
References:
https://en.wikipedia.org/wiki/Zombie_process
http://linux.alai.net/viewblog.php?id=48189