Analysis of Linux zombie processes

Source: Internet
Author: User


In the fork()/execve() model, suppose the parent process is still alive when the child terminates, and the parent has neither installed a SIGCHLD handler that calls wait()/waitpid() to collect the child's exit status, nor called wait() on its own, nor explicitly set SIGCHLD to SIG_IGN. The child then becomes a zombie process and cannot go away by itself. In this state even kill -9 as root has no effect: the process is already dead, so there is nothing left to kill. The remedy is to kill the zombie's parent (for a zombie to exist at all, its parent must still be alive). The zombie then becomes an "orphan process", is reparented to process 1 (init), and init, which always reaps the children it inherits, clears it.

Put simply: a zombie process is a process that has already terminated, but whose parent has not yet collected (reaped) its exit status with wait()/waitpid().

How zombie processes arise:

When a process calls exit() to end its own life, it is not actually destroyed: it leaves behind a data structure called a zombie. (The exit system call terminates a process, but it can only turn a normal process into a zombie; it cannot destroy it completely.) Among the Linux process states, a zombie has given up almost all of its memory, has no executable code, and cannot be scheduled. It keeps only one slot in the process table, recording the process's exit status and resource usage, so that the parent can still read them.

A zombie therefore holds no user memory, but it still occupies a PID and a kernel task structure, and it needs its parent process to reap it. If the parent has not installed a SIGCHLD handler that calls wait() or waitpid() to wait for the child, does not call wait() in any other way, and has not explicitly ignored the signal, the child remains a zombie. If the parent has already finished, the init process automatically adopts the child and reaps it, so it can still be cleared. But if the parent is, say, a server loop that never ends and never waits, the child stays a zombie indefinitely, which is why a system can sometimes accumulate many zombie processes.

How to view zombie processes:

Using the ps command, processes whose STAT column shows Z are zombies; ps also appends <defunct> to the command name of such a process.

How to clear zombie processes:

1. Fix the parent so that it reaps its children after they die. The specific method is to handle the SIGCHLD signal: when a child dies, the kernel sends SIGCHLD to its parent, and in the handler the parent calls waitpid() to collect the child (in a loop with WNOHANG, because standard signals are not queued and one SIGCHLD may stand for several children that died at about the same time). This works because the kernel sends SIGCHLD whether or not the parent ever calls wait(); the default disposition merely discards the signal. To react to it, install a handler. Note the difference between the default disposition and an explicit SIG_IGN: leaving SIGCHLD at SIG_DFL reaps nothing, whereas explicitly setting SIGCHLD to SIG_IGN makes the Linux kernel reap terminated children automatically, at the cost of the parent never seeing their exit status.

2. Kill the parent process. Once the parent is dead, the zombie becomes an "orphan process" and is reparented to process 1 (init), which always reaps the children it inherits, so every zombie that parent left behind disappears as well. Two caveats apply. On current kernels an orphan is reparented to the nearest ancestor that has marked itself a child subreaper (prctl with PR_SET_CHILD_SUBREAPER) rather than to PID 1, and that process must reap just as init would. And in a container whose PID 1 is an ordinary application that never calls wait(), orphaned zombies accumulate, which is why minimal init programs for containers exist.

========================================================== ===

In Linux:

ps auwx

lists every process so that zombies can be found. The options mean:

a    all processes with a tty, including those of other users
u    user-oriented (user-friendly) output format
-w, w    wide output
x    also processes without a controlling tty

A zombie is shown with state Z in the STAT column and <defunct> after its command name.

ps axf

shows the process tree: the f (forest) option draws the parent-child relationships as a tree, which makes the parent of a zombie easy to spot.

ps axm

lists threads after their processes. In Linux, processes and threads are handled uniformly: a thread is a lightweight process.

ps axu

shows the detailed status of each process.

========================================================== ===

killall

kill -15

kill -9

Generally, none of these can kill a defunct process: it has already terminated, so there is nothing left for a signal to stop. Killing the live children of a parent that never waits, whether with kill -15 or kill -9, only produces more zombies.

kill -KILL pid

fuser -k pid

These cannot remove a zombie either. (fuser -k kills the processes that have a given file or socket open; it takes a file name rather than a PID.)

Instead, consider killing the parent process:

kill -9 <parent pid>

A process that has terminated but has not yet been properly handled by its parent (which should retrieve the child's final information and release the resources it still occupies) is called a defunct process, or zombie process.
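The following C program ties together the three points above (how a zombie arises, how ps finds it, and why kill -9 does nothing while waitpid() works). It is an added example, not code from the original page: it forks a child that exits without being waited for, finds the resulting zombie by reading /proc/<pid>/stat the way ps does, shows that SIGKILL leaves it in state Z, and then clears it with waitpid(), first by a direct call and then from a SIGCHLD handler. All function names (read_stat, find_zombies, spawn_zombie, reap_children, install_sigchld_reaper and so on) are my own, and the code assumes a Linux system with /proc mounted.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parse /proc/<pid>/stat: state letter (field 3, 'Z' = zombie) and parent PID (field 4). 0 = ok, -1 = unreadable. */
int read_stat(pid_t pid, char *state, pid_t *ppid) {
    char path[64], buf[1024];
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;                              /* PID no longer exists (or no /proc) */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f); buf[n] = '\0';
    /* Field 2 (comm) is parenthesised and may contain spaces or ')': anchor on the LAST ')'. */
    char *p = strrchr(buf, ')'); int pp;
    if (!p || sscanf(p + 1, " %c %d", state, &pp) != 2) return -1;
    *ppid = (pid_t)pp;
    return 0;
}

char proc_state(pid_t pid) {                        /* 'Z', 'S', 'R', ... or '?' if gone */
    char st; pid_t pp; return read_stat(pid, &st, &pp) == 0 ? st : '?';
}

/* What `ps axu` plus a grep for state Z does: scan /proc for zombies whose parent is `parent`.
 * Stores up to `max` PIDs in `out`; returns the count, or -1 if /proc cannot be opened. */
int find_zombies(pid_t parent, pid_t *out, int max) {
    DIR *d = opendir("/proc");
    if (!d) return -1;
    int found = 0;
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        if (e->d_name[0] < '0' || e->d_name[0] > '9') continue;   /* only PID directories */
        char st; pid_t pp, pid = (pid_t)atoi(e->d_name);
        if (read_stat(pid, &st, &pp) == 0 && st == 'Z' && pp == parent && found < max)
            out[found++] = pid;
    }
    closedir(d);
    return found;
}

pid_t fork_exiting_child(void) {                    /* child dies at once; caller decides whether to reap */
    pid_t pid = fork();
    if (pid == 0) _exit(0);
    return pid;
}

/* Deliberately create a zombie: fork, let the child exit, never wait(). Polls until state 'Z'. */
pid_t spawn_zombie(void) {
    pid_t pid = fork_exiting_child();
    for (int i = 0; pid > 0 && i < 200 && proc_state(pid) != 'Z'; i++) usleep(5000);
    return pid;
}

/* The remedy: reap every already-terminated child without blocking (async-signal-safe).
 * Loop, because standard signals are not queued: one SIGCHLD may stand for several deaths. */
int reap_children(void) {
    int reaped = 0, status;
    while (waitpid(-1, &status, WNOHANG) > 0) reaped++;
    return reaped;
}

static volatile sig_atomic_t handler_reaped = 0;
static void on_sigchld(int sig) {
    (void)sig;
    int saved = errno;                              /* waitpid may clobber errno */
    handler_reaped += reap_children();
    errno = saved;
}

/* Install the reaping handler; with SIG_DFL (the default) the kernel reaps nothing. */
int install_sigchld_reaper(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART | SA_NOCLDSTOP;        /* restart syscalls; ignore stopped children */
    return sigaction(SIGCHLD, &sa, NULL);
}

int wait_for_handler(int n) {                       /* bounded wait until the handler has reaped n */
    for (int i = 0; i < 200 && handler_reaped < n; i++) usleep(5000);
    return (int)handler_reaped;
}

int main(void) {
    pid_t z = spawn_zombie(), found[8];
    printf("pid %d exited but unreaped: state %c; /proc scan finds %d zombie(s) of this parent\n",
           (int)z, proc_state(z), find_zombies(getpid(), found, 8));
    kill(z, SIGKILL); printf("after kill -9: state %c (still a zombie)\n", proc_state(z));
    int n = reap_children();
    printf("waitpid() reaped %d; state now %c (process table entry gone)\n", n, proc_state(z));
    install_sigchld_reaper(); fork_exiting_child();
    printf("SIGCHLD handler reaped %d child(ren)\n", wait_for_handler(1));
}
```

Compile with gcc and run as an ordinary user; no privileges are needed because the zombie is the program's own child. find_zombies only reports zombies of the parent you pass in, which is the same view `ps -eo pid,ppid,stat,comm` gives once you filter on the PPID column; pass the PID of a suspect daemon to check it from another process.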
