Zombie (defunct) Process

Zombie or defunct processes are dead processes that have completed execution and released their CPU and memory resources, but still have an entry in the process table.

Usually, when a child or sub-process finishes its task and exits, its parent is supposed to call the “wait” system call to collect the child’s exit status. Until the parent checks that exit status, the child remains a zombie process, waiting for its parent to reap it.

You can use the ‘top’ or ‘ps aux’ command to check for zombie processes. All processes showing “Z” in their STAT column are zombie processes.

A zombie cannot be killed directly, because it has already exited. To get rid of zombie processes, send a SIGCHLD signal to the parent process of the zombie, which instructs the parent to reap its zombie children.

kill -s SIGCHLD {PPID}

If the above command doesn’t work, the last option you have is to kill the parent process.

You can easily find out the parent process ID with the following command:

ps -o ppid= -p {zombie_process_id}
kill -9 {PPID}

Once a zombie process loses its parent process, it becomes an orphan and is adopted by the “init” process. Init periodically executes the wait system call to reap any zombies that have init as their parent.

Orphan Process

Orphaned processes are processes whose parent process is dead. Re-parenting occurs immediately: the ‘init’ process adopts the orphaned ones. Even though re-parenting occurs, the process still counts as an orphan, because the parent that created it is dead.

To find orphaned processes (here, processes whose PPID is 1 and which are not owned by root), issue the following command:

[root@nagios ~]# ps -elf | head -1; ps -elf | awk '{if ($5 == 1 && $3 != "root") {print $0}}'| head
5 S dbus       872     1  0  80   0 -   742 -      May16 ?        00:00:00 dbus-daemon --system
5 S 68         901     1  0  80   0 -  1466 -      May16 ?        00:00:00 hald
1 S nagios   25443     1  0  80   0 -  3630 -      Jun06 ?        00:47:34 /usr/local/nagios/bin/nagios -d /usr/local/nagios/etc/nagios.cfg

You can kill the orphan process as follows:

kill -15 {PID}

If the above doesn’t work, you can try with -9 option as follows:

kill -9 {PID}

Parsing Secure logs

This is for my own reference; parsing the security log and checking on IPs that were trying to break into our server.

awk '$6 ~ /Failed/ {print $6,$1,$2,$3,$9$10,$11,$14$16,$13}' /home/soj/log_imp/secure.1 | sed -n -e 's/user//' -e 's/invalid//' -e 's/port//' -e 's/ssh2/Trying to Break-in via Shell access/p'
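The pipeline above relies on fixed field positions, so it only lines up for “invalid user” entries; a “Failed password for root from …” line has its fields shifted by two. As an added example (not from the original post), the script below locates the user, source IP and port by the “for”, “from” and “port” keywords so both forms are handled, and then counts failures per source address. The log lines are constructed samples in /var/log/secure format, not real data.

```shell
#!/bin/sh
# Constructed sample lines in /var/log/secure format (not real data).
SAMPLE_LOG='May 16 10:11:12 nagios sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
May 16 10:11:15 nagios sshd[1203]: Failed password for root from 192.0.2.10 port 51240 ssh2
May 16 10:11:20 nagios sshd[1205]: Accepted publickey for soj from 198.51.100.7 port 40022 ssh2
May 16 10:12:02 nagios sshd[1210]: Failed password for invalid user oracle from 203.0.113.5 port 60010 ssh2
May 16 10:12:05 nagios sshd[1212]: Failed password for invalid user test from 192.0.2.10 port 51300 ssh2'

# Read log lines on stdin; print one line per failed login:
#   <month> <day> <time> user=<name> ip=<addr> port=<port>
# The user, IP and port are found by keyword, so both
# "invalid user NAME" and plain "NAME" forms parse correctly.
failed_logins() {
    awk '$6 == "Failed" {
        user = ""; ip = ""; port = ""
        for (i = 7; i <= NF; i++) {
            if ($i == "for")  { user = ($(i+1) == "invalid") ? $(i+3) : $(i+1) }
            if ($i == "from") { ip = $(i+1) }
            if ($i == "port") { port = $(i+1) }
        }
        printf "%s %s %s user=%s ip=%s port=%s\n", $1, $2, $3, user, ip, port
    }'
}

# Read log lines on stdin; print "<count> <ip>" per source address,
# most active source first. Field 5 of failed_logins output is "ip=<addr>".
failed_by_ip() {
    failed_logins | awk '{ sub(/^ip=/, "", $5); c[$5]++ }
                         END { for (k in c) print c[k], k }' | sort -rn
}

# Example run over the constructed sample (replace with a real log file).
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
```

To run it against a real log, feed the file instead of the sample, e.g. `failed_by_ip < /var/log/secure`.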