Bugtraq mailing list archives
Re: Possible Denial of Service: SSH
From: jimd () starshine org (Jim Dennis)
Date: Wed, 18 Dec 1996 04:21:03 -0800
> On Tue, 17 Dec 1996, Sean B. Hamor wrote:
>
> > It seems that when my Windows 95 laptop establishes a connection to my Linux box via SSH and the PPP connection drops, all processes that were being controlled by the inbound SSH connection get zombied out. If I establish a connection and exit/drop the SSH connection, the Linux box recovers fine. This problem only occurs when the PPP connection drops.
> >
> > Anyway... I'd be interested in seeing if anyone else has had this problem (or if it's a known bug). The attack failed against a Linux 1.2.13 box running sshd 1.2.17.
>
> We have the same thing happening here. We have some users who use some flaky TV cable connection to run ppp to their university and it often disconnects. We then end up with sshd zombies as well. However, killing off the main sshd will also get rid of the zombies for you (Don't try this from remote, if you're logged in using ssh :)
>
> Paul Wouters
In general any zombie can be killed by killing off its parent. The reason zombies exist is to provide the kernel with a place to store a program's exit status until the parent requests it (issues a wait() call). When a parent dies (or exits) then all of its children (now "orphans") are adopted by init (process #1). 'init' regularly checks the status of all its children (adopted or otherwise) and wait()'s on any zombies (discarding any exit status -- since there's no parent to care how the child died).

Obviously if you kill the process that is responsible for your communications with a server (like sshd or telnetd) you'd kill your own connection. However, you should be able to do any of the following:

    # (sleep 60; kill -9 $zombies_parent ) & exit

    # at $NOW_plus_a_minute << FOO
    >shutdown -r now
    >FOO
    # exit

    # shutdown -r 60 & exit

or any reasonable variation of these.

Recently my wife (a system administrator and webmistress) was told that the company was going to shut down all power to the building at Midnight on a Friday (Saturday morning actually). Naturally she didn't want to go in then. So she did the natural thing:

    echo 'shutdown -h now' | at 23:50

... on each of the boxes she handles. (only bug was the Netscape Commerce Server -- which requires an administrative password to start -- similar to your PGP keyphrase and for similar reasons. She solved that by ssh'ing in from home, chaining through another ssh to that box, and starting the https)
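The zombie lifecycle described in the message above, as an added example that is not part of the original post: a child exits, shows state `Z` until its parent calls wait(), and disappears once its exit status has been collected. It assumes a Linux system with /proc mounted; the names `proc_state` and `zombie_demo` are made up for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <poll.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Return the state letter from /proc/<pid>/stat (Linux-specific),
 * or 0 if the process table entry no longer exists. */
static char proc_state(pid_t pid) {
    char path[64], buf[512];
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    char *p = strrchr(buf, ')');        /* format: "pid (comm) STATE ..." */
    return (p && p[1] == ' ') ? p[2] : 0;
}

struct result { char before; int status; char after; };

/* Fork a child that exits with `code`, observe it before and after wait(). */
struct result zombie_demo(int code) {
    struct result r = {0, -1, 0};
    pid_t pid = fork();
    if (pid < 0) return r;              /* fork failed */
    if (pid == 0) _exit(code);          /* child: exit immediately */

    /* Parent has not called wait() yet, so the dead child lingers as 'Z'. */
    for (int i = 0; i < 200 && (r.before = proc_state(pid)) != 'Z'; i++)
        poll(NULL, 0, 10);              /* sleep 10 ms between checks */

    int st;                             /* collecting the status frees the slot */
    if (waitpid(pid, &st, 0) == pid && WIFEXITED(st))
        r.status = WEXITSTATUS(st);
    r.after = proc_state(pid);          /* 0: entry is gone */
    return r;
}

int main(void) {
    struct result r = zombie_demo(7);
    printf("before wait(): %c, exit status: %d, after wait(): %s\n",
           r.before ? r.before : '?', r.status,
           r.after ? "still present" : "gone");
    return 0;
}
```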