[TriLUG] kill signals
Paul D. Boyle
Thu, 14 Feb 2002 12:43:47 -0500 (EST)
James Manning wrote:
> [Jon Carnes]
> > kill -9 tells the process to die, die, die immediately.
> Actually, the process doesn't get SIGKILL - it doesn't have the option
> of, say, catching and ignoring it, but that's an implementation issue.
> > I believe that "kill -6" is the default signal, so when you "kill" a process
> > you are actually sending it signal #6 (SIGABRT - signal to abort).
> no, 15 (TERMinate) is the default:
The default behavior for SIGABRT is for the process to abort() and
dump core. Using this for routine sysadmin tasks for killing itinerant
processes can leave a lot of 'bodies' lying on your disk. SIGTERM is
the preferred way of terminating processes.
One useful thing to do with SIGABRT I have found is that if a box gets
cracked and the cracker has left processes running (e.g. a packet
sniffer, or a passwd interceptor of some sort), you can kill the process
with SIGABRT, leaving a core file. You can then use the 'strings' command
along with 'more' or 'grep' and friends to do a little forensics on
the core. With some luck, the cracker will have hard coded hostnames or
other incriminating information (like the location of files you can then
search out) into the executable. It doesn't give that much information,
but it can provide some clues, which is better than having no clues.
Paul D. Boyle | email@example.com
Director, X-ray Structural Facility | phone: (919) 515-7362
Department of Chemistry - Box 8204 | FAX: (919) 515-5079
North Carolina State University |
Raleigh, NC, 27695-8204
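
The strings-and-grep pass over a core file that this message describes, as an added shell example that is not part of the original post. The function names and the two patterns are assumptions chosen for illustration; `core_strings` is a stand-in for `strings` built from `tr` and `awk`, for a host where binutils is missing or not trusted.

```shell
#!/bin/sh
# Added example: first-pass triage of a core file left by `kill -ABRT <pid>`.
# All function names here are hypothetical helpers, not standard tools.

# Stand-in for strings(1): every non-printable byte becomes a line break,
# then only runs of at least MIN (default 4) printable characters are kept.
core_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" |
        awk -v min="${2:-4}" 'length($0) >= min'
}

# Candidate absolute paths (log files, drop directories) found in the image.
core_paths() {
    core_strings "$1" |
        LC_ALL=C grep -oE '/[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)+' | sort -u
}

# Candidate IPv4 literals and dotted hostnames. File names with an
# extension (e.g. "sniff.log") also match, so treat the output as leads.
core_hosts() {
    core_strings "$1" |
        LC_ALL=C grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}|([A-Za-z0-9-]+\.)+[A-Za-z]{2,}' |
        sort -u
}

# Hash the core first so later findings can be tied to an unmodified file,
# then print both candidate lists.
core_triage() {
    echo "sha256: $(sha256sum "$1" | cut -d' ' -f1)"
    echo "--- paths ---"
    core_paths "$1"
    echo "--- hosts ---"
    core_hosts "$1"
}

# Run only when a core file is given on the command line.
if [ "$#" -gt 0 ]; then
    core_triage "$1"
fi
```

A core is only written if the process's core size limit (`ulimit -c`) allows it, and where it lands depends on the system's core dump configuration.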