How to find zombie processes on Linux

My NAGIOS monitor alerted me that one of my dedicated servers has 10 zombie processes. How do you find zombie processes via the command line on Linux, especially CentOS?

 ps aux | awk '{ print $8 " " $2 }' | grep -w Z 

This returns the state (Z = zombie) and the process ID (PID):

root@sirius [~]#  ps aux | awk '{ print $8 " " $2 }' | grep -w Z
Z 4399
Z 4435
Z 4868
Z 5143
Z 5400
Z 5834
Z 7584
Z 11943
Z 16286
Z 24365

Technically, you cannot kill a zombie process since it's already dead, but its entry in the process table is not removed because the parent will access the result via the PID in the process table.
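
Since the entry only goes away once the parent collects the result, the useful next step is to find which parent owns the zombies. The following is an added example, not part of the original post; the sample data (including the parent PIDs and command names) is constructed.

```sh
#!/bin/sh
# Added example: group zombie processes by their parent.
# Expected input (an assumption of this example): the output of
#   ps -e -o stat= -o pid= -o ppid= -o comm=
# i.e. four whitespace-separated columns and no header line.

zombie_parents() {
    # Output: "<ppid> <parent command> <zombie count> <zombie pids...>"
    awk '
        { name[$2] = $4 }                          # remember every command name
        $1 ~ /^Z/ { count[$3]++; pids[$3] = pids[$3] " " $2 }
        END {
            for (p in count) {
                parent = ((p in name) ? name[p] : "?")
                printf "%s %s %d%s\n", p, parent, count[p], pids[p]
            }
        }
    ' | sort -n
}

# Constructed sample in the format above (not real output from the server).
SAMPLE_PS='Ss 1 0 init
S 2101 1 httpd
Z 4399 2101 php
Z 4435 2101 php
S 3000 1 crond
Z+ 4868 3000 sh
R 5000 1 ps'

printf '%s\n' "$SAMPLE_PS" | zombie_parents
```

On a live system, pipe the ps command from the comment into zombie_parents; a parent that keeps accumulating zombies is the process to restart or fix.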

How to find specific files and send alerts

Maintaining a shared hosting server is a full-time job, but tools and proper checks and balances can make this burden a lot lighter. I manage a shared hosting server for one of my friends, and numerous times the scripts that people have installed on their websites have had vulnerabilities that hackers exploit to upload files that send mass email or do other nasty stuff. Luckily, most of these exploits have common patterns, like file names or other signatures, that make them traceable (most of the time the so-called hackers are just script kiddies).

Create a file and put this in it:

#!/bin/bash
find /home -name 'paypal.com*' | mail -s '[Woodcrest] Phishing Alert!' me@mydomain.com
find /home -name 'rout.php' | mail -s '[Woodcrest] Phishing Alert - Mail Bomber!' me@mydomain.com

This is a small script that finds files with specific names in the /home directory (mostly cPanel servers). You can put this in the crontab to do a scan every x hours or so.
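
A variant of the scan above that stays silent when nothing is found and mails only the actual hits, as an added example that is not the original script. It assumes a working mail command; the --run switch, the script path and the cron schedule in the comment are illustrative.

```sh
#!/bin/sh
# Added example, not the original script. Assumes a working mail(1).
SCAN_ROOT=${SCAN_ROOT:-/home}
ALERT_TO=${ALERT_TO:-me@mydomain.com}

# scan_names ROOT PATTERN...: print every path under ROOT whose name matches
# one of the find -name patterns, sorted, one per line.
scan_names() {
    root=$1; shift
    [ "$#" -gt 0 ] || return 2
    first=1
    for pat in "$@"; do            # rebuild "$@" as: -name A -o -name B ...
        if [ "$first" -eq 1 ]; then
            set -- -name "$pat"; first=0
        else
            set -- "$@" -o -name "$pat"
        fi
    done
    find "$root" \( "$@" \) -print 2>/dev/null | LC_ALL=C sort
}

# alert_if_hits SUBJECT PATTERN...: mail the list of hits, or send nothing
# and return 1 when no file matched.
alert_if_hits() {
    subject=$1; shift
    hits=$(scan_names "$SCAN_ROOT" "$@")
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits" | mail -s "$subject" "$ALERT_TO"
}

# Run the two checks from the post only when called with --run, e.g. from cron:
#   0 */6 * * * /root/scan-names.sh --run     (path and schedule are examples)
if [ "${1:-}" = "--run" ]; then
    alert_if_hits '[Woodcrest] Phishing Alert!' 'paypal.com*'
    alert_if_hits '[Woodcrest] Phishing Alert - Mail Bomber!' 'rout.php'
fi
```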

package-cleanup: command not found

I tried to do package-cleanup and found this

root@ns1 [~]# package-cleanup --problems
-bash: package-cleanup: command not found

If I were on Ubuntu, I would have done “apt-get install package-cleanup”, but it does not work that way on CentOS. It's actually available in the yum-utils package; install it by typing

yum install yum-utils

Enjoy!!

How to configure repos to not overwrite base packages?

The greatest fear with adding additional and especially third party repos such as EPEL (we did a blog post on how to install EPEL earlier) is that it MAY overwrite base packages and bring the system to an unstable state.

We can fix this issue by installing the Yum Priorities plugin

on CentOS 5:

yum install yum-priorities

on CentOS 4 or CentOS 6:

yum install yum-plugin-priorities

Then make sure that the plugin is enabled

nano /etc/yum/pluginconf.d/priorities.conf

Now there are two ways to do it: either set the HIGHEST priority on the CentOS repos OR set the lowest priority on the other repos. This is done by adding the line

# N=1 highest priority
# N=99 lowest priority
priority=N

In this blog post, I will set 1 as the priority (highest) for my CentOS Base repo

nano /etc/yum.repos.d/CentOS-Base.repo

So that it becomes

# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.  You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
priority=1

#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
priority=1
...
...
...

Other repos do not need updating since I have assigned the CentOS repos the highest priority. The default priority for repositories is 99.
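
To check the result across every repo file at once, the following added example (not from the original post) lists each repo section with its effective priority, using 99 where no priority= line is set, and flags any non-CentOS repo that ties with or outranks [base]. The function names are made up for this example.

```sh
#!/bin/sh
# Added example: report the effective yum priority of each repo section.
# A section without a priority= line gets 99, the default named above.

repo_priorities() {
    # Arguments: one or more .repo files. Output: "<priority> <repo-id>",
    # sorted so the repos that win conflicts come first.
    awk '
        function emit(   p) {
            if (id == "") return
            p = (prio == "" ? 99 : prio)
            print p, id
        }
        /^[ \t]*[#;]/ { next }                       # comment lines
        /^[ \t]*\[.*\][ \t]*$/ {                     # [section] header
            emit()
            id = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", id); prio = ""
            next
        }
        /^[ \t]*priority[ \t]*=/ {
            prio = $0; sub(/^[^=]*=[ \t]*/, "", prio); sub(/[ \t]+$/, "", prio)
        }
        END { emit() }
    ' "$@" | sort -k1,1n -k2,2
}

# Repos other than base/updates whose priority number is equal to or lower
# than that of [base], so they could still replace base packages.
outranks_base() {
    repo_priorities "$@" | awk '
        { p[$2] = $1 }
        END {
            if (!("base" in p)) exit
            for (r in p)
                if (r != "base" && r != "updates" && p[r] + 0 <= p["base"] + 0)
                    print r
        }' | sort
}

# Usage: sh repo-prio.sh /etc/yum.repos.d/*.repo   (script name is an example)
if [ "$#" -gt 0 ]; then
    repo_priorities "$@"
fi
```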

How to change time and/or timezone in CentOS

Generically, I use this

Change directory to /etc

[root@testbed ~]# cd /etc

Now create a symbolic link (aka symlink) to the timezone e.g. Asia/Karachi (for Pakistan standard time)

[root@testbed etc]# ln -sf /usr/share/zoneinfo/Asia/Karachi localtime
[root@testbed etc]# date
Mon Jan 16 19:26:52 PKT 2012

Please note that the timezones follow a directory structure, so if you want EST time, you should use

[root@testbed etc]# ln -sf /usr/share/zoneinfo/EST localtime

How to disable SELinux

SELinux is a security feature on CentOS, but some software, such as SolusVM, requires that SELinux be disabled:

Installation log : /tmp/install.log

 Add this slave to your SolusVM master using the following details:

 ID Key .......... : ABC
 ID Password ..... : XYZ

IMPORTANT!! You need to setup a network bridge before you can use KVM on this server.
 Please see the following link: http://wiki.solusvm.com/index.php/KVM_Network_Bridge_Setup

 Please set SELINUX=disabled in /etc/selinux/config before rebooting.


Thankyou for choosing SolusVM.

The solution?

1) Edit /etc/selinux/config using your favourite editor

[root@kvm ~]# nano /etc/selinux/config

and set SELINUX=disabled

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

2) Don’t forget to reboot your system; the change in /etc/selinux/config only takes effect at boot.

Freshclam daemon not running

Normally, I have two things on every Linux box so that I know what's going on:

  1. NAGIOS monitoring (nrpe)
  2. Logwatch

Today, I got something in my logwatch email, and it was strange because just the other day I upgraded ClamAV to the latest version using the EPEL repo.

 --------------------- clam-update Begin ------------------------

 The ClamAV update process (freshclam daemon) was not running!
 If you no longer wish to run freshclam, deleting the freshclam.log
 file will suppress this error message.

 ---------------------- clam-update End -------------------------

It appears that the latest version has some permission issues on the log file because when I try to run freshclam on command line I get this

root@cpanel [~]# freshclam
ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!).
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).

The solution?

The solution is very simple :) just do the following

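# create the log file if it is missing
touch /var/log/clamav/freshclam.log
# hand it to the clamav user
chown clamav /var/log/clamav/freshclam.log
# 666 makes the log writable by every local user; if freshclam runs as clamav, owner write (644) is enough
chmod 666 /var/log/clamav/freshclam.log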

After that, run freshclam (the service that updates the virus definitions for ClamAV)

root@cpanel [~]# freshclam

Installing EPEL repo

Installing the EPEL repo in CentOS is simple. If you do not know what EPEL is, read more about it here.

rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm

To configure EPEL or disable it, use

nano /etc/yum.repos.d/epel.repo

and then set enabled to 0 to disable the repo (or to 1 to enable it).

Don’t forget to do the following

yum clean all

Find memory consumed by currently running processes on Linux?

I have always had the question, when running plenty of scripts on a Linux box, of what is eating up all the memory: how do you find the memory consumed by currently running processes in your favorite Linux distro? Luckily, I found a great Python utility (a scriptlet, to be exact).