[3813] in bugtraq


Re: Possible Denial of Service: SSH

daemon@ATHENA.MIT.EDU (Jim Dennis)
Wed Dec 18 13:20:02 1996

Date: 	Wed, 18 Dec 1996 04:21:03 -0800
Reply-To: Jim Dennis <jimd@starshine.org>
From: Jim Dennis <jimd@starshine.org>
X-To:         paul@xtdnet.nl
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <Pine.LNX.3.93.961218090537.19430B-100000@bean.xtdnet.nl> from
              "Paul Wouters" at Dec 18, 96 09:08:17 am

> On Tue, 17 Dec 1996, Sean B. Hamor wrote:
>
>> It seems that when my Windows 95 laptop establishes a connection to my Linux
>> box via SSH and the PPP connection drops, all processes that were being
>> controlled by the inbound SSH connection get zombied out.  If I establish a
>> connection and exit/drop the SSH connection, the Linux box recovers fine.
>> This problem only occurs when the PPP connection drops.
>
>> Anyway...I'd be interested in seeing if anyone else has had this problem (or
>> if it's a known bug).  The attack failed against a Linux 1.2.13 box running
>> sshd 1.2.17.
>
> We have the same thing happening here. We have some users who use
> some flaky TV cable connection to run ppp to their university and
> it often disconnects. We then end up with sshd zombies as well.
> However, killing off the main sshd will also get rid of the zombies
> for you (Don't try this from remote, if you're logged in using ssh :)
>
> Paul Wouters


        In general any zombie can be killed by killing off its
        parent.  The reason zombies exist is to provide the kernel
        with a place to store a program's exit status until the
        parent requests it (issues a wait() call).

        When a parent dies (or exits) then all of its children
        (now "orphans") are adopted by init (process #1).  'init'
        regularly checks the status of all its children (adopted
        or otherwise) and wait()'s on any zombies (discarding
        any exit status -- since there's no parent to care how the
        child died).


        Obviously if you kill the process that is responsible for
        your communications with a server (like sshd or telnetd)
        you'd kill your own connection.

        However, you should be able to do any of the following:

        # (sleep 60; kill -9 $zombies_parent ) & exit

        # at $NOW_plus_a_minute << FOO
        >shutdown -r now
        >FOO
        # exit

        # shutdown -r 60 & exit

        or any reasonable variation of these.

        Recently my wife (a system administrator and webmistress)
        was told that the company was going to shut down all
        power to the building at Midnight on a Friday (Saturday
        morning actually).  Naturally she didn't want to go
        in then.  So she did the natural thing:

                echo 'shutdown -h now' | at 23:50

        ... on each of the boxes she handles.

        (only bug was the Netscape Commerce Server -- which requires
        an administrative password to start -- similar to your
        PGP keyphrase and for similar reasons.  She solved that by
        ssh'ing in from home, chaining through another ssh to that
        box, and starting the https)
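
The zombie lifecycle described in this message, as an added C example that is not part of the original post: a parent that never calls wait() leaves a zombie, killing that parent hands the zombie to an adopter, and the adopter's wait() frees the slot. It assumes Linux, and uses PR_SET_CHILD_SUBREAPER so that the demo process itself stands in for init as the adopter; the function and struct names are hypothetical.

```c
/* Added example, not from the original post. Linux-only: PR_SET_CHILD_SUBREAPER
 * makes this process stand in for init as the adopter of orphans (assumption). */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

struct result { int slot_kept, not_ours, exit_code, slot_freed; };

/* Returns 0 and fills *r on success, -1 if setup fails. */
int orphan_zombie_demo(struct result *r)
{
    int p[2], st;
    pid_t parent, z = -1;
    siginfo_t si;
    signal(SIGCHLD, SIG_DFL);               /* make sure children are not auto-reaped */
    if (prctl(PR_SET_CHILD_SUBREAPER, 1) || pipe(p)) return -1;
    if ((parent = fork()) < 0) return -1;
    if (parent == 0) {                      /* negligent parent (the stuck daemon) */
        close(p[0]);
        if ((z = fork()) == 0) _exit(42);   /* child dies at once */
        if (z < 0) _exit(1);
        waitid(P_PID, z, &si, WEXITED | WNOWAIT);   /* see it die, do NOT reap it */
        if (write(p[1], &z, sizeof z) < 0) _exit(1);
        for (;;) pause();                   /* never calls wait() */
    }
    close(p[1]);
    if (read(p[0], &z, sizeof z) != (ssize_t)sizeof z) return -1;
    close(p[0]);
    r->slot_kept = (kill(z, 0) == 0);       /* zombie still holds a process-table slot */
    r->not_ours = (waitpid(z, &st, WNOHANG) == -1 && errno == ECHILD);
    kill(parent, SIGKILL);                  /* "kill off its parent" */
    waitpid(parent, NULL, 0);               /* parent gone: zombie is reparented to us */
    if (waitpid(z, &st, 0) != z) return -1; /* the adopter reaps the orphan */
    r->exit_code = WIFEXITED(st) ? WEXITSTATUS(st) : -1;
    r->slot_freed = (kill(z, 0) == -1 && errno == ESRCH);
    return 0;
}

int main(void)
{
    struct result r;
    if (orphan_zombie_demo(&r)) return 1;
    printf("kept=%d not_ours=%d exit=%d freed=%d\n",
           r.slot_kept, r.not_ours, r.exit_code, r.slot_freed);
    return 0;
}
```

On a host where PID 1 does not reap its children (some containers run without an init), killing the parent only moves the zombie to PID 1 and it stays in the process table.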

