Thursday, April 28, 2011

Am I hacked ?

You run `ps -ef` and everything looks fine ... but what ps shows is not necessarily everything that is running: ps only reports what the kernel exposes under /proc, and a rootkit that filters /proc hides from ps and from ls alike. A quick first sanity check is to compare the number of processes ps reports with the number of PID directories in /proc - read the caveats in the comments before drawing any conclusion from the result.

shell$ ps ax | wc -l
shell$ 30
shell$ ls -d /proc/[0-9]* | wc -l
shell$ 31 # one more than ps reports - but that alone is not proof of a rootkit:
# - ps prints a header line, and each pipeline adds its own short-lived processes
#   (ps/wc here, ls/wc there), so the two counts are taken at different instants
#   and usually differ by one or two anyway
# - compare PIDs, not totals: a PID present in /proc but missing from `ps ax` is
#   what deserves a look (ps -p <pid>, cat /proc/<pid>/cmdline)
# - a kernel rootkit that filters /proc hides from ls as well; a brute-force walk
#   of PIDs 1..pid_max (what tools such as unhide do) is the stronger check

Tuesday, April 26, 2011

What happens when you do kill a program in linux ?

I had two simple questions:


  • q1: how do you stop (kill) a program in linux?

  • a1: I use the kill command, as in
    `kill 99` (sends SIGTERM, which the program may catch or ignore) or `kill -9 99` (SIGKILL, which it cannot - use it only when TERM did not work)

  • q2: ok ... so what really happens?

  • a2: hmm ... good question - I send a signal to the process via a system call and the kernel takes care of the rest, i.e. it terminates the program
    q2.1: hmm, so how does it kill it?! what really happens?
    a2.1: you know what, let me think about it ... I never looked into this - let me trace it and find out ...
    shell$ bash &
    [2] 29120
    shell$ strace kill 29120
    execve("/usr/bin/kill", ["kill", "29120"], [/* 23 vars */]) = 0
    brk(0)                                  = 0x8849000
    access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
    open("/etc/ld.so.cache", O_RDONLY)      = 3
    fstat64(3, {st_mode=S_IFREG|0644, st_size=24036, ...}) = 0
    mmap2(NULL, 24036, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f1e000
    close(3)                                = 0
    open("/lib/libc.so.6", O_RDONLY)        = 3
    read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\17K\0004\0\0\0"..., 512) = 512
    fstat64(3, {st_mode=S_IFREG|0755, st_size=1611564, ...}) = 0
    mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f1d000
    mmap2(0x49b000, 1332676, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x110000
    mprotect(0x24f000, 4096, PROT_NONE)     = 0
    mmap2(0x250000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x13f) = 0x250000
    mmap2(0x253000, 9668, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x253000
    close(3)                                = 0
    mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f1c000
    set_thread_area({entry_number:-1 -> 6, base_addr:0xb7f1c6c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
    mprotect(0x250000, 8192, PROT_READ)     = 0
    mprotect(0x497000, 4096, PROT_READ)     = 0
    munmap(0xb7f1e000, 24036)               = 0
    brk(0)                                  = 0x8849000
    brk(0x886a000)                          = 0x886a000
    kill(29120, SIGTERM)                    = 0
    exit_group(0)                           = ?
    
    
    The second line from the bottom shows the actual system call: `kill(29120, SIGTERM)`, returning 0 (success) - SIGTERM is what kill sends when no signal is named, and because an interactive shell's `kill` is usually a builtin, `strace kill` traced the external /usr/bin/kill, which ends in the same kill(2) call. Note what that 0 does and does not mean: the kernel accepted the request and queued SIGTERM for the target. It does not mean the process is gone - a process can catch, block or ignore SIGTERM (only SIGKILL and SIGSTOP cannot be caught), so check afterwards with `ps -p 29120` or `kill -0 29120`. Had the target belonged to another user, the call would have failed with EPERM instead. What the kernel does from there on - delivering the signal and tearing the task down - is a longer story; a good write-up is at http://www.ibm.com/developerworks/library/l-linux-process-management/

Submit puzzle to facebook's puzzle master

Facebook runs a robot that takes e-mail attachments and runs them to solve one of the puzzles posted
at http://www.facebook.com/careers/puzzles.php#!/careers/puzzles.php .

This is what I did to submit the hoppity puzzle:

shell$ echo 15 > file.txt 
shell$ python hoppity.py file.txt 
Hoppity
Hophop
Hoppity
Hoppity
Hophop
Hoppity
Hop
shell$ cat hoppity.py
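#!/usr/bin/env python
"""Facebook 'Hoppity' puzzle.

Usage: hoppity.py file.txt   # file.txt holds one unsigned integer N

For every i in 1..N print 'Hoppity' if i is a multiple of 3, 'Hophop' if it
is a multiple of 5, and 'Hop' if it is a multiple of both.  Any problem with
the arguments or the input file exits with status 1 instead of crashing.
"""

import sys


def hoppity_lines(n):
    """Return the list of output lines for 1..n (empty when n < 3).

    The multiple-of-15 test comes first so those numbers print 'Hop' alone.
    """
    lines = []
    for i in range(1, n + 1):
        if i % 15 == 0:
            lines.append('Hop')
        elif i % 3 == 0:
            lines.append('Hoppity')
        elif i % 5 == 0:
            lines.append('Hophop')
    return lines


def read_count(path):
    """Read the single unsigned int stored in `path`.

    Exits with status 1 (message on stderr) if the file cannot be opened or
    does not hold a non-negative integer.  The previous version only printed
    a message on a failed open() and then died with a NameError on the
    unbound file handle; the `with` block also guarantees the file is closed.
    """
    try:
        with open(path, 'r') as f:
            text = f.read()
    except IOError as ioe:
        sys.stderr.write("can not open file %s: %s\n" % (path, ioe))
        sys.exit(1)
    try:
        n = int(text.strip())
    except ValueError:
        n = -1
    if n < 0:
        sys.stderr.write("file %s should contain one unsigned int\n" % path)
        sys.exit(1)
    return n


def main(argv):
    """Entry point: validate argv, read N from the file, print the lines."""
    if len(argv) != 2:
        print('run it as %s file.txt # file.txt should contain one unsigned int' % __file__)
        sys.exit(1)
    for line in hoppity_lines(read_count(argv[1])):
        print(line)


if __name__ == '__main__':
    main(sys.argv)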

to actually submit the program - archive it as

mv hoppity.py hoppity && tar cvfz hoppity.tar.gz hoppity # the bot rejects the .py extension, so rename the file before archiving; note the archive must contain the renamed file - hoppity.py no longer exists after the mv
and send an email with the archive attached to 1051962371@fb.com

Monday, April 25, 2011

What pid has my shell ?

Sometimes you are logged into a system on several terminals and want to know which process id your shell has on a specific terminal, or which processes belong to a terminal. The commands are very simple:


shell$ tty
/dev/pts/1
# pts/1 is a pseudo-terminal: an ssh session or a local terminal emulator (a text console would show /dev/ttyN), so "pts" alone does not mean remote

shell$ ps -p $$
 PID TTY          TIME CMD
10044 pts/1    00:00:00 bash
# $$ is the PID of the current shell (inside a subshell or script it is that shell's PID, not the interactive one); to list everything attached to a given terminal use ps -t pts/1

Sunday, April 24, 2011

Tracing a telnet session with strace

Sometimes you just need to know whether a port is open on a remote system. The simplest way is to telnet to the host and port (`nc -zv host port` does the same job on systems without a telnet client). Three outcomes matter: the connection succeeds (something is listening), it is refused immediately (the host is reachable but nothing listens there, or a firewall answered with a reset), or it hangs until a timeout (packets silently dropped by a firewall, or the host is down).
It looks like this:

shell$ telnet localhost  23
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host: Connection refused

# let's redo it with the strace enabled.
strace -vo strace.telnet telnet localhost  23
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host: Connection refused
# the error is the same but now we do have the strace.telnet file to find more info

shell$ cat strace.telnet
execve("/usr/kerberos/bin/telnet", ["telnet", "localhost", "23"], ["HOSTNAME=localhost.localdomain", "TERM=xterm-color", "SHELL=/bin/bash", "HISTSIZE=1000", "SSH_CLIENT=10.211.55.2 62489 22", "SSH_TTY=/dev/pts/0", "USER=root", "LS_COLORS=no=00:fi=00:di=01;34:l", "MAIL=/var/spool/mail/root", "PATH=/usr/kerberos/sbin:/usr/ker", "INPUTRC=/etc/inputrc", "PWD=/root", "LANG=en_US.UTF-8", "SHLVL=1", "HOME=/root", "LOGNAME=root", "SSH_CONNECTION=10.211.55.2 62489", "LESSOPEN=|/usr/bin/lesspipe.sh %", "G_BROKEN_FILENAMES=1", "_=/usr/bin/strace", "OLDPWD=/usr/src"]) = 0
brk(0)                                  = 0x9c8d000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_dev=makedev(3, 1), st_ino=129997, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=56, st_size=26551, st_atime=2011/04/21-14:46:38, st_mtime=2011/04/21-07:09:59, st_ctime=2011/04/21-07:09:59}) = 0
mmap2(NULL, 26551, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fe5000
close(3)                                = 0
open("/usr/lib/libkrb4.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0pB(\0004\0\0\0"..., 512) = 512
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fe4000
fstat64(3, {st_dev=makedev(3, 1), st_ino=239248, st_mode=S_IFREG|0755, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=208, st_size=100960, st_atime=2011/04/21-14:46:38, st_mtime=2010/01/12-19:22:52, st_ctime=2011/04/08-04:02:50}) = 0
mmap2(NULL, 117948, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x6d3000
mmap2(0x6ea000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17) = 0x6ea000
mmap2(0x6eb000, 19644, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x6eb000
close(3)                                = 0
open("/usr/lib/libdes425.so.3", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\354)\0004\0\0\0"..., 512) = 512
fstat64(3, {st_dev=makedev(3, 1), st_ino=236616, st_mode=S_IFREG|0755, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=32, st_size=12816, st_atime=2011/04/21-14:46:38, st_mtime=2010/01/12-19:22:52, st_ctime=2011/04/08-04:02:41}) = 0
mmap2(NULL, 13868, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x1d9000
mmap2(0x1dc000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0x1dc000
close(3)                                = 0
.......
.......
fstat64(1, {st_dev=makedev(0, 12), st_ino=2, st_mode=S_IFCHR|0620, st_nlink=1, st_uid=0, st_gid=5, st_blksize=4096, st_blocks=0, st_rdev=makedev(136, 0), st_atime=2011/04/21-14:46:38, st_mtime=2011/04/21-14:46:38, st_ctime=2011/04/21-04:36:50}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7feb000
write(1, "Trying 127.0.0.1...\r\n", 21) = 21
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
setsockopt(3, SOL_IP, IP_TOS, [16], 4)  = 0
connect(3, {sa_family=AF_INET, sin_port=htons(23), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ECONNREFUSED (Connection refused)
write(2, "telnet: connect to address 127.0"..., 57) = 57
close(3)                                = 0
write(2, "telnet: Unable to connect to rem"..., 61) = 61
exit_group(1) 

# as you can see there is a lot of information; I replaced some of it with .....
# note that -v also dumps the complete environment into the trace (see the execve
# line: user, SSH client address, PATH, ...) - if environment variables hold
# credentials or tokens they end up in the file too, so treat strace output as
# sensitive and do not paste it anywhere unedited
# the line of interest is

connect(3, {sa_family=AF_INET, sin_port=htons(23), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ECONNREFUSED (Connection refused)

# this is the moment the socket actually tries to reach the remote host: connect(2)
# returned -1 and errno is ECONNREFUSED, i.e. the host answered (with a TCP reset) but
# nothing is listening on port 23. A filtered port would instead block here and end
# with ETIMEDOUT, and an unreachable host with EHOSTUNREACH or ENETUNREACH. Everything
# after it is just the telnet program formatting that error for you.

Thursday, April 21, 2011

Check a linux filesystem with an alternate superblock

A filesystem contains several on-disk data structures created with it, and one of the most important is the superblock - because it is that important, ext2/ext3 keep more than one copy of it.
How to find the backup superblocks and how to run the filesystem check against one is shown below.

Since some partitions are mounted by label, we first need to find the device behind the label. Here is how:


# this is my /etc/fstab

LABEL=/                 /                       ext3    defaults        1 1
LABEL=/opt              /opt                    ext3    defaults        1 2
LABEL=/tmp              /tmp                    ext3    defaults        1 2
LABEL=/usr              /usr                    ext3    defaults        1 2
LABEL=/home             /home                   ext3    defaults        1 2
LABEL=/logs             /logs                   ext3    defaults        1 2
LABEL=/var              /var                    ext3    defaults        1 2
LABEL=/boot             /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
LABEL=SWAP-sda9         swap                    swap    defaults        0 0

# i want to check the partition with label /opt
# first step - find what device is associated with the label /opt
# the direct way is findfs (or blkid), which resolves a label to its device:
#   root# findfs LABEL=/opt      # prints the device, /dev/hda10 on this box
# e2label works the other way round (device -> label); with one or two partitions
# just run it on those, with many a loop over the mounted devices does it in one go
# (quote "$i" out of habit even though device names are safe here)

root# for i in $(mount | awk '{print $1}' | grep '/'); do echo -n "$i=" && e2label "$i"; done
/dev/hda5=/
/dev/hda8=/tmp
/dev/hda7=/usr
/dev/hda6=/home
/dev/hda3=/logs
/dev/hda2=/var
/dev/hda1=/boot
/dev/hda10=/opt # this is the one I need

# running dumpe2fs
root# dumpe2fs /dev/hda10 |grep 'Backup superblock'
  Backup superblock at 32768, Group descriptors at 32769-32769
  Backup superblock at 98304, Group descriptors at 98305-98305
  Backup superblock at 163840, Group descriptors at 163841-163841
  Backup superblock at 229376, Group descriptors at 229377-229377
  Backup superblock at 294912, Group descriptors at 294913-294913
  Backup superblock at 819200, Group descriptors at 819201-819201
  Backup superblock at 884736, Group descriptors at 884737-884737
  Backup superblock at 1605632, Group descriptors at 1605633-1605633

# note that you may have a different output
# the number after "Backup superblock at" is the one you pass to fsck
# dumpe2fs needs a readable primary superblock; if that is exactly what is damaged,
# "mke2fs -n /dev/hda10" (-n = dry run, writes nothing) prints where mke2fs would
# have placed the backups - double check the -n before pressing enter, and pass the
# same options the filesystem was created with if they were not the defaults

# run fsck.ext3 or fsck.ext2 ... or the fsck for your filesystem (reiser etc)
# the filesystem must be unmounted first - fsck on a mounted filesystem corrupts it
# if the data matters, image the partition first (dd if=/dev/hda10 of=/path/to/image)
# and do a read-only pass with -n to see what fsck would change before letting it write

root# umount /opt
# then fsck with the backup superblock - dry run first, then for real
root# fsck.ext3 -n -b 32768 /dev/hda10
root# fsck.ext3 -b 32768 /dev/hda10

# after you are done mount back the partition



Wednesday, April 20, 2011

Transfer files between two host with nc

Problem: you have two hosts you can reach, but there is no mechanism
to transfer files between them - no ssh (scp/sftp), no ftp etc.
How do you do it?

Solution: use nc together with tar/dd/echo ...

# transfer by tar of a directory
|destination_host|                     |source_host|
nc -l 9000 | tar xvf -                  tar cvf - /my_dir  | nc destination_host 9000

# we listen on all interfaces          # we tar my_dir to STDOUT(-) and all is piped to 
# on port 9000, all that comes in      # nc that will connect on destination_host on port 9000
# is piped to tar xvf (will extract)   # and will transfer what ever is given
# - means take the STDIN

# transfer by dd of a partition /dev/sda3
|destination_host|                     |source_host|
nc -l 9000 | dd of=/backup_device      dd if=/dev/sda3  | nc destination_host 9000

# we listen on all interfaces          # we dd in /dev/sda3 (reading) all is piped to 
# on port 9000, all that comes in      # nc that will connect on destination_host on port 9000
# is piped to dd and dd will write it  # and will transfer what ever is given
# all to /backup_device

As you can see this is very handy: you open the destination port only while you need it
and can even stream a block device such as /dev/sda3, as in the example. Two things to keep
in mind. Nothing here is authenticated or encrypted: anyone who can reach port 9000 can
connect first and feed their own data into `tar xvf -` or `dd` (an arbitrary file write on
the destination), and anyone on the path can read what goes by - so use this only on a
network you trust, restrict the listener (a firewall rule, or bind it to one address) and
verify the result afterwards, e.g. compare `sha1sum` of the partition image on both ends.
Once the transfer is done nc on the destination stops listening; the -k switch of the
OpenBSD netcat keeps it listening for further connections and is only valid together with
-l (some netcat versions also expect `nc -l -p 9000` instead of `nc -l 9000`).