Hi Daniel, Hi Chris
I've exactly the same problem on a Sun 8 SPARC machine. Practically it
causes the machine to stop working, it eats up the file descriptor table
like a forkbomb. Running a non-bash-builtin command is not possible
anymore (because it can't fork the process). This is why I had to do the
my_ls crap (see below).
(machine:root) # uname -a
SunOS machine 5.8 Generic_117350-35 sun4u sparc SUNW,Sun-Blade-100
(machine:root) # ./ossec-control stop
ossec-monitord not running ..
ossec-logcollector not running ..
ossec-syscheckd not running ..
ossec-analysisd not running ..
ossec-maild not running ..
ossec-execd not running ..
OSSEC HIDS v1.5 Stopped
(machine:root) # date
Thu May 22 12:18:52 MEST 2008
(machine:root) # ./ossec-control start
Starting OSSEC HIDS v1.5 (by Daniel B. Cid)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
(machine:root) # /usr/ucb/ps aux |grep defunct|wc -l
0
(machine:root) # /usr/ucb/ps aux |grep defunct|wc -l
1
(machine:root) # date
Thu May 22 12:19:33 MEST 2008
(machine:root) # /usr/ucb/ps aux |grep defunct
ossecm 2661 0.0 0.0 0 0 Z 0:00 <defunct>
(machine:root) # ptree 2661
(machine:root) # /usr/ucb/ps aux |grep defunct
(machine:root) # /usr/ucb/ps aux |grep defunct|wc -l
bash: fork: Resource temporarily unavailable
(machine:root) # date
bash: fork: Resource temporarily unavailable
(machine:root) # cd /var/ossec/var/run/
(machine:root) # ls
bash: fork: Resource temporarily unavailable
(machine:root) # my_ls() { while [ $# -ne 0 ] ; do echo "$1" ; shift ; done ; }
(machine:root) # my_ls *
ossec-analysisd-2635.pid
ossec-maild-2626.pid
ossec-syscheckd-2643.pid
ossec-logcollector-2639.pid
ossec-monitord-2647.pid
(machine:root) # kill 2635
(machine:root) # /usr/ucb/ps aux |grep defunct|wc -l
bash: fork: Resource temporarily unavailable
(machine:root) # kill 2639
(machine:root) # /usr/ucb/ps aux |grep defunct|wc -l
bash: fork: Resource temporarily unavailable
(machine:root) # kill 2626
(machine:root) # /usr/ucb/ps aux |grep defunct|wc -l
bash: fork: Resource temporarily unavailable
(machine:root) # kill 2647
(machine:root) # /usr/ucb/ps aux |grep defunct|wc -l
bash: fork: Resource temporarily unavailable
(machine:root) # kill 2643
(machine:root) # /usr/ucb/ps aux |grep defunct|wc -l
7044
(machine:root) # /usr/ucb/ps aux |wc -l
100
(machine:root) # date
Thu May 22 14:48:48 MEST 2008
(wsscott:root) # /usr/ucb/ps aux |grep defunct|wc -l
0
(wsscott:root) # date
Thu May 22 14:50:30 MEST 2008
I tried later to figure out which process causes the "defuncts":
(machine:root) # /usr/ucb/ps aux |grep defunct
...
root 29990 0.0 0.0 0 0 Z 0:00 <defunct>
root 29992 0.0 0.0 0 0 Z 0:00 <defunct>
root 29994 0.0 0.0 0 0 Z 0:00 <defunct>
root 29996 0.0 0.0 0 0 Z 0:00 <defunct>
root 29998 0.0 0.0 0 0 Z 0:00 <defunct>
(machine:root) # ptree 29996
17765 /var/ossec/bin/ossec-syscheckd
29996 <defunct>
Unfortunately I have no time at the moment to truss this - maybe later.
Hope this helps.
Cheers,
Matthias
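
Added example, not part of the message above and not OSSEC code: a shell helper that tallies defunct processes by parent PID, so the parent that is not reaping its children (ossec-syscheckd in the ptree output above) shows up in one pass instead of one ptree call per zombie. It assumes input in the column layout of `ps -e -o pid,ppid,s,comm`; the function names are hypothetical and the sample listing is constructed, reusing PIDs shown in the session.

```shell
#!/bin/sh
# Added example: count zombie (state Z) processes per parent PID.
# Reads `ps -e -o pid,ppid,s,comm` output (header included) on stdin and
# prints "<zombie count> <parent pid> <parent command>", worst parent first.

zombies_by_parent() {
    awk '
        NR == 1   { next }              # skip the ps header line
                  { name[$1] = $4 }     # remember each command by its PID
        $3 == "Z" { count[$2]++ }       # charge every zombie to its parent
        END {
            for (p in count) {
                cmd = (p in name) ? name[p] : "?"   # parent missing from listing
                printf "%d %s %s\n", count[p], p, cmd
            }
        }
    ' | sort -rn
}

# Constructed sample listing (not captured from the affected machine).
# PIDs 17765 and 29990-29998 mirror the session above; the cron rows are
# made up to give a second, smaller offender.
sample_ps() {
    cat <<'EOF'
  PID  PPID S COMMAND
    1     0 S init
  400     1 S /usr/sbin/cron
  401   400 Z <defunct>
17765     1 S /var/ossec/bin/ossec-syscheckd
29990 17765 Z <defunct>
29992 17765 Z <defunct>
29994 17765 Z <defunct>
29996 17765 Z <defunct>
29998 17765 Z <defunct>
EOF
}

# Demo on the constructed sample. Live use:
#   ps -e -o pid,ppid,s,comm | zombies_by_parent
sample_ps | zombies_by_parent
```

Because ps, awk and sort each need a fork, this has to run on a schedule or from a monitor before the process table fills; once fork fails, only shell builtins remain, as the session shows.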