Article ID: 114593, created on Aug 16, 2012, last review on Aug 12, 2014

  • Applies to:
  • Virtuozzo containers for Linux

Symptoms

A container on Parallels Virtuozzo Containers for Linux 4.7 hangs in the "stopping" state and becomes inoperable.
Several ttymon processes are running inside the container:
[root@myserver ~]# vzctl stop 1234
Stopping the Container ...
Set up iolimit: 0
Set up iopslimit: 0
Unable to stop the Container; operation timed out
[root@myserver ~]# vzps -E 1234 axflww
F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY        TIME COMMAND
1     0 38053     2  20   0     0    0 kthrea S    ?          0:00 [kthreadd/1234]
1     0 38054 38053  20   0     0    0 worker S    ?          0:00  \_ [khelper/1234]
4     0 38051     1  20   0     0    0 wait   Ss   ?          0:02 [init]
5     0 54095 38051  20   0  1876  300 -      R    ?        5531:59  \_ ttymon tymon
5     0 42481 38051  20   0  1876  300 -      R    ?        4913:42  \_ ttymon tymon
5     0 33878 38051  20   0  1876  300 -      R    ?        4748:42  \_ ttymon tymon
5     0 62185 38051  20   0  1876  312 -      R    ?        1064:38  \_ ttymon tymon

Cause

Most likely, there were attempts to compromise the container using an SHV5 rootkit.

Resolution

To unlock the container, attach to each "ttymon" process with the "strace" utility, using the PIDs from the "vzps" output:
~# vzps -E $CTID axflww | grep ttymon

~# strace -p $TTYMON_PID
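
The PID lookup above can be scripted. The following is an added example, not part of the original article: it parses output in the "vzps ... axflww" format shown under Symptoms and lists each ttymon process with its state and accumulated CPU minutes. The function names and the optional minimum-minutes argument are hypothetical, and the sample input is constructed from the output shown in this article.

```shell
#!/bin/sh
# Constructed sample: the vzps output from the Symptoms section.
sample_vzps_output() {
cat <<'EOF'
F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY        TIME COMMAND
1     0 38053     2  20   0     0    0 kthrea S    ?          0:00 [kthreadd/1234]
1     0 38054 38053  20   0     0    0 worker S    ?          0:00  \_ [khelper/1234]
4     0 38051     1  20   0     0    0 wait   Ss   ?          0:02 [init]
5     0 54095 38051  20   0  1876  300 -      R    ?        5531:59  \_ ttymon tymon
5     0 42481 38051  20   0  1876  300 -      R    ?        4913:42  \_ ttymon tymon
5     0 33878 38051  20   0  1876  300 -      R    ?        4748:42  \_ ttymon tymon
5     0 62185 38051  20   0  1876  312 -      R    ?        1064:38  \_ ttymon tymon
EOF
}

# Reads "vzps -E <CTID> axflww" output on stdin and prints one line per
# ttymon process: "PID STAT CPU_MINUTES".
# Optional $1 (hypothetical): only list processes with at least that many CPU minutes.
list_ttymon() {
    awk -v min="${1:-0}" '
    $3 !~ /^[0-9]+$/ { next }            # skip the header and malformed lines
    {
        # COMMAND starts at field 13; skip the forest-drawing tokens first.
        i = 13
        while (i <= NF && ($i == "\\_" || $i == "|")) i++
        if (i > NF || $i != "ttymon") next

        # TIME is MMM:SS here; also accept HH:MM:SS.
        n = split($12, t, ":")
        mins = (n == 3) ? t[1] * 60 + t[2] : t[1] + 0
        if (mins >= min) print $3, $10, mins
    }'
}

# On a hardware node: vzps -E "$CTID" axflww | list_ttymon
# Each PID printed is one to attach to with "strace -p", as described above.
sample_vzps_output | list_ttymon
```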

In order to verify and fix the compromised container, follow the steps outlined in these articles:
112599 How do I determine if my container is hacked/compromised?
1012 My container is hacked/compromised. How do I repair or reinstall it?
