SIGTERM vs SIGKILL

While examining a server, I noticed a process reinfecting the whole system no matter how many times it was fixed.

All attempts to stop the process with the standard "kill [PID]", which sends a SIGTERM signal, were unsuccessful.

Resorting to 'kill -9'

When other options failed, I used kill -9 [PID] to send a SIGKILL.

This signal terminated the process immediately.

Beyond SIGTERM and SIGKILL

It's important to know other signals too:

SIGINT (2): Stops the process but allows cleanup. Usually generated by CTRL+C.

SIGHUP (1): Used to restart services, commonly triggered with kill -1 [PID].

SIGQUIT (3): Stops the process and generates a core dump for debugging, triggered with kill -3 [PID].

SIGSTOP (17,19,23): Pauses the process, allowing for resumption with SIGCONT.

SIGCONT (18,20,24): Resumes a paused process, providing control over process flow.

Using the right "kill" command can be a real lifesaver, especially when investigating security incidents.
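
The escalation described above, as an added example that is not part of the original post: a script that starts a constructed process which ignores SIGTERM, shows that a plain kill leaves it running, pauses it with SIGSTOP, and then removes it with SIGKILL. The function names (start_stubborn, proc_state, contain_and_kill) are hypothetical, and the state check assumes Linux /proc with a ps fallback.

```shell
#!/bin/sh
# Added example: freeze a process that ignores SIGTERM, then remove it with SIGKILL.

# Constructed stand-in for the stubborn process: it ignores SIGTERM.
start_stubborn() {
    sh -c 'trap "" TERM; while :; do sleep 1; done' >/dev/null 2>&1 &
    STUB_PID=$!
}

# One-letter process state (S sleeping, T stopped); empty if the PID is gone.
proc_state() {
    if [ -r "/proc/$1/status" ]; then
        awk '/^State:/ {print $2}' "/proc/$1/status"
    else
        ps -o stat= -p "$1" 2>/dev/null | tr -d ' ' | cut -c1
    fi
}

# Polite first, then freeze, then force. Returns 0 once the PID no longer exists.
contain_and_kill() {
    pid=$1
    TERM_SURVIVED=no
    STOP_STATE=
    kill -TERM "$pid"
    sleep 1                                   # grace period for a clean exit
    kill -0 "$pid" 2>/dev/null || return 0    # it honoured SIGTERM
    TERM_SURVIVED=yes
    kill -STOP "$pid"                         # cannot be caught or ignored
    sleep 1
    STOP_STATE=$(proc_state "$pid")
    # While frozen the process cannot act; record what you need before the next line.
    kill -KILL "$pid"                         # cannot be caught or ignored
    wait "$pid" 2>/dev/null || true           # reaps only if it is our own child
    ! kill -0 "$pid" 2>/dev/null
}

start_stubborn
sleep 1                                       # let the child install its trap
contain_and_kill "$STUB_PID" &&
    echo "pid $STUB_PID: survived TERM=$TERM_SURVIVED, state after STOP=$STOP_STATE, now gone"
```

When the target is not a child of the shell running the script, its own parent has to reap it, so the final check can still see a zombie entry for a moment after SIGKILL.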