From owner-freebsd-questions@FreeBSD.ORG Sat Dec 23 16:51:27 2000
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from athserv.otenet.gr (athserv.otenet.gr [195.170.0.1])
	by hub.freebsd.org (Postfix) with ESMTP id 2C09737B400
	for ; Sat, 23 Dec 2000 16:51:26 -0800 (PST)
Received: from hades.hell.gr (patr530-b030.otenet.gr [195.167.121.158])
	by athserv.otenet.gr (8.10.1/8.10.1) with ESMTP id eBO0pIh16059;
	Sun, 24 Dec 2000 02:51:18 +0200 (EET)
Received: (from charon@localhost)
	by hades.hell.gr (8.11.1/8.11.1) id eBNK0tF89463;
	Sat, 23 Dec 2000 22:00:55 +0200 (EET)
Date: Sat, 23 Dec 2000 22:00:54 +0200
From: Giorgos Keramidas
To: Tim McMillen
Cc: Raymond Hicks, "'Jonathan Fosburgh'", "'Gerald T. Freymann'", "'Questions'"
Subject: Re: Hacker history file - OUCH
Message-ID: <20001223220053.F48060@hades.hell.gr>
References: <003e01c06937$17914cd0$d7902799@sysenglt112>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: ; from timcm@umich.edu on Mon, Dec 18, 2000 at 04:26:12PM -0500
X-PGP-Fingerprint: 3A 75 52 EB F1 58 56 0D - C5 B8 21 B6 1B 5E 4A C2
X-URL: http://students.ceid.upatras.gr/~keramida/index.html
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Dec 18, 2000 at 04:26:12PM -0500, Tim McMillen wrote:
>
> On Mon, 18 Dec 2000, Raymond Hicks wrote:
>
> > This is not good information.. the best thing to do is NOT to shut down the
> > machine.. you may lose vital info if you have in fact been rooted.. you
>
> Care to explain that?  How would you lose information by halting the
> machine?  Halting it freezes the information in place and gives you a chance
> to do the postmortem analysis with a cleaner slate.

Think of this:

	% cc -o bsdhack bsdhack.c
	% ./bsdhack &
	% rm bsdhack bsdhack.c

When the disk image of the process is removed, the actual data will be
marked as `free' on the disk too, when the process dies.  Then you lost the
only image of the backdoor that you could ever get your hands on, the image
running in system memory.

:giorgos

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
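The triage step Giorgos is arguing for, as an added example that is not part of the thread: before halting a suspect host, list processes whose executable has already been unlinked and copy the still-open image out while the process is alive. This is my own code; it assumes Linux procfs semantics (the `/proc/<pid>/exe` link keeps opening the deleted inode), which differ from the FreeBSD host in the thread, and `build_demo_proc_tree` is a constructed stand-in for `/proc` so the example runs offline.

```python
import hashlib
import os
import tempfile

DELETED_SUFFIX = " (deleted)"
DEMO_IMAGE = b"#!/bin/sh\necho stand-in for a deleted backdoor\n"  # constructed
def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def find_deleted_running_executables(proc_root="/proc"):
    """Sorted [(pid, link_target)] whose binary was unlinked. Assumes Linux procfs:
    the exe link target gains " (deleted)" yet still opens the inode while alive."""
    found = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():                 # skip 'self', 'sys', ...
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:                         # kernel thread, exited, EACCES
            continue
        if target.endswith(DELETED_SUFFIX):
            found.append((int(entry), target))
    return sorted(found)

def preserve_image(pid, dest_dir, proc_root="/proc"):
    """Stream the still-open image out of procfs; return (dest_path, sha256)."""
    src = os.path.join(proc_root, str(pid), "exe")
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, f"pid{pid}.exe")
    digest = hashlib.sha256()
    with open(src, "rb") as fin, open(dest, "wb") as fout:
        for chunk in iter(lambda: fin.read(65536), b""):
            digest.update(chunk)
            fout.write(chunk)
    return dest, digest.hexdigest()

def build_demo_proc_tree(root=None):
    """Constructed stand-in for /proc: pid 7 is normal, pid 9 has no exe link
    (kernel thread), pid 4242's target ends in " (deleted)" and a file with
    that literal name plays the unlinked-but-still-open inode."""
    root = root or tempfile.mkdtemp()
    for d in ("self", "9", "7", "4242"):
        os.makedirs(os.path.join(root, d))
    good = os.path.join(root, "sh")
    with open(good, "wb") as f: f.write(b"#!/bin/sh\n")
    os.symlink(good, os.path.join(root, "7", "exe"))
    gone = os.path.join(root, "bsdhack" + DELETED_SUFFIX)
    with open(gone, "wb") as f: f.write(DEMO_IMAGE)
    os.symlink(gone, os.path.join(root, "4242", "exe"))
    return root
```

Run `find_deleted_running_executables()` against the real `/proc` as root on a live Linux host and feed each pid to `preserve_image` with an evidence directory on separate media; record the returned hash before the host is powered off.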