Date: Sat, 23 Dec 2000 22:00:54 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Tim McMillen <timcm@umich.edu>
Cc: Raymond Hicks <rayhicks@UU.NET>, "'Jonathan Fosburgh'" <syjef@mail.mdanderson.org>, "'Gerald T. Freymann'" <freymann@eagle.ca>, "'Questions'" <questions@FreeBSD.ORG>
Subject: Re: Hacker history file - OUCH
Message-ID: <20001223220053.F48060@hades.hell.gr>
In-Reply-To: <Pine.SOL.4.10.10012181617220.17224-100000@tempest.gpcc.itd.umich.edu>; from timcm@umich.edu on Mon, Dec 18, 2000 at 04:26:12PM -0500
References: <003e01c06937$17914cd0$d7902799@sysenglt112> <Pine.SOL.4.10.10012181617220.17224-100000@tempest.gpcc.itd.umich.edu>
On Mon, Dec 18, 2000 at 04:26:12PM -0500, Tim McMillen wrote:
>
> On Mon, 18 Dec 2000, Raymond Hicks wrote:
>
> > This is not good information.. the best thing to do is NOT to shut down the
> > machine.. you may lose vital info if you have in fact been rooted.. you
>
> Care to explain that? How would you lose information by halting the
> machine? Halting it freezes the information in place and gives you a chance
> to do the postmortem analysis with a cleaner slate.

Think of this:

    % cc -o bsdhack bsdhack.c
    % ./bsdhack &
    % rm bsdhack bsdhack.c

When the disk image of the process is removed, the actual data will be
marked as `free' on the disk too, when the process dies. Then you have
lost the only image of the backdoor that you could ever get your hands
on: the image running in system memory.

:giorgos
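The scenario Giorgos describes, played through end to end as an added example (this is not code from the original thread or from any poster): start a binary, unlink it the way `rm bsdhack` does, and then copy the executable back out of the still-running process rather than halting the machine and losing it. It assumes a Linux procfs mounted at /proc, where /proc/<pid>/exe is a magic link that still opens the unlinked inode, and uses a private copy of /bin/sleep as the stand-in for bsdhack; on FreeBSD the corresponding link is /proc/<pid>/file with procfs mounted, and `procstat -b <pid>` reports the binary's path. The helper name and the temporary directory layout are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original mail: reproduce "./bsdhack & ; rm bsdhack"
# and recover the executable from the live process before anyone halts the box.
# Assumptions: Linux procfs at /proc (/proc/<pid>/exe opens the unlinked inode);
# /bin/sleep stands in for bsdhack. FreeBSD: /proc/<pid>/file (procfs mounted)
# or `procstat -b <pid>` to locate the binary.

recover_unlinked_exe() {
    workdir=$(mktemp -d) || return 1
    realdir=$(cd "$workdir" && pwd -P)         # physical path, as /proc reports it
    cp /bin/sleep "$workdir/bsdhack"           # stand-in for `cc -o bsdhack bsdhack.c`
    "$workdir/bsdhack" 300 &                   # the attacker's `./bsdhack &`
    pid=$!

    # Wait until the child has exec'd the binary; until then /proc/<pid>/exe
    # still names the shell that forked it, and an early rm would break the exec.
    tries=0
    while [ "$(readlink "/proc/$pid/exe" 2>/dev/null)" != "$realdir/bsdhack" ]; do
        tries=$((tries + 1))
        if [ "$tries" -ge 10 ]; then
            kill "$pid" 2>/dev/null
            rm -rf "$workdir"
            return 1
        fi
        sleep 1
    done

    rm "$workdir/bsdhack"                      # the attacker's `rm bsdhack`
    readlink "/proc/$pid/exe"                  # prints ".../bsdhack (deleted)"

    # The directory entry is gone, but the inode stays allocated while the
    # process holds it: copy the image out through the magic link now.
    cat "/proc/$pid/exe" > "$workdir/recovered"
    kill "$pid" 2>/dev/null

    # Success means the recovered image is byte-identical to what was run.
    if cmp -s "$workdir/recovered" /bin/sleep; then status=0; else status=1; fi
    rm -rf "$workdir"
    return "$status"
}

recover_unlinked_exe && echo "recovered image matches the original binary"
```

The order matters: the copy is taken while the process is alive, which is exactly what a halt or reboot throws away, and the recovered file can then be hashed and archived before the forensic shutdown of the host.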
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001223220053.F48060>