[Plug-security] forensic analysis

wconrad@sprintmail.com
Thu, 28 Sep 2000 08:46:10 -0700


The problem is how to get your disk sync'd without triggering the
invader's nasties, right?

What if you compile your kernel with the Magic Sysrq key turned on?
This is a spiffy thing, usually used for kernel debugging, that lets
you do some really nasty root-type stuff without even being logged on
or having a shell.

Assuming the kernel itself has not been compromised, it looks to me
like using the magic key to invoke these kernel debugging functions
would do the trick.  I don't think it'd be easily detectable or
hookable.

Some of the magic key functions that would be helpful:

'b'     - Will immediately reboot the system without syncing or unmounting
          your disks.

'o'     - Will shut your system off (if configured and supported).

's'     - Will attempt to sync all mounted filesystems.

'u'     - Will attempt to remount all mounted filesystems read-only.

't'     - Will dump a list of current tasks and their information to your
          console.

'e'     - Send a SIGTERM to all processes, except for init.

'i'     - Send a SIGKILL to all processes, except for init.

'l'     - Send a SIGKILL to all processes, INCLUDING init. (Your system
          will be non-functional after this.)

A good sequence might be 'l' (kill everything), then 's' (sync), then
'u' (unmount), then 'o' (halt) or 'b' (reboot).

Caveat: I haven't tested this sequence. But the magic key stuff
appeared to be pretty easy to use when I tested it.

	Wayne Conrad
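As an added illustration (not part of the post above, and not Wayne Conrad's code), the following POSIX shell script checks whether the running kernel's `kernel.sysrq` setting would honour the keyboard-invoked operations the post relies on (task dump, sync, remount read-only, signalling, reboot/power-off), and prints the `/proc/sysrq-trigger` equivalent of a key sequence. The bit values come from the kernel's `Documentation/admin-guide/sysrq.rst`; the function names and the operation labels (`tasks`, `sync`, `remount`, `signal`, `reboot`) are this example's own choices.

```shell
#!/bin/sh
# Added example for the sysrq post above (not the author's code). Bit values
# follow the kernel's Documentation/admin-guide/sysrq.rst; the function names
# and the operation labels (tasks, sync, remount, signal, reboot) are ours.

# Bit in /proc/sys/kernel/sysrq that must be set for a keyboard-invoked
# operation when the value is a bitmask (1 = everything, 0 = key disabled).
sysrq_bit_for() {
    case "$1" in
        tasks)   echo 8   ;;   # 't': dump current tasks
        sync)    echo 16  ;;   # 's': sync mounted filesystems
        remount) echo 32  ;;   # 'u': remount read-only
        signal)  echo 64  ;;   # 'e'/'i': SIGTERM/SIGKILL to processes
        reboot)  echo 128 ;;   # 'b'/'o': reboot / power off
        *)       return 1 ;;   # unknown operation label
    esac
}

# sysrq_allows VALUE OP: succeed (exit 0) if the sysctl value VALUE lets the
# keyboard trigger OP. VALUE is the integer read from /proc/sys/kernel/sysrq.
sysrq_allows() {
    sa_value=$1
    sa_op=$2
    sa_bit=$(sysrq_bit_for "$sa_op") || return 2
    case "$sa_value" in
        ''|*[!0-9]*) return 2 ;;        # not a non-negative integer
    esac
    [ "$sa_value" -eq 1 ] && return 0   # 1 enables every operation
    [ "$sa_value" -eq 0 ] && return 1   # 0 disables the key entirely
    [ $(( sa_value & sa_bit )) -ne 0 ]  # otherwise consult the bitmask
}

# Read the live setting, or "unknown" where /proc is unavailable.
sysrq_current_value() {
    if [ -r /proc/sys/kernel/sysrq ]; then
        cat /proc/sys/kernel/sysrq
    else
        echo unknown
    fi
}

# Print the root-shell equivalent of pressing each key in turn. Writing to
# /proc/sysrq-trigger is always permitted for root regardless of the sysctl;
# this function only prints the commands, so it is safe to run anywhere.
sysrq_sequence() {
    for key in "$@"; do
        printf 'echo %s > /proc/sysrq-trigger\n' "$key"
    done
}

# Report which of the post's operations the current kernel would honour from
# the keyboard, so the key can be verified before an incident rather than
# discovered to be disabled during one.
sysrq_report() {
    value=$(sysrq_current_value)
    echo "kernel.sysrq = $value"
    [ "$value" = unknown ] && return 0
    for op in tasks sync remount signal reboot; do
        if sysrq_allows "$value" "$op"; then
            echo "  $op: allowed from keyboard"
        else
            echo "  $op: NOT allowed from keyboard (bit $(sysrq_bit_for "$op") clear)"
        fi
    done
    return 0
}

sysrq_report
```

Two points worth keeping in mind when using this. First, `kernel.sysrq` only governs the keyboard (and serial break) path, which is the one the post cares about because it needs no shell; writes to `/proc/sysrq-trigger` are always accepted from a root shell, so `sysrq_sequence` is useful for scripted runbooks but does not give the "no login required" property. Second, the key list in the post is from the 2.2/2.4-era documentation; current kernels assign some letters differently (notably `l`), so check `Documentation/admin-guide/sysrq.rst` for the kernel actually deployed before relying on a particular sequence.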