> Do you actually alter evidence in the process of shutting down?

Yes. For example, if you issue 'shutdown -h now' on a Linux box, behind the scenes events will occur. 'shutdown' causes init to be run and the respective scripts will be run. A hacker *could* write a script to delete or encrypt data, just an example of what *could* be done with a script.

Init is used to send SIGTERM and then SIGKILL signals to running processes, allowing them to stop cleanly and the system to shut down cleanly. That is good and is normal. Unfortunately, in theory someone could have a script that could hide their tracks, erase data, etc.

One way 'around this' was to issue 'shutdown -n'. The '-n' option caused a dirty shutdown whereby init wouldn't be called and scripts not run, so processes were halted and not stopped cleanly. Good thing was you could avoid a 'trojan script'. Bad thing was bringing the system back up may be extremely difficult, data loss, etc.

farmerdude

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
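The following added example, which is not part of the original post, lists the halt and reboot scripts that init would run on a SysV-style system, with a hash and modification time for each, so they can be reviewed before choosing between a clean and a dirty shutdown. The rc directory paths, the function names and the sample tree are assumptions of this example, and it expects GNU find, stat, readlink and sha256sum.

```shell
#!/bin/sh
# Added example: inventory the scripts init runs at halt (rc0) and reboot (rc6).
# Assumes SysV-style rc directories; on a suspect host, run the tools from
# trusted read-only media, since local binaries may have been replaced.

# halt_scripts ROOT [DAYS]
# One line per script: FLAG<TAB>SHA256<TAB>MTIME<TAB>LINK -> TARGET
# FLAG is RECENT if the resolved file changed within DAYS days, else OK.
# mtime can be forged, so compare the hashes against a known-good baseline too.
halt_scripts() {
    root=${1%/}; days=${2:-30}
    for d in etc/rc0.d etc/rc6.d etc/rc.d/rc0.d etc/rc.d/rc6.d; do
        [ -d "$root/$d" ] || continue
        for f in "$root/$d"/*; do
            [ -f "$f" ] || continue          # skips empty dirs and dangling links
            target=$(readlink -f "$f")       # rc entries are usually symlinks
            sum=$(sha256sum < "$target" | cut -d' ' -f1)
            mtime=$(stat -c %y "$target")
            if [ -n "$(find "$target" -maxdepth 0 -mtime -"$days")" ]; then
                flag=RECENT
            else
                flag=OK
            fi
            printf '%s\t%s\t%s\t%s -> %s\n' "$flag" "$sum" "$mtime" "$f" "$target"
        done
    done
}

# Constructed sample tree (not from a real host): one old script, one fresh one.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/init.d" "$t/etc/rc0.d"
    printf '#!/bin/sh\necho stopping\n' > "$t/etc/init.d/sendsigs"
    touch -t 200001010000 "$t/etc/init.d/sendsigs"      # backdated on purpose
    printf '#!/bin/sh\n# constructed placeholder\n' > "$t/etc/init.d/cleanup"
    ln -s ../init.d/sendsigs "$t/etc/rc0.d/K20sendsigs"
    ln -s ../init.d/cleanup "$t/etc/rc0.d/K01cleanup"
    printf '%s\n' "$t"
}

demo=$(make_demo_tree)
halt_scripts "$demo" 30
rm -rf "$demo"
```

Pass `/` as ROOT on a live system, or the mount point of a read-only image; absolute symlinks inside a mounted image resolve against the running system, so check those targets by hand.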
This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 08:05:21 PDT