Re: Giving shutdown rights to somebody

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 04/09/02


From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid>
Date: Tue, 9 Apr 2002 09:45:07 +0000 (UTC)


< Mark Damrose
>"RainbowHat" <nHiATlE@blSackholeP.mAit.edMu.invalid> wrote in message
>news:POW1PV0WG.-nHiATlE@blackhole.mit.edu...
>> < Lee Sau Dan
>> >Watch out! My experience is that the Linux kernel still responds to
>> >pings even after a shutdown (after the kernel message "System halted"
>> >is shown on the kernel). At least, I've consistently got this
>> >behaviour with 2.2 kernels, 3Com 3c509 and 3c59x cards.
>>
>> Really? I knew I could scroll with the [Shift] + [Page Up/Down] keys
>> after shutdown. I was guessing /usr/lib/crt1.o. But I don't know that.
>> Are drivers still running? I'm wondering, if a firewall drops ping or
>> `echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all` is used, how it
>> behaves after shutdown.
>
>I've forgotten the link, and I don't have the time to search for it right
>now, but I saw an article about creating a hardened firewall a while back.
>Basically what it said was that the kernel keeps running - even after the
>machine had been shut down. The author removed the network down from the
>shutdown procedure, so the machine kept running iptables and routing after
>all other processes had stopped, and the disks were umounted.

Again, really?! Does this mean a specialized Linux router box is still
working to route statically even after it has been shut down? Very interesting.
From a security viewpoint, this means a backdoor in kernel-space modules can
communicate with an attacker after shutdown. And this activity isn't logged
because user-space daemons have stopped and the disks were unmounted. One
of my PCs, an SMP CPU box, can't power off itself.

-- 
Regards, RainbowHat. To spoof or not to spoof, that is the packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7