[ale] Rebooting remotely without a usable /

Greg Freemyer greg.freemyer at gmail.com
Mon Sep 21 10:25:15 EDT 2009


You need some blackhat skills.

I.e., injecting malware without leaving a disk footprint is the goal of
the serious players.  I don't know much beyond that.

Greg


On 9/21/09, Matt Rideout <mrideout at windserve.com> wrote:
> Michael B. Trausch wrote, On 09/21/2009 07:19 AM:
>> On Mon, 2009-09-21 at 06:29 -0400, Matt Rideout wrote:
>>
>>> I have a server that's having issues with its / which prevent shutdown,
>>> reboot, init, etc from being accessible. This could be a hardware or
>>> firmware issue, so I'd like to reboot, and diagnose it remotely so that
>>> I'll know whether to order any hardware before going on-site.
>>>
>>> I can SSH in, and have an IP KVM hooked up, but have no remote power
>>> management. The SysRq trick isn't working through the KVM. It seems like
>>> there should be a way to reboot through /proc, but I'm drawing a blank.
>>> Any ideas?
>>>
>>
>> What CPU is the server, and at what bit-width does it run?
>>
>> Do you have access to gcc and/or as on that server?  If so, you can use
>> the reboot(2) syscall to force the system to reboot.  This should do it:
>> if you have access to gcc, you can use the pasted code below.  If you do
>> not have access to gcc (or cannot write an assembly system call and use
>> as to assemble it), the answer to the questions above would (likely)
>> permit me (or anyone else on this list) to create an ELF binary using
>> the code below for whatever system you're running.
>>
>> If you do not have GLIBC, but instead an older Linux libc, use the
>> command:
>>
>> gcc -DNO_GLIBC -o force-reboot force-reboot.c
>>
> Good thinking! It's running 64-bit Intel Xeon MP 3.66GHz CPUs. Nothing
> located on the disk that isn't already loaded into RAM is usable, so
> compiling on the box isn't an option. I wouldn't be able to scp a binary
> over, or execute the commands to mount a memory filesystem in the
> traditional sense either, since those would access files on the drive.
> Would there be any way to make that syscall purely from memory?
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>

-- 
Sent from my mobile device

Greg Freemyer
Head of EDD Tape Extraction and Processing team
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
Preservation and Forensic processing of Exchange Repositories White Paper -
<http://www.norcrossgroup.com/forms/whitepapers/tng_whitepaper_fpe.html>

The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
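Michael's force-reboot.c was not reproduced in the archive, so the following is an added example written for this page, not the code from the thread. It calls reboot(2) through the raw syscall(2) interface (the path a libc without the reboot() wrapper, the -DNO_GLIBC case above, would need), probes whether the caller holds CAP_SYS_BOOT without changing anything on the machine, and only restarts when run with --really. The REBOOT_CMD_PROBE value and the --really flag are assumptions of this example, not kernel or project conventions. Built with `gcc -static -O2 -o force-reboot force-reboot.c`, the binary carries its own libc, so once it is loaded it does not depend on files under the failed /.

```c
/* Added example: force a reboot via reboot(2), issued as a raw syscall.
 * Build statically so the binary never needs libc from the broken /:
 *   gcc -static -O2 -o force-reboot force-reboot.c
 * Run without arguments to check permission only; --really restarts. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/reboot.h>

/* Issue reboot(2) directly through syscall(2), bypassing any libc wrapper.
 * The two magic numbers are mandatory; without them the kernel refuses with
 * EINVAL, which protects against stray calls. Returns 0 on success (only for
 * non-destructive commands) or -1 with errno set. */
static long raw_reboot(unsigned int cmd)
{
    return syscall(SYS_reboot, LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2,
                   cmd, (void *)0);
}

/* Constructed, deliberately invalid command used only as a probe. The kernel
 * checks CAP_SYS_BOOT before it looks at the command, so the errno tells us
 * what a real request would get:
 *   EPERM  -> no CAP_SYS_BOOT; a real reboot would fail the same way
 *   EINVAL -> capability present; only the bogus command was rejected */
#define REBOOT_CMD_PROBE 0x7a69deadu

/* Returns 1 if reboot(2) is permitted for this process, 0 otherwise
 * (EPERM, ENOSYS under a seccomp sandbox, or anything else). */
static int reboot_permitted(void)
{
    if (raw_reboot(REBOOT_CMD_PROBE) == 0)
        return 0;               /* cannot succeed for an unknown command */
    return errno == EINVAL ? 1 : 0;
}

/* Flush dirty pages first: LINUX_REBOOT_CMD_RESTART does not sync. With an
 * unusable root filesystem the sync may itself stall, which is why a hard
 * reboot was wanted in the first place; it is still the right first step.
 * Returns 0 when a reboot is permitted (dry run) and -1 on refusal. */
static int force_reboot(int dry_run)
{
    if (!reboot_permitted()) {
        fprintf(stderr, "reboot(2) not permitted: %s (need CAP_SYS_BOOT)\n",
                strerror(errno));
        return -1;
    }
    if (dry_run)
        return 0;
    sync();
    raw_reboot(LINUX_REBOOT_CMD_RESTART);   /* does not return on success */
    fprintf(stderr, "reboot failed: %s\n", strerror(errno));
    return -1;
}

int main(int argc, char **argv)
{
    /* Default is the permission probe; reboot only when explicitly asked. */
    int dry_run = !(argc > 1 && strcmp(argv[1], "--really") == 0);
    return force_reboot(dry_run) == 0 ? 0 : 1;
}
```

The /proc route the original poster was reaching for is the same kernel path driven by a shell builtin: in bash, `echo b > /proc/sysrq-trigger` needs no executable from disk, provided /proc/sys/kernel/sysrq permits the reboot key. The binary above is the fallback for a kernel with SysRq disabled, and its permission probe is worth running before the real thing so that a failure shows up as EPERM on the console rather than as a silent no-op.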

