Section 19.10 Stuck in the House of Mirrors

   



It is clear that with a compromised system you do not know what is real and what is not. You cannot even shove a trusted boot floppy in the drive and issue the reboot command to boot it up, because the reboot command might be a fake one, installed by the crackers, that really reboots the compromised system. Issuing a sync command and pressing the reset button is more trustworthy.

Ensure that you either have secure boot floppies or you have some other secure way either to boot this system or to boot another Linux system. Preferably, you made the secure boot floppies when you created the system (or when you knew that it was secure) and kept them in a physically secure area and write-protected.

Now take down the system. The simpler the method, the better. Remember that the cracker might have altered the shutdown process to hide his tracks when the system is shut down. It might be best simply to let the system sit idle for five minutes (to allow init to do its periodic sync()) and then press and hold the reset button. While holding the reset button, turn off the power. Disconnect the system from all networks and modems that it might still be connected to.


       


    Real World Linux Security Prentice Hall Ptr Open Source Technology Series
    Year: 2002
    Pages: 260
