hacked

David Tonhofer d.tonhofer at m-plify.com
Fri Oct 13 19:15:46 UTC 2006


Tenacious One wrote:
> Hmm, don't just focus on the server, and don't do anything drastic to alert
> that you're onto him/her!
> Go to your perimeter devices and turn on logging like mad (routers/firewall)
> so you can codify events (assuming that he/she is coming from the outside).
> Also, on the inside, pop in a sniffer on that subnet and capture everything
> - if you can't read the traffic at least you can start homing in on where
> it's originating, and that might divulge what programs/services are being
> hacked... START A CHAIN-of events!!!! Document everything you notice and
> what you do/did but try not to change the system - if it goes to court
> you'll need it. Wish I could offer more but I'm not a unix/linux expert
> (yet). Please keep us informed to let us know the progress.
>

Two cents:

If you DON'T intend to go to court, just grab a quick view of what's
going on, from where the cracker connects, dump the disks to someplace offline
where you can check them later if you ever have the time/inclination, then wipe the
machines and reinstall with added security precautions (SELinux, tripwire, chrooting
etc.), because of course the infection will be back otherwise.

If the baddie uses the servers to attack others, you might become liable.
NOT good.
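Both posters touch the same two points: take a copy of the disks for later offline examination, and keep a record that shows the copy was not altered in case it ever matters in court. The script below is an added example for this thread, not code from either poster. It assumes GNU coreutils (`dd`, `sha256sum`) and that the source is a block device or a file the caller can read, while the image and the custody log are written to separate, offline media; the function names `image_and_hash` and `verify_image` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): copy a disk byte-for-byte for
# later offline examination, hash source and image, and keep a timestamped
# custody log so a later examiner can show the copy is unchanged.
#
# Assumptions: SRC is a block device (e.g. /dev/sdb) or a readable file;
# DEST and LOG sit on separate offline media; GNU dd and sha256sum exist.

# image_and_hash SRC DEST LOG
# Returns 0 only when the SHA-256 of the image equals that of the source.
image_and_hash() {
    src="$1"; dest="$2"; log="$3"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }

    # bs=512 matches the sector size, so conv=noerror,sync keeps the image
    # the same length and offsets as the source even if sectors are
    # unreadable: a bad sector becomes zeros instead of silently shifting
    # everything after it (a source that is not a whole number of sectors
    # gets padded to the next sector boundary).
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null || return 3

    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$dest" | cut -d' ' -f1)

    # Append a custody record: when, where, who, what, and both hashes.
    printf '%s host=%s user=%s src=%s image=%s src_sha256=%s image_sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$(id -un)" \
        "$src" "$dest" "$src_hash" "$img_hash" >> "$log"

    [ "$src_hash" = "$img_hash" ]
}

# verify_image DEST LOG
# Recomputes the image hash and compares it with the most recent record for
# DEST in LOG; a mismatch means the image changed since it was taken.
verify_image() {
    dest="$1"; log="$2"
    recorded=$(grep -F -- " image=$dest " "$log" | tail -n 1 | sed 's/.*image_sha256=//')
    [ -n "$recorded" ] || return 2
    [ "$(sha256sum "$dest" | cut -d' ' -f1)" = "$recorded" ]
}
```

Run `image_and_hash /dev/sdX /mnt/evidence/sdX.img /mnt/evidence/custody.log` once from a live or rescue environment with the original disk mounted read-only or not mounted at all, then work only on the image; `verify_image` can be re-run at any later point to confirm the copy still matches what the log recorded.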





More information about the redhat-list mailing list