hacked
Manuel Arostegui Ramirez
manuel at todo-linux.com
Fri Oct 13 07:49:19 UTC 2006
On Thursday, 12 October 2006 20:09, Tenacious One wrote:
> Hmm, don't just focus on the server, and don't do anything drastic to alert
> them that you're onto him/her!
> Go to your perimeter devices and turn on logging like mad (routers/firewall)
> so you can codify events (assuming that he/she is coming from the outside).
> Also, on the inside, pop in a sniffer on that subnet and capture everything
> - if you can't read the traffic at least you can start homing in on where
> it's originating, and that might divulge what programs/services are being
> hacked... START A CHAIN of events!!!! Document everything you notice and
> what you do/did, but try not to change the system - if it goes to court
> you'll need it. Wish I could offer more but I'm not a unix/linux expert
> (yet). Please keep us informed to let us know the progress.
>
I think Tenacious hit the nail on the head.
Moreover, one of the first things I usually do when I notice that a server
has been hacked is look at /etc/passwd and search for any strange user
with UID and GID = 0. If so, you're really fucked because they will
probably go back to your server, and I suppose with not too good thoughts.
That could also mean that a rootkit is running, and most commands
won't be reliable anymore, nor their output.
Just my 2 cents
--
Manuel Arostegui Ramirez.
Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
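The /etc/passwd check from the message above, as an added example that is not part of the original thread. It pulls every entry with UID 0 or GID 0 under a name other than root out of a passwd file using awk alone, so it can be pointed at a copy of the file taken from a rescue disk or a read-only mount rather than at the live system (the post's point about rootkits is that the binaries on the compromised box, and therefore their output, cannot be trusted). The sample passwd content and the "toor" and "backup" entries are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Scan a passwd file for accounts that carry UID 0 or GID 0 but are not root.
# Only awk touches the file, so run it against a copy made from a known-good
# environment when the box itself may be rootkitted.

# find_uid0_accounts FILE
# Prints "name:uid:gid:shell" for every well-formed entry whose UID or GID
# is 0 and whose login name is not "root". Prints nothing for a clean file.
find_uid0_accounts() {
    awk -F: '
        # passwd entries have seven fields; skip blank lines and comments
        NF < 7 || /^#/ { next }
        $1 != "root" && ($3 == 0 || $4 == 0) { print $1 ":" $3 ":" $4 ":" $7 }
    ' "$1"
}

# count_uid0_accounts FILE
# Prints the number of suspicious entries found by find_uid0_accounts.
count_uid0_accounts() {
    find_uid0_accounts "$1" | wc -l | tr -d ' '
}

# Constructed sample passwd file (hypothetical accounts, for illustration only).
# "toor" is a second UID 0 login; "backup" has a normal UID but GID 0.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
toor:x:0:0:toor:/root:/bin/bash
backup:x:1001:0:backup:/var/backups:/bin/sh
manuel:x:500:500:Manuel:/home/manuel:/bin/bash
EOF

echo "Suspicious UID/GID 0 entries in $SAMPLE_PASSWD:"
find_uid0_accounts "$SAMPLE_PASSWD"
```

On a real incident, replace the sample path with a copy of /etc/passwd read from a rescue boot or a trusted static toolkit, and compare it against /etc/shadow and the last known-good backup before deciding anything; a clean passwd file does not rule out a rootkit, it only rules out this one indicator.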
More information about the redhat-list mailing list