On Thursday, 12 October 2006 20:09, Tenacious One wrote:
> Hmm, don't just focus on the server, and don't do anything drastic to alert
> that you're onto him/her!
> Go to your perimeter devices and turn on logging like mad (routers/firewall)
> so you can codify events (assuming that he/she is coming from the outside).
> Also, on the inside, pop in a sniffer on that subnet and capture everything
> - if you can't read the traffic at least you can start homing in on where
> it's originating, and that might divulge what programs/services are being
> hacked... START A CHAIN of events!!!! Document everything you notice and
> what you do/did but try not to change the system - if it goes to court
> you'll need it. Wish I could offer more but I'm not a unix/linux expert
> (yet). Please keep us informed to let us know the progress.
>

I think Tenacious hit the nail on the head.

Moreover, one of the first things I usually do when I notice that a server has been hacked is look at /etc/passwd and search for any strange user with UID and GID = 0. If so, you're really fucked, because they will probably come back to your server, and I suppose with not too good thoughts. That could also mean that a rootkit is running, and most commands won't be reliable anymore, nor their output.

Just my 2 cents

--
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues.

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
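The /etc/passwd check Manuel describes, written out as an added example (this is not code from the thread or from Red Hat). It parses passwd(5)-format text and reports every account other than the first legitimate root line whose UID or GID is 0, plus any malformed line, since attackers also plant a second "root" entry or a line with a GID of 0. The sample passwd data is constructed for the example; the script itself reads file contents directly rather than trusting `getent` or `cat` output, because, as Manuel notes, those binaries may be trojaned on a rootkitted host, so the most reliable input is a copy of /etc/passwd taken from a read-only mount of the compromised disk.

```python
#!/usr/bin/env python3
"""Flag root-equivalent accounts in passwd(5) data (added example, not from the thread)."""
import sys
from dataclasses import dataclass
from typing import List


@dataclass
class PasswdEntry:
    name: str
    uid: int        # -1 marks a malformed line
    gid: int
    home: str
    shell: str
    line_no: int


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse lines of the form name:passwd:uid:gid:gecos:home:shell.

    Malformed lines are kept (uid/gid = -1) rather than dropped, because a
    line that does not parse is itself something an investigator should see.
    """
    entries: List[PasswdEntry] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append(PasswdEntry(raw, -1, -1, "", "", n))
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        try:
            entries.append(PasswdEntry(name, int(uid), int(gid), home, shell, n))
        except ValueError:
            entries.append(PasswdEntry(raw, -1, -1, "", "", n))
    return entries


def find_root_equivalents(text: str, expected_root: str = "root") -> List[PasswdEntry]:
    """Return entries with UID 0 or GID 0, except the first line named `expected_root`.

    A second line named root, any other name with UID 0, a GID of 0 on a
    non-root account, and any malformed line are all reported.
    """
    suspicious: List[PasswdEntry] = []
    seen_root = False
    for e in parse_passwd(text):
        if e.uid == 0 or e.gid == 0:
            if e.name == expected_root and not seen_root:
                seen_root = True      # the one root line we expect
                continue
            suspicious.append(e)
        elif e.uid < 0:
            suspicious.append(e)      # malformed line
    return suspicious


# Constructed sample: one normal root, two ordinary users, and three planted
# entries (UID 0 under a new name, GID 0 on a normal user, a duplicate root).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
manuel:x:500:500:Manuel:/home/manuel:/bin/bash
sysadm:x:0:0::/tmp/.x:/bin/sh
backup:x:501:0:backup:/var/backups:/bin/sh
root:x:0:0::/:/bin/sh
"""


def report(text: str) -> int:
    """Print suspicious entries with their line numbers; return how many were found."""
    hits = find_root_equivalents(text)
    for e in hits:
        print(f"line {e.line_no}: {e.name} uid={e.uid} gid={e.gid} shell={e.shell}")
    return len(hits)


if __name__ == "__main__":
    # Pass the path of a passwd file (ideally a copy from a read-only mount);
    # with no argument the constructed sample above is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_PASSWD
    sys.exit(1 if report(data) else 0)
```

The exit status is non-zero when anything was flagged, so the script can sit in a cron job or a host-check playbook, but a clean result only says that this file looks right; a rootkit that hooks the filesystem can still hide entries, which is why the copy should come from offline media where possible.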