Tenacious One wrote:
Hmm, don't just focus on the server, and don't do anything drastic to
alert that you're onto him/her!
Go to your perimeter devices and turn on logging like mad
(routers/firewall) so you can codify events (assuming that he/she is
coming from the outside).
Also, on the inside, pop in a sniffer on that subnet and capture
everything - if you can't read the traffic, at least you can start
homing in on where it's originating, and that might divulge what
programs/services are being hacked... START A CHAIN OF EVENTS!!!!
Document everything you notice and what you do/did, but try not to
change the system - if it goes to court you'll need it. Wish I could
offer more, but I'm not a Unix/Linux expert (yet). Please keep us
informed to let us know the progress.
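As an added example (not part of the original thread), here is the "homing in" step above in a shell script: it tallies, from a tcpdump text dump, which outside addresses are sending traffic to the server and which ports (services) they hit. The sample lines, the server address 192.0.2.10, the source addresses and the function names are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: triage a packet capture to find
# where inbound traffic to a compromised host originates and which
# ports (services) it targets. Addresses are RFC 5737 documentation
# ranges; the sample lines below are constructed tcpdump-style text.

# Rotating full-packet capture on the subnet's sniffer interface.
# Not invoked in the demo below: it needs root and a real interface.
# -s 0 keeps whole packets, -G 3600 starts a new file every hour,
# the %Y... pattern in -w is expanded per file (strftime).
start_capture() {
    iface=$1; outdir=$2
    mkdir -p "$outdir"
    tcpdump -i "$iface" -n -s 0 -G 3600 \
        -w "$outdir/capture-%Y%m%d-%H%M%S.pcap" &
}

# Constructed sample of "tcpdump -n" (or "tcpdump -n -r file.pcap") output.
write_sample() {
    cat > "$1" <<'EOF'
12:00:01.000001 IP 203.0.113.45.51234 > 192.0.2.10.22: Flags [S], seq 10, win 64240, length 0
12:00:01.000321 IP 192.0.2.10.22 > 203.0.113.45.51234: Flags [S.], seq 20, ack 11, win 65160, length 0
12:00:01.100001 IP 203.0.113.45.51234 > 192.0.2.10.22: Flags [P.], seq 11:60, ack 21, win 502, length 49
12:00:03.000001 IP 198.51.100.7.40000 > 192.0.2.10.80: Flags [S], seq 30, win 64240, length 0
12:00:04.000001 IP 203.0.113.45.51235 > 192.0.2.10.6667: Flags [S], seq 40, win 64240, length 0
EOF
}

# Print "count source_ip server_port" for packets sent TO the server,
# most frequent first. Replies from the server are ignored, so the list
# shows who is initiating contact, not who is answering.
inbound_pairs() {
    dump=$1; server=$2
    awk -v srv="$server" '
        $2 == "IP" && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)
            ns = split($3, s, "."); nd = split(dst, d, ".")
            if (ns != 5 || nd != 5) next        # need a.b.c.d.port on both sides
            dip = d[1] "." d[2] "." d[3] "." d[4]
            if (dip != srv) next                 # only traffic toward the server
            sip = s[1] "." s[2] "." s[3] "." s[4]
            count[sip " " d[5]]++
        }
        END { for (k in count) print count[k], k }
    ' "$dump" | sort -k1,1nr -k2,2
}

# Distinct server ports one source has touched: a hint at which
# services are being probed or abused (22 and 6667 below, i.e. SSH and
# the usual IRC bot port).
ports_hit_by() {
    dump=$1; server=$2; src=$3
    inbound_pairs "$dump" "$server" \
        | awk -v s="$src" '$2 == s { print $3 }' \
        | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Demo on the constructed sample.
sample=$(mktemp)
write_sample "$sample"
inbound_pairs "$sample" 192.0.2.10
rm -f "$sample"
```

On a real box the same two functions work over `tcpdump -n -r capture.pcap`; the point of capturing on a separate sniffer host is that the compromised server's own tools and logs cannot be trusted.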
Two cents:
If you DON'T intend to go to court, just grab a quick view of what's
going on, from where the cracker connects, dump the disks to someplace
offline where you can check them later if you ever have the
time/inclination, then wipe the machines and reinstall with added
security precautions (SELinux, Tripwire, chrooting, etc.), because of
course the infection will be back otherwise.
If the baddie uses the servers to attack others, you might become liable.
NOT good.
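An added example, not from the thread: the "dump the disks to someplace offline" step as a shell script that images a disk with dd, hashes source and image, and writes a timestamped custody log, so the image can still be trusted and checked later after the original box has been wiped. The sample "disk" is a constructed file so the script runs anywhere; the function names, log format and sidecar file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: image a disk to offline storage
# and keep a chain-of-custody record. On a real box SRC is a block
# device (e.g. /dev/sda) read from boot media or behind a write
# blocker, never from the running, compromised system.

# Append a timestamped, operator-attributed line to the evidence log.
note() {
    log=$1; shift
    printf '%s %s: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$*" >> "$log"
}

# Constructed stand-in for a block device: 2048 bytes, a whole number
# of 512-byte sectors, so conv=sync below adds no padding.
make_sample_disk() {
    yes "constructed sample disk contents" | head -c 2048 > "$1"
}

# Image SRC to DEST, hash both, record everything in LOG and write a
# DEST.sha256 sidecar for later checks. Returns 0 only when the image
# hash matches the source hash.
# bs=512 matches the sector size, so conv=noerror,sync keeps offsets
# aligned on a bad sector without changing the total size (with a
# larger bs, sync would pad the last partial block and the hashes
# would differ).
image_disk() {
    src=$1; dest=$2; log=$3
    note "$log" "imaging $src -> $dest (bs=512 conv=noerror,sync; dest is offline storage)"
    srchash=$(sha256sum "$src" | cut -d' ' -f1)
    note "$log" "source sha256 $srchash"
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>>"$log" || {
        note "$log" "dd failed"; return 1; }
    imghash=$(sha256sum "$dest" | cut -d' ' -f1)
    note "$log" "image sha256 $imghash"
    printf '%s  %s\n' "$imghash" "$dest" > "$dest.sha256"
    if [ "$srchash" = "$imghash" ]; then
        note "$log" "VERIFIED image matches source"
        return 0
    fi
    note "$log" "MISMATCH image does not match source"
    return 1
}

# Re-check an image against its sidecar hash, e.g. months later.
verify_image() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# Demo on the constructed sample disk.
workdir=$(mktemp -d)
make_sample_disk "$workdir/disk.img"
image_disk "$workdir/disk.img" "$workdir/disk.dd" "$workdir/custody.log" \
    && echo "image verified"
cat "$workdir/custody.log"
rm -rf "$workdir"
```

The source hash is only meaningful if the disk cannot change between the two reads, which is why the imaging happens from boot media or behind a write blocker; the sidecar file is what lets `sha256sum -c` catch a later modification of the stored image.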
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list