hacked

Manuel Arostegui Ramirez manuel at todo-linux.com
Fri Oct 13 07:49:19 UTC 2006


On Thursday, 12 October 2006 20:09, Tenacious One wrote:
> Hmm, don't just focus on the server, and don't do anything drastic to alert
> that you're onto him/her!
> Go to your perimeter devices and turn on logging like mad (routers/firewall)
> so you can codify events (assuming that he/she is coming from the outside).
> Also, on the inside, pop in a sniffer on that subnet and capture everything
> - if you can't read the traffic at least you can start homing in on where
> it's originating, and that might divulge what programs/services are being
> hacked... START A CHAIN of events!!!! Document everything you notice and
> what you do/did but try not to change the system - if it goes to court
> you'll need it. Wish I could offer more but I'm not a unix/linux expert
> (yet). Please keep us informed to let us know the progress.
>

I think Tenacious hit the nail on the head.

Moreover, one of the first things I usually do when I notice that a server
has been hacked is look at /etc/passwd and search for any strange user with
UID and GID = 0. If so, you're really fucked because they will probably go
back to your server, and I suppose not with too good thoughts. And that could
also mean that a rootkit is running, and most commands won't be reliable
anymore, nor their output.

Just my 2 cents
-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
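A small check for the /etc/passwd inspection Manuel describes, added here as an example that is not part of the original thread. It assumes a POSIX shell with awk, and takes the passwd file path as a parameter so it can be run on a copy of the file or on a mounted disk image rather than relying on the possibly rootkitted host's own commands; the sample passwd content is constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): list accounts in a passwd
# file whose UID or GID is 0 but whose name is not "root". Any hit is a
# candidate backdoor account and deserves a closer look.

# Usage: find_uid0_accounts /path/to/passwd
# Prints one "name:uid:gid" line per suspicious account; nothing when clean.
find_uid0_accounts() {
    awk -F: '
        # skip comments and malformed lines (a passwd entry has 7 fields)
        $0 ~ /^#/ || NF < 4 { next }
        # field 1 = name, field 3 = UID, field 4 = GID; root itself is 0:0
        ($3 == 0 || $4 == 0) && $1 != "root" { print $1 ":" $3 ":" $4 }
    ' "$1"
}

# Constructed sample passwd content (not real data): one extra UID 0 user
# and one ordinary user placed in the root group.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
manuel:x:1000:1000:Manuel:/home/manuel:/bin/bash
toor:x:0:0:backdoor:/:/bin/sh
svcadm:x:1001:0:service admin:/var/svc:/bin/sh
EOF
}

# Demonstration run against the constructed sample.
tmp=$(mktemp)
sample_passwd > "$tmp"
find_uid0_accounts "$tmp"
rm -f "$tmp"
```

On a real incident, point the function at `/mnt/image/etc/passwd` (a read-only mount of the suspect disk) instead of the live file.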