Re: HELP, my Debian Server was hacked!

[Dale Amon <amon@vnl.com>]

On Wed, Apr 23, 2003 at 10:44:34AM -0400, James Duncan wrote:
> Obviously steps should be in place to mitigate the damage of these sorts
> of acts.  Have steps in place to quickly replace machines that have to be
> removed from production quickly and without warning.  Use syslog to log
> locally AND remotely.  Have a backup of all your logs.  The smart attacker
> will have covered their tracks.

I'd go further. If you know the machine has been
hacked, pull the ethernet, copy the disks and swap to
CD if you have time...

Then just wipe it and re-install. It's a very rare
facility that actually has time for forensics. Places
with deep enough pockets to have a senior person 
grepping swap disks and reconstructing activity on
one single machine and taking perhaps days or even
weeks to do it.

It just doesn't happen very often.

-- 
------------------------------------------------------
       IN MY NAME:            Dale Amon, CEO/MD
  No Mushroom clouds over     Islandone Society
    London and New York.      www.islandone.org
------------------------------------------------------