
Re: HELP, my Debian Server was hacked!



On Thu, 24 Apr 2003, Dale Amon wrote:

> On Wed, Apr 23, 2003 at 10:44:34AM -0400, James Duncan wrote:
> > Obviously steps should be in place to mitigate the damage of these sorts
> > of acts.  Have steps in place to quickly replace machines that have to be
> > removed from production quickly and without warning.  Use syslog to log
> > locally AND remotely.  Have a backup of all your logs.  The smart attacker
> > will have covered their tracks.
>
> I'd go further. If you know the machine has been
> hacked, pull the ethernet, copy the disks and swap to
> CD if you have time...

Data protection procedures will vary depending on internal security policy
(which every company should have - there should be a clear set of
guidelines in place that states how these sorts of situations should be
handled).  Certainly this is a viable solution, and one I have practiced
myself in situations where speed was more important than forensic
preservation.

> Then just wipe it and re-install. It's a very rare
> facility that actually has time for forensics. Places
> with deep enough pockets to have a senior person
> grepping swap disks and reconstructing activity on
> one single machine and taking perhaps days or even
> weeks to do it.
>
> It just doesn't happen very often.

Typically this won't be a job for the admins, anyway.  Data like this
should be looked at by either a dedicated information security officer,
whose job it is to track these things, or by law enforcement, should one
choose to involve them.  Just because you don't have time to look at the
data, doesn't mean that you can't take a few minutes to preserve it in the
first place.

If the attack in question can be shown to have cost your company palpable
revenue, then the preservation of this data could be the difference
between being rewarded damages, and a case that is thrown out of court.



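The thread's advice (disconnect the machine, copy the disks and swap before wiping, keep a record you can hand to a security officer or to law enforcement) is easy to get wrong under time pressure, so here is a small preservation script as an added example; it is not code from the list posters. It assumes POSIX sh with coreutils dd and sha256sum, that the evidence directory is on separate, trusted storage (an external drive or a collector host), and that the tool is run from a clean boot medium rather than the compromised system's own binaries. The device path in the usage line is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example: bit-for-bit image of a disk or swap device with an
# integrity record, in the spirit of "copy the disks and swap" above.
# Assumes coreutils dd and sha256sum. Not from the original thread.

# preserve_image SOURCE DEST_DIR LABEL
#   Copies SOURCE (a block device such as /dev/sda1 or /dev/sdb2 for swap,
#   hypothetical paths, or an ordinary file when testing) to
#   DEST_DIR/LABEL.img, keeps dd's own summary in DEST_DIR/LABEL.dd.log,
#   and appends one chain-of-custody line to DEST_DIR/LABEL.manifest.
#   Returns 0 only if the image hash equals the hash of the source.
preserve_image() {
    src="$1"; dest="$2"; label="$3"
    img="$dest/$label.img"
    manifest="$dest/$label.manifest"
    mkdir -p "$dest" || return 1
    # Hash the source first so any later mismatch is detectable.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1) || return 1
    # conv=noerror keeps reading past bad sectors instead of aborting;
    # dd's block count summary is kept as part of the record.
    dd if="$src" of="$img" bs=4k conv=noerror 2>"$dest/$label.dd.log" || return 1
    img_hash=$(sha256sum "$img" | cut -d' ' -f1) || return 1
    printf '%s source=%s image=%s sha256=%s host=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$img_hash" "$(uname -n)" \
        >> "$manifest" || return 1
    # Evidence image is made read-only so it is not altered by accident.
    chmod 0400 "$img"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image DEST_DIR LABEL
#   Recomputes the image hash and compares it with the manifest entry,
#   which is what a security officer would do before looking at the data.
verify_image() {
    dest="$1"; label="$2"
    img="$dest/$label.img"
    recorded=$(grep -F "image=$img " "$dest/$label.manifest" | tail -n 1 \
        | sed 's/.*sha256=\([0-9a-f]*\).*/\1/')
    current=$(sha256sum "$img" | cut -d' ' -f1) || return 1
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Usage (hypothetical device path): preserve_image /dev/sda1 /mnt/evidence root-fs
if [ "$#" -eq 3 ]; then
    preserve_image "$@"
fi
```

Because the hash of the source is taken before copying and the image hash after, the manifest line records a value that can be independently rechecked later, and a mismatch is reported immediately rather than discovered weeks on. Swap should be imaged the same way before any reboot, since it is lost or overwritten as soon as the system comes back up.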