On Thu, Dec 29, 2011 at 11:30:27PM +0400, Taz wrote:
> Anybody wants to check it out?
> I can provide ssh access, if you will give me an ssh key.

From the sound of things, we're not going to find much. It's clear that the attackers have already cleaned up their tracks by editing auth.log, etc. The detailed forensics needed here would likely take a fair bit of time.

Also, because we'd be working on a compromised host, we likely couldn't even trust our own tools to give us accurate information. File-system level forensics would be best performed on a block-level image of the disk itself (e.g. made using something like dd).

One recommendation I've got for future deployments, if you can allocate the resources for it, is to have a dedicated syslog host. This host should not run any services other than syslogd, including ssh. Any access would need to be via the console. You should be careful to give it a unique root password, and probably don't even bother to create any non-root accounts on it. Configure the rest of your hosts to send their logs to this host. Having a copy of things like auth.log whose integrity can be trusted would be most helpful here.

noah
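The point of the dedicated syslog host above is that it gives you a second copy of auth.log the attacker could not edit. The following is an added example, not code from noah's mail or from the thread: a small Python script that parses RFC 3164-style syslog lines, compares the copy the syslog host received with the auth.log found on the compromised machine, and lists the entries that were deleted locally. All log lines, host names and PIDs below are constructed for illustration.

```python
"""Compare a host's local auth.log against the copy held by a dedicated
syslog host and report the entries that are missing locally.

Added example; the file contents, hostnames and PIDs are constructed."""
import re
from collections import Counter

# RFC 3164-style line as syslogd writes it: "Dec 29 23:10:01 host tag: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)


def parse_line(line):
    """Return (timestamp, host, tag, msg), or None for a line syslogd did not write."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return (m.group("ts"), m.group("host"), m.group("tag"), m.group("msg"))


def missing_entries(trusted, local):
    """Entries present in the trusted (remote) copy but absent from the local file.

    A multiset is used so that a line which legitimately repeats is only
    reported when fewer copies survive locally than the syslog host received.
    Sorting by the timestamp string is chronological within one month because
    syslogd pads the day to two characters."""
    remote = Counter(e for e in map(parse_line, trusted) if e)
    here = Counter(e for e in map(parse_line, local) if e)
    gone = remote - here
    return sorted(gone.elements(), key=lambda e: e[0])


# Constructed sample: what the syslog host received from "web1" over the network.
REMOTE_COPY = """\
Dec 29 22:58:03 web1 sshd[4012]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Dec 29 23:01:17 web1 sshd[4107]: Failed password for root from 203.0.113.9 port 40211 ssh2
Dec 29 23:01:19 web1 sshd[4107]: Failed password for root from 203.0.113.9 port 40211 ssh2
Dec 29 23:01:25 web1 sshd[4107]: Accepted password for root from 203.0.113.9 port 40211 ssh2
Dec 29 23:15:01 web1 CRON[4201]: pam_unix(cron:session): session opened for user root by (uid=0)
""".splitlines()

# Constructed sample: /var/log/auth.log as found on web1 after the intruder
# edited it. The three lines involving the root login are gone.
LOCAL_COPY = """\
Dec 29 22:58:03 web1 sshd[4012]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Dec 29 23:15:01 web1 CRON[4201]: pam_unix(cron:session): session opened for user root by (uid=0)
""".splitlines()


if __name__ == "__main__":
    for ts, host, tag, msg in missing_entries(REMOTE_COPY, LOCAL_COPY):
        print(f"DELETED LOCALLY: {ts} {host} {tag}: {msg}")
```

For real use, replace the two constructed lists with the remote file and the local file read from the dd image rather than from the live host, since the mail's own caveat applies: tools run on the compromised machine cannot be trusted. Forwarding itself is a one-line change in the syslog configuration on each host; with the classic sysklogd syntax, `auth,authpriv.* @loghost` sends those facilities over UDP, and rsyslog accepts the same line with `@@loghost` for TCP.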