
Re: BIND exploited ?



> Good point!  Having never dealt with the fuzz after being compromised,
> I have to ask what you would do if your server is a file server with
> lots of big, expensive drives where a company might not be able to
> afford replacing them all?  Would they be happy with backups (keeping
> in mind that any tools used to backup the server might no longer be
> trustworthy)?  How about disk images (made with dd, or something
> similar) of the drives that contain the system stuff?

In my experience, the police will have computer crime specialists who'll
know all about dd. In fact, one of the first things they'll ask when you
contact them is whether they can make complete disk images, and they'll
be very happy if you say yes. They'll be happier still if you can
provide tcpdump (or similar) traces of the intruder's activity
(electronic format is nice, but they'll need a hard copy too, with each
page dated and signed to present to the judge).

Once they've made the disk images, you can format your disks and put them
back into service. You'll still be able to participate in the forensic
examination of those images, though, and (again, in my experience only),
they're very good at respecting privacy concerns - i.e. not going
anywhere near the /home partition, etc.
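Making the complete disk image the reply describes, as an added example that is not from the thread: a small POSIX shell wrapper around dd that hashes the original and the image so the copy handed over can later be shown to match, and appends a dated chain-of-custody line. It assumes GNU coreutils (dd with status=none, sha256sum); the function names, the log format and the path names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: preserve a forensic disk image
# with dd and record hashes so the image can be shown to match the source.
# Assumes GNU coreutils (dd status=none, sha256sum) and a source that is a
# whole block device or a file whose size is a multiple of 512 bytes.

hash_of() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# forensic_image SRC DEST LOG
# Copies SRC to DEST sector by sector. conv=noerror,sync keeps going past
# unreadable sectors and pads them with zeros, so every byte in the image
# stays at its original offset. Then hashes both sides and appends one
# dated, operator-tagged line to LOG. Returns non-zero if the hashes differ.
forensic_image() {
    src=$1; dest=$2; log=$3
    dd if="$src" of="$dest" bs=512 conv=noerror,sync status=none || return 1
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$dest")
    printf '%s source=%s sha256=%s image=%s sha256=%s operator=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$src_hash" \
        "$dest" "$img_hash" "$(id -un)" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}
```

Run it as root with the source device unmounted (or mounted read-only) and the image written to a separate volume; the log line is what you print, date and sign alongside the tcpdump hard copies.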


