RE: HELP, my Debian Server was hacked!

To: debian-security@lists.debian.org
Subject: RE: HELP, my Debian Server was hacked!
From: DEFFONTAINES Vincent <Vincent.DEFFONTAINES@coe.int>
Date: Wed, 23 Apr 2003 15:07:38 +0200
Message-id: <[🔎] 435C366F075ED211B12200204840172D058693D1@petitsuix.coe.int>

Have a look at the coroner toolkit from Dan Farmer and Wietse Venema.

Debian packaged : tct

It is advised *not* to turn off your box, maybe you can unplug its
network... 
not sure its a good idea even.

http://www.fish.com/tct/help-when-broken-into

Chosen extract :


What to do
-----------

The first 3 basic steps to handling a "situation" (roughly taken from
the wonderful Criminalistics, An Introduction to Forensic Science, by
Saferstein (see the "bibliography" file) are:

	o	Secure and isolate the scene
	o	Record the scene
	o	Conduct a systematic search for evidence

And while speed is of the essence, attempt to stay calm and don't panic.

And do *NOT* touch the keyboard or the computer yet unless you absolutely
have to.

We repeat.  Do *NOT* touch the keyboard or the computer yet.

Did you hear us?   STAY AWAY FROM THE COMPUTER!  Anything you do will 
destroy evidence, so simply don't touch it for now, or do as little as 
possible and don't start looking for damage yet.

And while you might get lucky and find all the damage and evidence and
perpetrator immediately, don't get your hopes up too much, this is still
not an exact science, and almost every case has more than its share of 
disappointments.

Reply to:

Follow-Ups:
- RE: HELP, my Debian Server was hacked!
  - From: James Duncan <james.duncan@sheridanc.on.ca>

Prev by Date: Re: Network stress testing
Next by Date: Re: Kernel ptrace Hole - Fix For i386 ?
Previous by thread: Re: HELP, my Debian Server was hacked!
Next by thread: RE: HELP, my Debian Server was hacked!
Index(es):
- Date
- Thread