
Re: i am hacked atm.. what's better thing to do?



On Mon, 06 Nov 2000 21:17:21 CST, Phil Brutsche writes:
>> The syslog is probably the best place to find how he got into your
>> system.  But it might have been tampered with.  If you think it's a
>> fairly recent attack, look around your directories a bit with an `ls
>> -lart` to show all recently-changed entries.  Script kiddie tools are
>> easily found this way, though better hackers can hide their tracks.
>
>Especially since they can just do a "rm -rf /var/log" - yes I've seen that
>happen.

That's why it's almost always a good idea to not only keep your logs 
locally, but to also log to another machine, preferably on another 
platform administered by someone (trusted) else. That way the attacker 
would have to gain access to a second machine; most script kiddies will 
find that too challenging...

If you look around some time, you'll probably find somebody, so you can 
back up each other's logs. I do that with a friend of mine, I'm with 
Debian/Intel, the other machine Solaris/<well, what else...>Sun.

just a thought,
&rw
-- 
/  Ing. Robert Waldner  | Network Engineer | T: +43 1 89933  F: x533 \ 
\ <Waldner@KPNQwest.at> |    KPNQwest/AT   | Diefenbachg. 35, A-1150 / 
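
What the off-host copy buys you, as an added example that is not part of the original message: a shell function that lists log lines present in the remote copy but missing from the local file, which is what an edited or deleted local log looks like. The function names, file names and sample log lines are constructed, and the sketch assumes both machines store the forwarded lines in the same format.

```shell
#!/bin/sh
# Added example: compare a local log with the copy kept on a second machine.
# Lines found only in the remote copy were removed (or never written) locally.

# missing_locally LOCAL REMOTE -> prints lines present in REMOTE but not in LOCAL
missing_locally() {
    local_log=$1
    remote_log=$2
    [ -r "$remote_log" ] || { echo "cannot read $remote_log" >&2; return 2; }
    tmp=$(mktemp -d) || return 2
    # A wiped local log (e.g. after "rm -rf /var/log") counts as an empty file.
    if [ -r "$local_log" ]; then
        LC_ALL=C sort -u "$local_log" > "$tmp/local"
    else
        : > "$tmp/local"
    fi
    LC_ALL=C sort -u "$remote_log" > "$tmp/remote"
    # comm -13 drops lines unique to the local file and lines common to both,
    # leaving only what the remote machine still has.
    LC_ALL=C comm -13 "$tmp/local" "$tmp/remote"
    rm -rf "$tmp"
}

# Constructed sample data: the remote copy holds three entries,
# the local copy has had the last two edited out.
demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/remote.log" <<'EOF'
Nov  6 20:58:01 host sshd[411]: Connection from 192.0.2.10
Nov  6 21:02:13 host ftpd[502]: FTP LOGIN FROM 192.0.2.66
Nov  6 21:03:40 host su: (to root) user1 on /dev/pts/1
EOF
    sed -n '1p' "$d/remote.log" > "$d/local.log"
    missing_locally "$d/local.log" "$d/remote.log"
    rm -rf "$d"
}

demo
```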



