Re: Possible compromise, what to do?

On 13/11/2014 11:57, Erwan David wrote:
I just got a call from the police, that they have arrested a
pirate who "tried" to connect to one of my (debian) servers. They tell
me he is gifted, but since the policewoman I had on the phone mixes up
server, web site and email address, it may not be completely accurate.

However, I'd prefer to be sure my server was not compromised, and at the
lowest possible cost (in time and work). Is there a way to check the
packages/installed files from outside sources (I may boot a fresh live
system in order to have clean utilities), or even provoke a reinstall
with a new download of the whole system?

Thank you.


First, make sure the call really is from the police. I don't know which country you are talking about, but this looks as much like elaborate spear-phishing as anything.

Then, if the system has been compromised by a talented cracker, there isn't much you can do from the system itself. You need to image it and work on the image with forensic tools. As an easy first step I would look into the logs, that is if you store logs centrally on another system. If the logs are stored on the machine itself they are not to be trusted. If you didn't set up an integrity checker (like tripwire) there isn't much to compare your system with... You could set up a fresh system (possibly in a VM) of the same version, checksum all sensitive binaries/files on the fresh system and compare with those on the suspect system. Either way you are going to spend time on this; if in any doubt, the short answer is "start fresh".

Good luck.
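The "checksum a fresh install and compare" approach from the reply above, written out as a worked example. This script is added to the thread and is not code from either poster; the mount points (/mnt/suspect for the imaged disk, /mnt/reference for the fresh install of the same Debian release) and the directory list are assumptions. It is meant to be run from a live system with the suspect disk mounted read-only, never from the suspect system's own binaries. Note that dpkg's own md5sums lists (/var/lib/dpkg/info/*.md5sums, what debsums and dpkg --verify use) live on the suspect disk, so they are as untrustworthy as its logs; an external reference is what makes the comparison meaningful.

```shell
#!/bin/sh
# Compare a suspect Debian root filesystem against a clean reference install
# of the same release. Added example for this thread; the mount points and
# the directory list below are assumptions, not something the posters gave.
#
# Typical use from a live system:
#   mount -o ro,noexec /dev/sdX1 /mnt/suspect
#   manifest /mnt/reference /tmp/ref.sha256
#   manifest /mnt/suspect   /tmp/sus.sha256
#   compare  /tmp/ref.sha256 /tmp/sus.sha256

set -u

# Directories an intruder is most likely to touch: core binaries, libraries,
# the kernel and its modules, PAM and sshd configuration.
DIRS="bin sbin lib boot usr/bin usr/sbin usr/lib etc/pam.d etc/ssh"

# manifest ROOT OUTFILE
# Writes "sha256  relative/path" for every regular file under $DIRS, with
# paths relative to ROOT so both manifests line up whatever the mount point.
# Sorted in the C locale because join (below) requires sorted input.
manifest() {
    root=$1; out=$2
    ( cd "$root" || exit 1
      for d in $DIRS; do
          if [ -d "$d" ]; then find "$d" -type f -exec sha256sum {} +; fi
      done ) | LC_ALL=C sort -k2 > "$out"
}

# compare REF SUSPECT
# Joins the two manifests on the path and reports:
#   MODIFIED  same path, different hash (a replaced binary or edited config)
#   MISSING   present on the clean install, gone on the suspect disk
#   EXTRA     present only on the suspect disk (dropped tools, rootkit parts)
# Paths containing whitespace are not handled; none of $DIRS normally has any.
compare() {
    ref=$1; sus=$2
    LC_ALL=C join -j 2 -a 1 -a 2 -e MISSING -o '0,1.1,2.1' "$ref" "$sus" |
    while read -r path h_ref h_sus; do
        if   [ "$h_ref" = MISSING ];   then echo "EXTRA    $path"
        elif [ "$h_sus" = MISSING ];   then echo "MISSING  $path"
        elif [ "$h_ref" != "$h_sus" ]; then echo "MODIFIED $path"
        fi
    done
}

# demo
# Builds two small constructed directory trees (not real system files) so the
# comparison can be exercised offline: sshd replaced, one binary removed,
# one hidden file dropped, ls left untouched.
demo() {
    work=$(mktemp -d)
    for side in ref sus; do
        mkdir -p "$work/$side/bin" "$work/$side/usr/sbin"
        printf 'clean ls\n'   > "$work/$side/bin/ls"
        printf 'clean ps\n'   > "$work/$side/bin/ps"
        printf 'clean sshd\n' > "$work/$side/usr/sbin/sshd"
    done
    printf 'backdoored sshd\n' > "$work/sus/usr/sbin/sshd"   # trojaned daemon
    printf 'dropper\n'         > "$work/sus/bin/.x"          # file the install never had
    rm "$work/sus/bin/ps"                                    # tool removed by intruder
    manifest "$work/ref" "$work/ref.sha256"
    manifest "$work/sus" "$work/sus.sha256"
    compare "$work/ref.sha256" "$work/sus.sha256"
    rm -rf "$work"
}
```

Expect noise under etc/ssh and etc/pam.d: every file you configured by hand on the real server shows up as MODIFIED and has to be diffed against what you remember setting. EXTRA entries under bin, sbin or lib deserve the closest look, since a clean install of the same release should not have files the reference lacks. If setting up a reference VM is too much work, the package archive itself can serve as the reference: fetch the same package versions with apt-get download, unpack them with dpkg-deb -x into one directory, and point manifest at that directory instead.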

