> > I have to ask what you would do if your server is a file server with
> > lots of big, expensive drives where a company might not be able to
> > afford replacing them all? Would they be happy with backups (keeping
> > in mind that any tools used to backup the server might no longer be
> > trustworthy)? How about disk images (made with dd, or something
> > similar) of the drives that contain the system stuff?
>
> OK. When I described replacing all hard drives I was referring to system
> disks with the OS and applications, not data files. Keeping a backup of your
> news spool probably doesn't gain you much. Just use find on the data disks
> (the copy of find on the freshly installed un-cracked system on new system
> disks) to search for suspicious files (SUID, SGID, and executables where you
> least expect them). Also search for files and directories starting in '.' in
> locations where you don't expect them. Another thing to check for is the
> most recently changed files. On a web server the content may not have
> changed for a month; any files changed in the last week would be by the
> intruder...
>
> After copying and removing all suspicious files (make sure you use tar or
> cpio, not cp, so that permissions and time stamps are preserved) then the data
> disks will be ready for service again.
>
> Make sure that boot sectors are wiped as well (on a Debian installation use
> install-mbr on every disk that has a partition table).
From my experience, police like data untampered and in exactly the same form
and such when the intrusion occurred. That means the exact same disks, not a
tape backup or something. Sometimes backups can miss stuff, or as mentioned
previously, the backup software itself could have been rooted. Actually, it
would be best to make a duplicate of the disk, USE THE DUPLICATE, and give the
police the original.

If possible, just yank the power out of the box... the reason being that if
you use 'reboot' or 'shutdown' or others, they usually run through the
shutdown scripts, and within the shutdown scripts the kiddies could've planted
something there as well. You never know. By yanking the power, no software
can write/modify the disks, and they are "preserved", more or less.

Sincerely,
Jason
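The find and tar checks from the quoted reply, run against a duplicate of the data disk as Jason suggests, as an added shell example that is not from the thread. The mount point, the fixture directory layout and the seven-day window are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: triage a duplicate of the data disk
# (assumed mounted read-only at "$1") from a freshly installed system, using
# only the clean find and tar. Directory names and day counts are assumptions.

# Regular files with the SUID or SGID bit set, as paths relative to $1.
find_setid() {
    (cd "$1" && find . -xdev -type f \( -perm -4000 -o -perm -2000 \)) | LC_ALL=C sort
}

# Dot-named files and directories anywhere under $1. Add ! -name patterns
# for dotfiles that legitimately live there (e.g. .htaccess on a web root).
find_hidden() {
    (cd "$1" && find . -xdev ! -name . -name '.*') | LC_ALL=C sort
}

# Regular files modified within the last $2 days. An intruder can forge
# mtime, so an empty result is a lead, not proof that the disk is clean.
find_recent() {
    (cd "$1" && find . -xdev -type f -mtime "-$2") | LC_ALL=C sort
}

# Archive the names read from stdin (relative to $1) into the absolute path
# $2 with tar -p, so owner, mode bits and time stamps survive; cp would
# reset them and destroy evidence.
archive_suspects() {
    (cd "$1" && tar -cpf "$2" -T -)
}

# Constructed fixture standing in for a compromised web data disk: a page
# untouched since 2020, a fresh page, and a SUID file in a dot directory.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/www/.hidden"
    echo '<html>' > "$d/www/index.html"
    echo '<html>' > "$d/www/old.html"
    touch -t 202001010000 "$d/www/old.html"
    echo 'not really a binary' > "$d/www/.hidden/backdoor"
    chmod 4755 "$d/www/.hidden/backdoor"
    echo "$d"
}

# Stand-alone run: print the three lists, then tar the set-id files.
disk=$(make_fixture)
echo "SUID/SGID:"; find_setid "$disk"
echo "Dot-named:"; find_hidden "$disk"
echo "Changed in the last 7 days:"; find_recent "$disk" 7
find_setid "$disk" | archive_suspects "$disk" "$(mktemp)"
```

Against a real disk, run the same functions with the mount point of the duplicate and review each list by hand before archiving and removing anything.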