In message <[EMAIL PROTECTED]>, "Daniel O'Connor" writes : > --nextPart1396418.se7W9MObOf > Content-Type: text/plain; > charset="iso-8859-1" > Content-Transfer-Encoding: quoted-printable > Content-Disposition: inline > > On Sat, 14 Jan 2006 14:35, anchor (sent by Nabble.com) wrote: > > My machine been hacked. The message file was modified. Old dated backup > > files are deleted. The last log was truncated. You are gurus. Would you > > please tell me where I can find out other trace file or logfiles to figu= > re > > out where the hacker come from? > > 1) Turn it off > 2) Put a new hard disk in it and install FreeBSD freshly on the new disk > 3) Mount the old disk read only and recover all the data you can (no =20 > executables) > 4) Do forensics on the old disk, and/or back it up to tape.
> 5) Nuke the contents of the old disk. > > Basically it is really hard to trust any code run from the old disk although > as someone suggested DDB is most likely to be OK, but you never know :) Probably but if a KLD rootkit was installed, you can't even trust DDB. To be on the safe side, panic the system and capture a core dump. Then remove the hard disk and analyse that using one of the various analysis tools on the market. If you dd the disk to another disk or tape, it is likely that if you do discover the perpetrator and take him to court, your evidence will not be admissible. Only evidence collected by a forensic analysis tool is admissible in court. Cheers, Cy Schubert <[EMAIL PROTECTED]> Web: http://www.komquats.com and http://www.bcbodybuilder.com FreeBSD UNIX: <[EMAIL PROTECTED]> Web: http://www.FreeBSD.org BC Government: <[EMAIL PROTECTED]> "Lift long enough and I believe arrogance is replaced by humility and fear by courage and selfishness by generosity and rudeness by compassion and caring." -- Dave Draper _______________________________________________ freebsd-hackers@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "[EMAIL PROTECTED]"
