> I've never dealt with an intrusion before, but I am the tech for the
That's all you need to say.
The server logs probably won't tell you exactly what happened, and it
doesn't matter anyway. ANYTIME you have a hack, regardless of how
trivial, you rebuild from scratch.
Why? Because you'll never know what was left behind. I've been doing
post-mortum analysis of hacked boxes for years, and I still don't trust
my own abilities to find everything -- thus they all get rebuilt
offline, and nothing that's executable (directly or otherwise), and no
config files get restored.
More specifics on the exact config, and we can give links on how to
secure the next install (eg: what httpd, what O/S, etc.).
Cheers,
Michael Holstein CISSP GCIA
Cleveland State University
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Received on Aug 02 2005
Intro
