On Thu, Apr 24, 2003 at 04:02:56AM +0100, Dale Amon wrote:
> On Wed, Apr 23, 2003 at 10:44:34AM -0400, James Duncan wrote:
> > Obviously steps should be in place to mitigate the damage of these sorts
> > of acts.  Have steps in place to quickly replace machines that have to be
> > removed from production quickly and without warning.  Use syslog to log
> > locally AND remotely.  Have a backup of all your logs.  The smart attacker
> > will have covered their tracks.
> 
> I'd go further. If you know the machine has been
> hacked, pull the ethernet, copy the disks and swap to
> CD if you have time...
> 
> Then just wipe it and re-install. It's a very rare
> facility that actually has time for forensics. Places
> with deep enough pockets to have a senior person 
> grepping swap disks and reconstructing activity on
> one single machine and taking perhaps days or even
> weeks to do it.
> 
> It just doesn't happen very often.

There are those of us that actually do this kind of stuff for hire,
as long as we can get good images of the disk and /proc. dd is best

Tim

-- 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>> Tim Sailer (at home)             ><  Coastal Internet, Inc.          <<
>> Network and Systems Operations   ><  PO Box 671                      <<
>> http://www.buoy.com              ><  Ridge, NY 11961                 <<
>> [EMAIL PROTECTED]/[EMAIL PROTECTED]     ><  (631)924-3728  (888) 924-3728   
>> <<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Reply via email to