Re: I've been hacked...tips for a postmortem?
From: Michael Erskine (osiris@deltaville.net)Date: 11/14/02
- Next message: none: "Re: Why OpenVMS is better than linux ..."
- Previous message: : "Re: Help with iptables - RH 8.0 - stopped working after "iptables -F""
- Maybe in reply to: Gaétan Martineau: "Re: I've been hacked...tips for a postmortem?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: osiris@deltaville.net (Michael Erskine) Date: 13 Nov 2002 20:06:34 -0800
It has been my consistent observation that the most pain I can inflict
upon a cracker is facilitated by:
1) Reboot the affected host...
2) Sniff and log (from a clean host) all traffic that enters or leaves
the suspect host for a period of 4 hours.
3) Analyze the sniff logs.
4) Contact the network admins of the networks from whence he enters
your box and provide them complete copies of the sniffer dumps. Do
this via voice (contact) and ftp/scp on an arranged schedule.
This proceedure will allow you to provide them (the other network
admins) the information necessary to take the crackers tools and toys.
Crackers get really pissed when you take their toys.
-m-
- Next message: none: "Re: Why OpenVMS is better than linux ..."
- Previous message: : "Re: Help with iptables - RH 8.0 - stopped working after "iptables -F""
- Maybe in reply to: Gaétan Martineau: "Re: I've been hacked...tips for a postmortem?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
