Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: one of my servers has been compromized

From: Tim <tim-security () sentinelchicken org>
Date: Mon, 5 Dec 2011 10:05:49 -0800
For future reference, and for the benefit of people searching for
solutions to similar problems: You've made the most common rookie
mistake. You have already trashed potentially critical information
about the attack by trying to clean up the server first. Don't do
that.


Tim, while I do believe there is some truth in what you are saying here, I respectfully disagree in that this tends 
to be a run-of-the-mill IRC bot as evidenced by the Undernet advisory.  This looks like a skiddie-de-jour attack 
against PHPMyAdmin and nothing to be concerned with regarding cloning disk images and full forensics.  I do respect 
your input and thoughts though for a more targeted attack; not an IRC bot in /tmp.


Why take the risk?  You don't know what the attacker actually did
until you do some analysis.  If you do analysis before capturing a
disk image, you're destroying evidence.

Rebuilding a server is not hard.  It has a known quantity of effort
involved and reliably prevents further intrusion which leverages the
access previously gained.

On the other hand, conducting an investigation to the point where you
are reasonably sure an attacker can't continue to leverage that access
costs a lot of time and money.

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: