Re: Got hacked?

Author: daz
Date:  
To: Main PLUG discussion list
Subject: Re: Got hacked?
Jim wrote:
> Last night I came home from work and sat down at the computer. I
> noticed the lights on the DSL router were blinking very rapidly. I have
> an ftp server running on my linux box (Slackware 10.2). So I thought
> someone might have been uploading something.
> Is there anything else I should do?
>
> thanks
>


I'm going to go against the grain here with my suggestion. My first
question would be:

How important to you is it that that server stays 'pure'?
My second question:

Do you have the time/curiosity to try to find out what happened?

Back in the day, one of my servers got hacked. It was an ssh exploit
(the funny thing was that I had patched ssh for an exploit. I just
didn't see that the patch had an exploit so didn't patch the patch.
pleh). Anyway, since it was my home server and I wanted to know wtf
happened, I didn't reinstall. I did forensics. I got clean copies of
some binaries:

ls, ps, lsof, file, cat, more, sh, find, netstat, etc.

then started checking out my system. It was a tremendous learning
experience. And yes, I did it while the box was live and the jerk was
still doing his/her thing.

One of the interesting things I found out was how many other servers the
jerk found that were easily exploited :)

Of course, this depends *entirely* on how important and sensitive your
server and its data are (is?).

David
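The approach David describes (copying known-good tools onto the suspect box and checking the system with them instead of trusting the possibly trojaned ls/ps/netstat) can be made repeatable. The script below is an added example, not David's code or anything from the PLUG list: it runs the hashing tool from a trusted directory when one is available, builds a hash manifest of the binaries you care about from a clean reference root, and later re-checks the live system against that manifest, reporting files that were modified or removed. The directory name /mnt/clean/bin and the relative paths in the demo are assumptions; on a real box the manifest would come from a clean install or package files, never from the compromised host itself.

```shell
#!/bin/sh
# Added example (not from the original post): integrity-check system binaries
# against a known-good manifest using tools from a trusted directory.

# Assumption: TRUSTED_BIN holds clean, ideally statically linked copies of the
# tools we rely on (sha256sum, cut, ls, ps, ...), copied from a known-good host.
TRUSTED_BIN="${TRUSTED_BIN:-/mnt/clean/bin}"

# trusted_run CMD ARGS... : run CMD with the trusted toolkit first on PATH,
# so "trusted_run ps aux" does not execute an attacker-replaced /bin/ps.
trusted_run() {
    PATH="$TRUSTED_BIN:$PATH" "$@"
}

# hash_file FILE : print the SHA-256 of FILE, preferring the trusted sha256sum.
hash_file() {
    if [ -x "$TRUSTED_BIN/sha256sum" ]; then
        "$TRUSTED_BIN/sha256sum" "$1" | cut -d' ' -f1
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# manifest_create ROOT FILE... : emit "sha256 relative-path" for each FILE
# found under ROOT (ROOT should be a clean reference tree, e.g. a mounted
# known-good installation, not the suspect system).
manifest_create() {
    root="$1"; shift
    for f in "$@"; do
        printf '%s %s\n' "$(hash_file "$root/$f")" "$f"
    done
}

# manifest_verify ROOT MANIFEST : recompute each hash under ROOT (the live
# system, usually "/") and print one verdict per file.
# Returns 0 when every file matches, 1 when any file is MODIFIED or MISSING.
manifest_verify() {
    root="$1"; manifest="$2"; bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"; bad=1
        elif [ "$(hash_file "$root/$path")" != "$expected" ]; then
            echo "MODIFIED $path"; bad=1
        else
            echo "OK       $path"
        fi
    done < "$manifest"
    return "$bad"
}

# demo : constructed sample run in a temporary tree. Text files stand in for
# the binaries; one is tampered with and one removed after the manifest is
# taken, so the verify step shows what a trojaned ps and a deleted ls look like.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/bin"
    printf 'clean ls binary\n' > "$t/bin/ls"
    printf 'clean ps binary\n' > "$t/bin/ps"
    manifest_create "$t" bin/ls bin/ps > "$t/manifest"
    echo "--- baseline ---";  manifest_verify "$t" "$t/manifest"
    printf 'trojaned ps binary\n' > "$t/bin/ps"   # simulated replacement
    rm "$t/bin/ls"                                # simulated removal
    echo "--- after tampering ---"; manifest_verify "$t" "$t/manifest"
    rm -rf "$t"
}

[ "${1:-}" = "--demo" ] && demo
```

Run it with `--demo` to see the constructed before/after output; in practice you would generate the manifest from a clean root, keep it off the suspect host, and run `manifest_verify / manifest.txt` while reviewing the machine with `trusted_run ps`, `trusted_run netstat` and friends.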
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss