Get the Data:
1) on a different machine, download tct and burn it to a cdrom.
2) use memdump to get a memory image. Save it to another machine.
3) Poweroff (not shutdown) the machine.
4) dd the hd, so you have a clean image of what was done to the system.
Get the machine back up:
1) Re-install, off the network. If you /have/ to install 7.2, make sure you have as up-to-date rpms as possible and get all patches from progeny etc.
2) Get the machine configured to your satisfaction.
3) Disable *ALL* services you do not use.
4) enable your local firewall (for the machine, not the net). Look at what services you are going to be using, and what machines they are talking to. E.g.: ssh might need to be turned on, but it probably only needs to answer machines on the network & maybe a couple of other machines -- restrict it to that.
5) run nessus against the machine.
http://nessus.org,
http://viewpoint-security.com/nessus_talk/siframes.html
6) take a look at the vulnerability reports, and lock it down per the instructions given.
7) tie things down locally: strong filesystem permissions, chrooting, remote syslog. **REMOVING** development tools.
8) Set up tripwire, or samhain, and KEEP UP TO DATE WITH IT.
Do Forensics:
1) http://www.securityfocus.com/guest/16691
2) http://www.emergency.com/fbi-nccs.htm
Good luck,
Nick Bernstein,
http://viewpoint-security.com
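A shell version of the imaging step (step 4 under "Get the Data"), as an added example that is not part of the original post: copy the drive with dd, hash both source and image, and append the result to a custody log so the copy can later be shown to be faithful. It assumes GNU or BSD `dd` and `sha256sum`; the paths are placeholders, and in real use the image is written to a separate clean machine or external disk, never to the compromised system.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are assumptions: SRC would be
# the drive (e.g. /dev/sda), DST a file on a separate clean disk or machine.

# Print the SHA-256 hash of a file or device.
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# Copy SRC to DST sector by sector. conv=noerror,sync keeps going past unreadable
# sectors and fills them with zeros instead of aborting, so the copy completes;
# a padded image is then caught by the hash check in verify_image.
image_disk() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Hash source and image, append the result to the custody log LOG, and return 0
# only if the two hashes agree.
verify_image() {
    src=$1; dst=$2; log=$3
    src_hash=$(hash_file "$src")
    dst_hash=$(hash_file "$dst")
    if [ "$src_hash" = "$dst_hash" ]; then status=MATCH; else status=MISMATCH; fi
    {
        echo "date:   $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $src sha256=$src_hash"
        echo "image:  $dst sha256=$dst_hash"
        echo "status: $status"
    } >> "$log"
    [ "$status" = MATCH ]
}

# Image and verify in one step: non-zero if the copy failed or does not match.
acquire() {
    image_disk "$1" "$2" && verify_image "$1" "$2" "$3"
}
```

Re-run `verify_image` against the stored image before analysis to confirm it has not changed since acquisition.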