Originally Posted by kav
Where should I start?
In short: start with the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html
What you're looking for is building an understanding of the situation, which is different from the "guessing" message the first reply carries. Even without talking about evidence acquired for judicial purposes and court situations, anyone with a structured approach to diagnosing things, any investigator, will tell you that guessing is as bad as assuming, and you know what assuming makes... The checklist should guide you through most of the basic needs for gathering information like purpose of the box, date and duration of the incident, distro+release+kernel data, audit data (system, daemon and firewall logs), auth data (login db, et cetera), IDS data, installed SW versions, integrity and updates, running services, and finding "evidence" like setuid root files, LAMP piggybacking or user shell histories. There are lots of basic forensics docs on the 'net if you're interested in that, and you could also search for and read some incident response threads in this particular forum. We've handled a few.
Also, often the first thing to do would be doing nothing, except for thinking over the sequence of ops and the consequences of performing those on a system. It's not for nothing Wise Hannibal says he loves it when a plan comes together: Think. Plan. Act.
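As an added illustration of the information-gathering step the reply above describes (not code from the original post or from the CERT checklist): a small read-only triage collector that grabs several of the items the reply lists (system identity, running processes, logged-in users, listening sockets, login history, setuid root files, recently changed system files, user shell histories) in order of volatility, writes each to its own file, and hashes the set so it can be verified later. The output directory, the seven-day window for "recent" changes, the 50-line `last` limit and the choice of tools are assumptions for the example; swap in whatever your distro actually ships. It only reads the suspect host; the "do nothing first" advice still applies, so decide where the output goes (ideally removable or remote storage, not the compromised disk) before running it.

```shell
#!/bin/sh
# Example read-only triage collector (added example, not from the original
# post or the CERT checklist). Collection order follows volatility: live
# state first, on-disk data second. Nothing on the host is modified.

# run_step NAME CMD...: run CMD, save stdout+stderr to $OUT/NAME.txt.
# A missing tool is recorded as a note instead of aborting the collection,
# so the output always documents what was and was not captured.
run_step() {
    name=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$OUT/$name.txt" 2>&1 || true
    else
        echo "tool not available: $1" > "$OUT/$name.txt"
    fi
}

# collect_triage DIR: write all artifacts under DIR, print number of .txt files.
collect_triage() {
    OUT=$1
    mkdir -p "$OUT" || return 1

    # 0. collector's own notes: when and as whom this was run, on what box
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$OUT/collected_at.txt"
    run_step hostname uname -a
    run_step id id

    # 1. volatile: processes, logged-in users, listening sockets
    run_step procs ps aux
    run_step who who -a
    if command -v ss >/dev/null 2>&1; then
        run_step sockets ss -tulpn
    else
        run_step sockets netstat -tulpn     # older boxes without iproute2
    fi

    # 2. semi-volatile: login history, setuid binaries, recent changes
    run_step last last -a -n 50            # 50 entries: assumed limit
    run_step suid find / -xdev -type f -perm -4000 -ls
    # 7-day window is an assumption; widen it to the suspected incident window
    run_step recent find /etc /usr/bin /usr/sbin -xdev -type f -mtime -7 -ls

    # 3. shell histories of root and every home directory (read, never touched)
    for h in /root /home/*; do
        [ -f "$h/.bash_history" ] && \
            cat "$h/.bash_history" > "$OUT/history_$(basename "$h").txt" 2>/dev/null
    done

    # 4. hash the collected set so it can be verified after copying it off-box
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$OUT" && sha256sum *.txt > SHA256SUMS)
    fi

    ls "$OUT"/*.txt | wc -l | tr -d ' '
}

# Usage when run as a script: ./triage.sh /mnt/usb/triage-$(hostname)-$(date +%s)
if [ -n "${1:-}" ]; then
    collect_triage "$1"
fi
```

Each step is independent, so a tool that is absent on a minimal or stripped box shows up as a one-line note rather than a silent gap, which matters when you later have to say exactly what was and was not captured.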