Required Reading: Detect and Clean a hacked server (like, not)
Posted 07-26-2006 at 04:47 PM by unSpawn
I wonder what would happen (think newbie) if I would trust information from one source? Take for instance Detect and Clean a hacked server T0rnkit Tutorial which says I can completely recover a compromised and rootkitted box *just by deleting and installing some tools*. Of course *you* know that's completely wrong (and the comments say that as well) because you've read more docs (or had the experience of having to mop up after a breach). But how about someone who doesn't see the comments? Someone who's in a hurry to "fix things"? Someone who doesn't know CERT or SecurityFocus or any other sites with well-written content?
Here are two CERT docs that should start off anyone in the proper way (scope, tasks, tools):
Intruder Detection Checklist: http://www.cert.org/tech_tips/intruder_detection_checklist.html
Steps for Recovering from a UNIX or NT System Compromise: http://www.cert.org/tech_tips/root_compromise.html
---
LQ FAQ: Security references: http://www.linuxquestions.org/questions/showthread.php?threadid=45261 for more info.
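One of the first "Detect" tasks the CERT Intruder Detection Checklist describes is comparing system binaries against known-good cryptographic checksums rather than trusting whatever `ls` or `ps` on the box report. The script below is an added illustration of that step, not code from the post or from CERT: it hashes a directory tree, compares the result with a trusted baseline manifest, and classifies each difference as modified, missing or unexpected. The `demo()` scenario (a trojaned `ps`, a removed `netstat`, a hidden extra file) is constructed inside a temporary directory so the example runs offline; the caveat the post is making still applies, which is why the baseline must come from a clean install and the comparison should be run from a trusted boot medium against the mounted disk, never with the suspect host's own tools and kernel.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large binaries don't fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map every regular file under root (path relative to root) to its SHA-256.

    Symlinks are skipped: hashing the link target would let an attacker hide a
    swapped binary behind a link that still points at a clean file.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifest(baseline, current):
    """Classify differences between a trusted baseline and the current tree.

    modified   - present in both, but the hash changed (e.g. a trojaned binary)
    missing    - in the baseline but gone now (e.g. a removed logging tool)
    unexpected - on disk now but never in the baseline (e.g. a dropped backdoor)
    """
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    unexpected = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Constructed scenario: build a clean 'bin' tree, snapshot it, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        clean = {"ls": b"clean ls\n", "ps": b"clean ps\n", "netstat": b"clean netstat\n"}
        for name, content in clean.items():
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(content)

        # Baseline taken while the tree is known to be clean (in practice: from
        # install media or a pristine package set, stored off-host).
        baseline = hash_tree(root)

        # Simulated compromise: replace ps, delete netstat, drop a hidden file.
        with open(os.path.join(bin_dir, "ps"), "wb") as f:
            f.write(b"trojaned ps\n")
        os.remove(os.path.join(bin_dir, "netstat"))
        with open(os.path.join(bin_dir, ".hidden"), "wb") as f:
            f.write(b"constructed backdoor payload\n")

        report = compare_manifest(baseline, hash_tree(root))
    return report


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Every non-empty category in the report is a lead for the rest of the CERT checklist (logs, cron entries, setuid files, network listeners), not a list of things to "delete and reinstall": a modified `ps` tells you the attacker had root, which is exactly the case where the only reliable recovery is the rebuild-from-trusted-media path in the second CERT document.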