Hi everyone. Was just thinking about hypothetical bad situations that could happen. Say you have a vsftp server and it got compromised, what would you do after you remove it from the network?

It would really depend on what the issue is about. Root access compromised? missing files? unknown files just popping out of knowhere? unknown processes just kicking off even if you kill it?

You'd definitely want to figure out why it was compromised, but as above, you'd need to start with the evidence.
Ideally, take an exact copy & mount it as a data disk(s) on another system for read only access.

If you really need to get a replacement back online stat, then rebuild from scratch using known good sources, upgrade to the latest of everything you can and add on some security tools/monitoring and keep a very strict eye on it.


Can't really give specific advice without a specific example; definitely read the Stickies on the Security forum.

OK, I was more just thinking in general when I had the post, but I guess you're right, since there's so many ways it could get compromised.