Full Disclosure mailing list archives
Re: one of my servers has been compromized
From: Tim <tim-security () sentinelchicken org>
Date: Mon, 5 Dec 2011 10:05:49 -0800
> > For future reference, and for the benefit of people searching for solutions to similar problems: You've made the most common rookie mistake. You have already trashed potentially critical information about the attack by trying to clean up the server first. Don't do that.
>
> Tim, while I do believe there is some truth in what you are saying here, I respectfully disagree in that this tends to be a run-of-the-mill IRC bot as evidenced by the Undernet advisory. This looks like a skiddie-du-jour attack against PHPMyAdmin and nothing to be concerned with regarding cloning disk images and full forensics. I do respect your input and thoughts though for a more targeted attack; not an IRC bot in /tmp.
Why take the risk? You don't know what the attacker actually did until you do some analysis. If you do analysis before capturing a disk image, you're destroying evidence. Rebuilding a server is not hard. It has a known quantity of effort involved and reliably prevents further intrusion which leverages the access previously gained. On the other hand, conducting an investigation to the point where you are reasonably sure an attacker can't continue to leverage that access costs a lot of time and money.

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
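The "image first, analyse the copy" step that Tim's reply argues for, shown as an added shell example that is not part of the thread. It images a source (a block device, or here a constructed file standing in for one), hashes source and image, records both in a capture log and marks the image read-only before any analysis touches it. It assumes `dd` plus either `sha256sum` or `shasum` are present, and that the source is block-aligned (true for a real device; enforced for the stand-in file, since `conv=sync` zero-pads a trailing partial block and would otherwise change the hash).

```shell
#!/bin/sh
# Evidence-preserving disk capture (added example, not from the thread).
# Assumptions: dd and sha256sum (or shasum) exist; SRC is a block device
# or a block-aligned file used as a stand-in; OUTDIR is writable.
set -eu

# Print the SHA-256 of a file, using whichever tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# capture_image SRC OUTDIR
# Copies SRC to OUTDIR/disk.img without ever writing to SRC, hashes both,
# appends the record to OUTDIR/capture.log, locks the image read-only and
# returns 0 only when the two hashes match (i.e. the copy is faithful).
capture_image() {
    src=$1
    out=$2
    mkdir -p "$out"
    img="$out/disk.img"
    log="$out/capture.log"

    # noerror,sync: keep reading past unreadable sectors and zero-fill
    # them, so one bad block does not abort the whole acquisition and
    # offsets in the image still line up with the source.
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>>"$log"

    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")

    {
        echo "date:           $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source:         $src"
        echo "image:          $img"
        echo "sha256(source): $src_hash"
        echo "sha256(image):  $img_hash"
    } >>"$log"

    # Analysis happens on the image; make accidental modification hard.
    chmod 0444 "$img"

    [ "$src_hash" = "$img_hash" ]
}

# Constructed stand-in for the compromised host's disk: exactly four
# 4096-byte blocks of zeros with a few marker bytes written over the
# start, so the file is block-aligned like a real device. Demo only;
# no real device is touched.
make_sample_disk() {
    f=${1:-/tmp/sample_disk.raw}
    dd if=/dev/zero of="$f" bs=4096 count=4 2>/dev/null
    printf 'sample filesystem bytes\n' | dd of="$f" conv=notrunc 2>/dev/null
    echo "$f"
}

# Usage (run as root against the real device, e.g. /dev/sdb, mounted
# read-only or not at all):
#   disk=$(make_sample_disk)
#   capture_image "$disk" /tmp/evidence && echo "image verified"
```

The capture log is the first entry of the chain of custody: it ties a timestamp to the source path and the two digests, so anyone analysing `disk.img` later can show it is byte-identical to what was on the server at acquisition time. Rebuilding the host can then proceed without losing that record.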
Current thread:
- Re: one of my servers has been compromized, (continued)
- Re: one of my servers has been compromized Christophe Garault (Dec 05)
- Re: one of my servers has been compromized Paul Schmehl (Dec 05)
- Re: one of my servers has been compromized mitchell (Dec 05)
- Re: one of my servers has been compromized Larry W. Cashdollar (Dec 05)
- Re: one of my servers has been compromized Larry W. Cashdollar (Dec 05)
- Re: one of my servers has been compromized Tim (Dec 05)
- Re: one of my servers has been compromized John Jacobs (Dec 05)
- Re: one of my servers has been compromized James Condron (Dec 05)
- Re: one of my servers has been compromized John Jacobs (Dec 05)
- Re: one of my servers has been compromized Lucio Crusca (Dec 05)
- Re: one of my servers has been compromized John Jacobs (Dec 05)
- Re: one of my servers has been compromized Tim (Dec 05)
- Re: one of my servers has been compromized John Jacobs (Dec 05)
- Re: one of my servers has been compromized Guillaume Friloux (Dec 06)
- Re: one of my servers has been compromized Tim (Dec 05)
- Re: one of my servers has been compromized Valdis . Kletnieks (Dec 06)