Quote:
Originally Posted by sparek-3
I would recommend having the server reimaged and restore the accounts from backups.
That is one way to look at it; however, a more appropriate way would be to follow these steps:
#1. Do not install, reinstall or delete anything from that drive
#2. List the current open files (lsof), current processes (ps aux), and current open ports (netstat -anpe).
#3. Pull the power cord out from the box (if possible or have the data center do it)
#4. Notify all your users that there has been a compromise, notify your provider if necessary.
#5. Make a forensic image of the drive (or have the data center do it) using the Unix dd command, set the original drive in a safe place, and ensure you maintain a chain of custody on it.
#6. Go through the logs you have from Chkrootkit / Rootkit Hunter / Aide / Samhain / Snort / Integrit / Osiris or Tripwire; if the logs are on the drive itself, look at them on the image you made.
#7. Review the image of the compromised drive: was the OS/kernel current? Were all the packages up to date? What was in the world-writable directories like /tmp, /var/tmp, /dev/shm? What services were running on the drive? What were the versions of PHP, Perl, etc.?
#8. Look at the log files and logrotated files, such as wtmp, secure, messages, firewall logs, setuid files, user shell histories, and yum logs.
#9. Document any hints, hunches, or gut feelings you have on how the box was hacked.
#10. Only after your investigation and developing a plan to keep the box more secure should you install the OS on the new drive (the compromised drive should still be in a safe place), and only the user home data should be restored, chowned to the user’s username, prior to the server being live on the internet again.
#11. Contact other parties, such as law enforcement if appropriate.
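An added example for step #2 above (not code from the thread or any poster): a POSIX shell script that captures the volatile state, open files, processes and sockets, to an output directory that is assumed to be removable or remote storage rather than the compromised disk, and hashes every artifact for the chain of custody step #5 calls for. `ss`, `who` and the /proc reads are additions beyond the three commands named in the post.

```shell
#!/bin/sh
# Snapshot of volatile state before the power is pulled. OUTDIR is assumed
# to be removable or remote storage, never the compromised disk. MANIFEST
# records which tools ran (or were missing) and their exit status, and
# SHA256SUMS lets later copies of the evidence be verified.

run_and_log() {
    # run_and_log <outdir> <label> <command...>: save output, note exit status.
    outdir="$1"; name="$2"; shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s\n' "$name: SKIPPED ($1 not found)" >> "$outdir/MANIFEST"
        return 0
    fi
    if "$@" > "$outdir/$name.txt" 2>&1; then rc=0; else rc=$?; fi
    printf '%s\n' "$name: $* (exit $rc)" >> "$outdir/MANIFEST"
}

hash_artifacts() {
    # SHA-256 over every captured file; falls back to shasum on BSD-like hosts.
    outdir="$1"
    if command -v sha256sum >/dev/null 2>&1; then hasher="sha256sum"
    elif command -v shasum >/dev/null 2>&1; then hasher="shasum -a 256"
    else
        printf '%s\n' "hashing: SKIPPED (no sha256 tool)" >> "$outdir/MANIFEST"
        return 0
    fi
    (cd "$outdir" && $hasher ./*.txt > SHA256SUMS)
}

collect_volatile() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$outdir/collected_at.txt"
    # The three commands from the post, plus ss where netstat is not installed
    # and a few /proc views that are lost once the box is powered off.
    run_and_log "$outdir" lsof     lsof -n -P
    run_and_log "$outdir" ps       ps aux
    run_and_log "$outdir" netstat  netstat -anpe
    run_and_log "$outdir" ss       ss -tulpan
    run_and_log "$outdir" who      who -a
    run_and_log "$outdir" mounts   cat /proc/mounts
    run_and_log "$outdir" modules  cat /proc/modules
    hash_artifacts "$outdir"
}

# Usage: sh collect_volatile.sh /mnt/evidence/hostname   (the path is an assumption)
if [ -n "${1:-}" ]; then collect_volatile "$1"; fi
```

Run it as root so lsof and netstat can see every process; the MANIFEST line for each tool shows whether it ran or was skipped.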