> No offense intended, but this is some of the WORST advice I've heard on
> this list to date.
>
> If you fear you may have been compromised, by all means, and for the
> love of us all, unplug your network cable at once. If for no other
> reason than this: Your system could possibly be launching attacks at
> other systems unbeknownst to you, for which you can be held legally and
> financially accountable.
>

No offence taken. It's worth thinking of a bigger picture. The vast majority of *nix boxes are servers. They are production machines and you simply cannot pull the cable out. You need time to migrate the service to a new machine. I know in an ideal world you'd have backup servers for each service, but most of us tend to have one backup machine that gets reconfigured when it needs to take the place of a production machine. This takes time. You do have time. As long as the data is intact and the services the machine is intended to provide are running, your personal job security is way more important than protecting other people's networks.

> Unplug it NOW, and start doing some digging to find out what's really
>

This works for desktop machines. When you unplug a production machine, the first thing you lose is time, because you have the users, the users' managers, your manager and the office teaboy banging on the machine room door demanding that their accounts be restored, web pages put back online or whatever. Under those circumstances, opening that door means you have a busy day on your hands, and forget about computers!

> Running a script to repeatedly kill the process will only burn your CPU
> cycles; if indeed the process is "Respawning because it's a trojan" the
> reality of the situation is that other things on your system have been
> tampered with. If there's some recurring process (via cron or something)
> that restarts the app, a better (but still bad) idea would be to stop
> that cron job. IMO, the only acceptable course of action is to pull your
> cables and get down and dirty with some forensics.
>

It's important not to panic. Take a deep breath. Assume the worst: that not just this machine but others are compromised. In all probability, it's a fellow employee from within the firewall that's done it. Get your data back and then reformat the machine. You have no problem if your machine stays up and infected while you are getting your data back. It's not your job to protect the Internet. You will be fired if you lose data or deprive your users of an important service. The most important thing is to get the replacement right. This can't happen twice. And remember that a colleague is the most likely bad guy. Changing the combination of the keypad on the machine room door is the best form of defence!

--
Patrick "sig free and joyful" Kirk
GSM: +44 7876 560 646
ICQ: 42219699