> > For future reference, and for the benefit of people searching for > > solutions to similar problems: You've made the most common rookie > > mistake. You have already trashed potentially critical information > > about the attack by trying to clean up the server first. Don't do > > that. > > Tim, while I do believe there is some truth in what you are saying here, I > respectfully disagree in that this tends to be a run-of-the-mill IRC bot as > evidenced by the Undernet advisory. This looks like a skiddie-de-jour attack > against PHPMyAdmin and nothing to be concerned with regarding cloning disk > images and full forensics. I do respect your input and thoughts though for a > more targeted attack; not an IRC bot in /tmp.
Why take the risk? You don't know what the attacker actually did until you do some analysis. If you do analysis before capturing a disk image, you're destroying evidence. Rebuilding a server is not hard. It has a known quantity of effort involved and reliably prevents further intrusion which leverages the access previously gained. On the other hand, conducting an investigation to the point where you are reasonably sure an attacker can't continue to leverage that access costs a lot of time and money. tim _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
