An excellent post-mortem analysis of a compromised Linux server.
Posted on August 24, 2007
I ran across this article on Slashdot that an admin wrote about investigating a compromised Ubuntu server. The article is well written, making for a good read, and does a fairly good job at investigating the compromised machine.
Of course this type of forensics is probably more the arena of law enforcement or other legal prosecution, as I wouldn’t ever consider a cracked machine, regardless of the cleanup effort, to be 100% remediable. It’s just not possible to be absolutely sure you’ve covered every possible backdoor even when you have a good, incorruptible tripwire DB and binary. IMHO it’s generally always safer to rebuild from scratch and transpose the data on a web server with a good air-gap technique from backups.
-John W