Books for you

. After you??™ve thought about it and decided the compromised machine is not really
required on the network, take the machine offline. You may decide that the chances
of your attacker coming back are slim, and so you don??™t want to try luring him or
her back.
What to Do if You??™ve Been Hacked 489
23
. Start reviewing your log files, and store them somewhere else. Because log files can
be edited??”they are just text files, after all??”there may still be useful information in
them that can help you track down the attacker.
. Check /etc/passwd for unauthorized users. Although you should be using shadow to
store your genuine user passwords, invaders often create new users in /etc/passwd
in hopes that some applications just check that file to confirm permissions. If you
see a user you don??™t recognize or can??™t verify, remove it immediately.
. Run lsof to obtain a list of open files. The ??“p option can be used to specify a
process ID number (such as a suspected user??™s shell) to limit the display to only
those open files associated with them.


Pages:
930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954