If you are serious about either figuring out how they did it, or further prosecution, you need to do the following:
1) Turn off the computer immediately, if possible. If not, then unmount as many filesystems as possible and re-mount them read-only.
2) Make an image of the hard drive now, before you change anything else. Preferably to a write-once medium like CD-R or DVD-R.
3) There's a good forensic toolkit at: http://www.atstake.com/research/tools/task/ It's free, and it'll check out the stuff in "free space", etc.

Good Luck!
Ben

----- Original Message -----
From: "Reuben D. Budiardja" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 20, 2003 10:45 AM
Subject: recover deleted log files

> Hello all,
> Is there a way to recover deleted log files (i.e. /var/log/secure and
> /var/log/message) that I can try?
>
> Two of our machines have been hacked by (I suspect) the same person in 2
> successive days. Right now we're leaning toward recovery and securing systems
> rather than trying to track down who did this. But seems to me that the
> hacker is rather ham-handed, so I am wondering if there's anything we can
> learn from the logs at all.
>
> Thanks for any help in advance.
>
> RDB
>
> --
> Reuben D. Budiardja
>
>
> --
> redhat-list mailing list
> unsubscribe mailto:[EMAIL PROTECTED]
> https://www.redhat.com/mailman/listinfo/redhat-list
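
The reply above relies on deleted log data surviving in "free space" of the disk image. As an added example (not from the thread or from the toolkit it links to), this Python script hashes a raw image copy and scans it for strings in the classic syslog layout. The regular expression, the function names and the sample bytes are assumptions constructed here.

```python
import hashlib
import mmap
import re
import sys

# Assumed classic syslog layout: "Jun 19 23:41:07 host program[pid]: message"
SYSLOG_RE = re.compile(
    rb"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ 123]\d "
    rb"\d{2}:\d{2}:\d{2} [\w.-]+ [\w./()-]+(?:\[\d+\])?: [\x20-\x7e]{1,1024}"
)

def sha256_file(path, block=1 << 20):
    """Hash the image so later copies can be checked against the original."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()

def carve_syslog(image_path):
    """Return [(byte_offset, line)] for each syslog-looking string in a raw image."""
    hits = []
    with open(image_path, "rb") as f:  # read-only: the image is never modified
        try:
            data = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
        except ValueError:  # a zero-length file cannot be mapped
            return hits
        with data:
            for m in SYSLOG_RE.finditer(data):
                hits.append((m.start(), m.group().decode("ascii")))
    return hits

# Constructed sample: two "deleted" log lines left between binary junk.
SAMPLE_IMAGE = (
    b"\x00" * 512
    + b"Jun 19 23:41:07 host1 sshd[1234]: Accepted password for root from 192.0.2.10 port 4022\n"
    + b"\xff\xfe\x00\x13" * 64
    + b"Jun  9 03:02:11 host1 su(pam_unix)[88]: session opened for user root by (uid=500)\x00"
    + b"not a log line 12:00:00\n"
)

if __name__ == "__main__":
    path = sys.argv[1]  # path to a raw image file (a copy, not the live disk)
    print("sha256", sha256_file(path))
    for offset, line in carve_syslog(path):
        print(f"{offset:#012x}  {line}")
```

The byte offsets let each carved line be located again in the image with a hex viewer or a forensic toolkit; lines recovered this way have no file name or ordering guarantee attached.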