Check these docs at Cert http://www.cert.org/tech_tips/intruder_detection_checklist.html
On Fri, 2003-06-20 at 11:53, Benjamin J. Weiss wrote:
> If you are serious about either figuring out how they did it, or further
> prosecution, you need to do the following:
>
> 1) Turn off the computer immediately, if possible. If not, then unmount as
> many filesystems as possible and re-mount them read-only.
>
> 2) Make an image of the hard drive now, before you change anything else.
> Preferably to a write-once medium like CD-R or DVD-R.
>
> 3) There's a good forensic toolkit at:
> http://www.atstake.com/research/tools/task/ It's free, and it'll check out
> the stuff in "free space", etc.
>
> Good Luck!
>
> Ben
> ----- Original Message -----
> From: "Reuben D. Budiardja" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, June 20, 2003 10:45 AM
> Subject: recover deleted log files
>
>
> > Hello all,
> > Is there a way to recover deleted log files (i.e. /var/log/secure and
> > /var/log/messages) that I can try?
> >
> > Two of our machines have been hacked by (I suspect) the same person on 2
> > successive days. Right now we're leaning toward recovery and securing
> > systems rather than trying to track down who did this. But it seems to me
> > that the hacker is rather ham-handed, so I am wondering if there's anything
> > we can learn from the logs at all.
> >
> > Thanks for any help in advance.
> >
> > RDB
> >
> > --
> > Reuben D. Budiardja
> >
> >
> > --
> > redhat-list mailing list
> > unsubscribe mailto:[EMAIL PROTECTED]
> > https://www.redhat.com/mailman/listinfo/redhat-list

--
Michael Gargiullo <[EMAIL PROTECTED]>
Warp Drive Networks
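Ben's steps 1-3 in script form, as an added example that is not part of the thread or of the TASK toolkit: image the device bit-for-bit, hash source and image to show the copy is faithful, then carve syslog-style records out of the raw image, which also recovers lines left in unallocated space after /var/log/secure or /var/log/messages was deleted. Device paths are placeholders, and a constructed file stands in for the disk so it runs without root.

```shell
#!/bin/sh
# Added example, not from the thread. Acquire a raw image of a device,
# verify it by hash, then carve syslog-style records from the image,
# including records in unallocated ("free") space left by a deleted log.
# Device paths are placeholders; a constructed file stands in for the
# disk so this runs without root. Against a real system, run it from a
# rescue boot or a read-only mount and never write to the source device.
set -eu

# image_device SRC DEST: raw copy plus SHA-256 of both sides.
# Succeeds only if the image hashes the same as the source.
image_device() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
    sha256sum "$1" | awk '{print $1}' > "$2.src.sha256"
    sha256sum "$2" | awk '{print $1}' > "$2.sha256"
    cmp -s "$2.src.sha256" "$2.sha256"
}

# carve_log_lines IMAGE: print every record shaped like
# "Jun 20 10:45:01 host prog[pid]: message", deduplicated, regardless
# of whether the filesystem still references the block it sits in.
carve_log_lines() {
    grep -a -o -E \
      '[A-Z][a-z]{2} [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2} [^ ]+ [^ ]+: [^[:cntrl:]]*' \
      "$1" | sort -u
}

# make_sample_device PATH: constructed 1 MiB "disk" of zeros with two
# syslog-style records written at arbitrary offsets, the way deleted log
# blocks survive until something overwrites them. Sample data only.
make_sample_device() {
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf 'Jun 20 10:45:01 box sshd[4242]: Accepted password for root from 192.0.2.10 port 5555 ssh2\n' |
        dd of="$1" bs=1 seek=70000 conv=notrunc 2>/dev/null
    printf 'Jun 20 10:46:12 box su(pam_unix)[4301]: session opened for user root\n' |
        dd of="$1" bs=1 seek=500000 conv=notrunc 2>/dev/null
}

# demo: acquire the sample device and show what can be carved from it.
demo() {
    work=$(mktemp -d)
    make_sample_device "$work/dev"
    image_device "$work/dev" "$work/dev.img"
    carve_log_lines "$work/dev.img"
    rm -rf "$work"
}

demo
```

Carving by pattern finds fragments the filesystem no longer lists, but it cannot tell a record that was deleted from one that was never in a log at all, so treat the output as leads to confirm against the image, not as the log itself.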