These classnotes are deprecated. As of 2005, I no longer teach the classes. The notes will remain online for legacy purposes.

UNIX03/General Behavior


If you are physically present while an attack is happening, and doing so will not adversely affect any business transactions, simply unplug the NIC until you can figure out what the intruder did and secure the box. Disabling the network at layer 1 (physically pulling the cable) is the only true way to keep the attacker out of the compromised box.

If you really want to fix the compromise quickly, you should remove the compromised host from your network and re-install the operating system from scratch. A reinstall alone may not help if you do not know how the intruder got root, since the same hole will still be there afterwards. In that case you must check everything: the firewall logs, file integrity against a known-good baseline, the loghost's copies of the logfiles, and so on. For more information on what to do following a break-in, see
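The file-integrity check mentioned above, as an added example that is not part of the original notes: it hashes a directory tree, compares it against a baseline manifest that is assumed to have been taken before the break-in and stored off the box, and reports what changed. The sample tree and the tampering applied to it are constructed inside the script.

```python
import hashlib
import os
import tempfile

# Added example, not from the original class notes. The baseline manifest
# (relative path -> SHA-256) is assumed to have been built before the
# compromise and kept off the host (e.g. on the loghost); a manifest stored
# on the compromised box itself cannot be trusted, since the intruder could
# have rewritten it along with the files it describes.

def sha256_file(path):
    """Hash one file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Walk root and record the SHA-256 of every regular file by relative path."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def compare_to_baseline(baseline, current):
    """Return files modified, added or removed relative to the trusted baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}

def demo():
    """Constructed scenario: baseline three files, then simulate tampering
    (a replaced binary, a dropped config file, a wiped log) and diff."""
    with tempfile.TemporaryDirectory() as root:
        seed = {"bin/ls": b"ls-v1", "etc/passwd": b"root:x:0:0", "var/log/auth.log": b"ok"}
        for name, data in seed.items():
            os.makedirs(os.path.dirname(os.path.join(root, name)), exist_ok=True)
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = build_manifest(root)  # taken before the break-in, kept off-box
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"replaced binary")  # simulated: system binary swapped out
        with open(os.path.join(root, "etc/rootkit.conf"), "wb") as f:
            f.write(b"new file")         # simulated: unexpected new file
        os.remove(os.path.join(root, "var/log/auth.log"))  # simulated: log wiped
        return compare_to_baseline(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

Any file listed under "modified" or "missing" should be compared against the loghost's copy of the logs rather than trusted as-is.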



Last edited June 28, 2003 4:15 am (diff)
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.