[Full-disclosure] one of my servers has been compromized
tim-security at sentinelchicken.org
Mon Dec 5 18:05:49 GMT 2011
> > For future reference, and for the benefit of people searching for
> > solutions to similar problems: You've made the most common rookie
> > mistake. You have already trashed potentially critical information
> > about the attack by trying to clean up the server first. Don't do
> > that.
> Tim, while I do believe there is some truth in what you are saying here, I respectfully disagree in that this tends to be a run-of-the-mill IRC bot as evidenced by the Undernet advisory. This looks like a skiddie-de-jour attack against PHPMyAdmin and nothing to be concerned with regarding cloning disk images and full forensics. I do respect your input and thoughts though for a more targeted attack; not an IRC bot in /tmp.
Why take the risk? You don't know what the attacker actually did
until you do some analysis. If you do analysis before capturing a
disk image, you're destroying evidence.
Rebuilding a server is not hard. It has a known quantity of effort
involved and reliably prevents further intrusion which leverages the
access previously gained.
On the other hand, conducting an investigation to the point where you
are reasonably sure an attacker can't continue to leverage that access
costs a lot of time and money.
Full-Disclosure is hosted and sponsored by Secunia.