should at least avoid premature aging. Here are some suggestions to get you
started:
Do not just pull out the network cable. Pulling the cable acts as an alert
that the cracker has been detected, which rules out any opportunities for
security experts to monitor for that cracker returning and actually catch
him or her.

Inform only the people who need to know. Your boss and other IT
people are at the top of the list; other employees are not. Keep in mind
that it could be one of the employees behind the attack, and you don't
want to tip off the culprit.

If the machine is not required, and you do not want to trace the
attack, you can safely remove it from the network. However, do not
switch it off because some backdoors are enabled only when the system
is rebooted.

Make a copy of all the log files on the system and store them
somewhere else. These files might have been tampered with, but they
might contain nuggets of information.

Check the /etc/passwd file and look for users you do not
recognize. Change all the passwords on the system and remove bad
users.

Check the output of ps aux to see if unusual programs are running.
Also check to see whether any cron jobs are set to run.

Look in /var/www and see whether any web pages are there that
should not be.

Check the contents of the .bash_history files in the /home
directories of your users. Are there any recent commands for your
primary user?

If you have worked with external security companies previously, call
them in for a fresh audit. Hand over all the logs you have and explain
the situation. They will be able to extract all the information from the
logs that is possible to extract.

Start collating backup tapes from previous weeks and months. Your
system might have been hacked long before you noticed, and you might
need to roll back the system more than once to find out when the attack
actually succeeded.
Download and install Rootkit Hunter from
http://rkhunter.sourceforge.net/. This tool searches for and removes the
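The passwd, log-preservation and .bash_history checks from the list above, as a small set of shell helpers. This is an added example, not code from the book; the sample passwd file, the known-users list and the function names are constructed for illustration, and each function takes explicit paths so it can be run against a mounted copy of the suspect disk rather than the live system.

```shell
# Post-compromise triage helpers (added example, not from the book).
# The sample files below are constructed so the script runs offline.

# Accounts worth a look: any UID 0 account other than root, and any account
# with a real login shell that is not listed in the known-users file $2
# (one username per line). Prints name:uid:shell.
suspicious_accounts() {
    awk -F: 'FILENAME == ARGV[1] { known[$1] = 1; next }
        ($3 == 0 && $1 != "root") ||
        ($7 !~ /\/(nologin|false|sync|halt|shutdown)$/ && !($1 in known)) {
            print $1 ":" $3 ":" $7
        }' "$2" "$1"
}

# Copy the logs in $1 to evidence directory $2, record a SHA-256 of each
# copy and make the copies read-only, so later tampering can be detected
# with "sha256sum -c MANIFEST.sha256" inside $2.
preserve_logs() {
    mkdir -p "$2"
    cp -p "$1"/* "$2"/
    ( cd "$2" && sha256sum * > MANIFEST.sha256 )
    chmod -R a-w "$2"
}

# Last $2 commands from each .bash_history below home root $1, prefixed
# with the user name (the file is easy to edit, so treat it as a hint only).
recent_history() {
    for h in "$1"/*/.bash_history; do
        [ -f "$h" ] || continue
        u=$(basename "$(dirname "$h")")
        tail -n "$2" "$h" | sed "s/^/$u: /"
    done
}

# Constructed sample passwd: "sysadm" is a second UID 0 account and
# "backup2" an unexpected login account; "alice" is a known user.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sysadm:x:0:0::/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup2:x:1001:1001::/home/backup2:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
KNOWN_USERS=$(mktemp)
printf 'root\nalice\n' > "$KNOWN_USERS"
suspicious_accounts "$SAMPLE_PASSWD" "$KNOWN_USERS"
```

On a real system, point suspicious_accounts at /etc/passwd with a known-users list taken from a pre-incident backup, and preserve_logs at /var/log with a destination on separate media.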