> > Mistakes Made in Incidence Response: > ----------------------------------- > > 1) Don't log in as root on a machine that most likely has been > compromised. Bsd things can happen. > > 2) Don't go around blithely executing binaries. (I feel rather stupid > about that) > > 3) Do *immediately* take the machine offline, and mount the disks on > another system for analysis. If mounting on another system, and your OS supports it, mount with the 'noexec' option, to make sure you don't accidently infect another system, as well as the rdonly flag to make sure you don't damage evidence. You may also want to consider 'noatime', to keep things really pristine, if you don't go 'ro'. noexec Do not allow execution of any binaries on the mounted file system. This option is useful for a server that has file systems containing binaries for architectures other than its own. Kevin
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:32:22 PDT