Hello,

I just want to add one thing to what has already been said.

On Mon, 29 Jul 2002, Ingram wrote (in part):

> after I've seen that I (*maybeafailure*) stopped these two services with
> 'kill' and halted the machine.

<and>

> 3) My forensic...
> I turned power off, and put the hard disk into my develop box, mounting it
> read-only.
> laboratory# mount -o ro /dev/ad1s4 /mnt

I wouldn't immediately halt and then power off the machine. The correct
procedure, in my opinion, is to yank the ethernet cord out of the back of the
box. If the Script Kiddie is still logged on to the machine (as he was, in the
case of a Redhat box of mine that was "owned" a year and a half ago), his
environment is still active: you can see what commands he had going, and, from
his point of view, his connection just mysteriously dropped. (In other words,
he wouldn't have a chance to clean up after himself like he might if he saw
you killing his processes or something like that.)

Best regards,
Ken Parker (develat_private)

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
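The ordering Ken argues for (network cable out first, volatile state recorded while the intruder's sessions are still visible, power off last, evidence disk mounted read-only on a separate box) as a small added shell example; this is not code from the original post or the list, and the output directory, device path and mount point are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot the live, volatile
# state of a suspect host AFTER the network cable is pulled but BEFORE any
# halt or power-off, then mount the evidence disk read-only for offline review.
# Output directory, device path and mount point are assumptions.

# Write each command's output to its own file under $1. Tools that are not
# installed (a minimal system may lack netstat or ss) are skipped rather
# than aborting the capture, so one missing binary does not lose the rest.
collect_volatile() {
    out="$1"
    mkdir -p "$out" || return 1
    date -u > "$out/captured_at.txt"
    for cmd in "w" "who -a" "netstat -an" "ss -tanp" "last -n 50"; do
        name=$(printf '%s' "$cmd" | cut -d' ' -f1)
        if command -v "$name" >/dev/null 2>&1; then
            $cmd > "$out/$name.txt" 2>&1
        fi
    done
    # Process list with parent PIDs and controlling ttys: this is what shows
    # which commands a still-logged-on intruder had running and from where.
    ps -eo pid,ppid,user,etime,tty,args > "$out/ps_tree.txt" 2>&1 || return 1
    # Hash everything captured so later tampering with the capture is detectable.
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$out" && sha256sum ./*.txt) > "$out/MANIFEST.sha256"
    else
        (cd "$out" && shasum -a 256 ./*.txt) > "$out/MANIFEST.sha256"
    fi
    return 0
}

# Mount the evidence disk strictly read-only on the analysis box; noexec and
# nosuid keep anything planted on it from running there, noatime avoids
# touching access times even if a driver ignores ro. (Linux also accepts nodev.)
mount_evidence() {
    mount -o ro,noexec,nosuid,noatime "$1" "$2"
}

# Usage, as root:
#   collect_volatile /mnt/usb/case01     # on the isolated suspect host
#   mount_evidence /dev/ad1s4 /mnt       # later, on the analysis box
```

Capture to removable media rather than the suspect disk itself, so the evidence partition is not written to before it is imaged.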
This archive was generated by hypermail 2b30 : Thu Aug 01 2002 - 18:31:34 PDT