If your box is cracked then the first thing to do is to take steps to make sure the box is fully under your control, not go off to try and find the cracker. If she left traces, or you recorded traces, then you can save that task for a later stage.
Note steps 1 tru 3 should be taken as soon as possible. The decision should be made according to what you know (or perceive) wrt damage done and the risk to data, machine and network. Other reasons usually do not lead to a valid decision. While steps 1 tru 3 should be taken ASAP, and 4 tru 6 right after, you should perform these tasks at a pace you can handle. Stress usually leads to sloppiness and making mistakes. Also try not to
assume things: investigate, make certain (time and knowledge permitting).
I. First read this doc: Intruder Detection Checklist (CERT):
http://www.cert.org/tech_tips/intrud...checklist.html,
II. Next record volatile information like network connections, process and open files details,
III. Next decide, based on what you know or suspect, if the box was compromised so severely that you should either shut it down completely or could mitigate the situation by disabling services and restricting access (firewall) to your management IP (range). If you decide the situation is serious enough to shut down, only boot again from a Live CD like HELIX, KNOPPIX(-STD) or equivalent,
IV. Only after stabilising prepare off-site backups (configuration and logging data, usually /etc/and /var) or dd images for an in-depth investigation. Do not make backups for direct reuse because at this stage you don't know what's been tampered with,
V. Now you got backups run any verification methods you have like file integrity checkers, package managers, chkrootkit, Rootkit Hunter (if installed),
VI. Next we need to build an understanding of the situation. So in addition to Frob's questions, what's:
- the location (home, colo, office) and purpose of the box (available services), the (perceived) date of incident and the distro/release/kernel?
- Looking at the logs you saved, data from adjacent machines, IDSes, routing devices does any of the audit data, auth data, IDS, system, daemon and firewall logs show traces of "weird behaviour", irregularities or illegitimate access?
- What software was installed?, was it all kept updated?
- Are there any setuid root files in temp dirs?
- Processes piggybacking on your LAMP setup?
- Do user shell histories reveal things?
* The more info you give us, the better we will be able to give you advice tailored to your situation.
VII. Finally if we can determine the box was compromised severely the next steps are to repartition, reformat, re-install from scratch. For that read: Steps for Recovering from a UNIX or NT System Compromise (CERT):
http://www.cert.org/tech_tips/root_compromise.html
VIII. Then you want to harden the box. Maybe the LQ FAQ: Security references:
http://www.linuxquestions.org/questi...threadid=45261 could help. Remember security is not applied once, you'll have to audit and adjust constantly.
