Getting hacked is one of an administrator's biggest fears, and one worth facing consciously and with clear intent. If you are hacked, it is imperative that you act swiftly to limit further damage and to preserve the evidence, which may later be needed to press charges against the perpetrators. If your system is compromised, there are several things you should do:
- Immediately remove the system from the network.
- Take a disk image of the server immediately after the compromise is discovered, before anything on it is changed.
- Check with your software and hardware vendors to determine what vulnerability was exploited and how to prevent it from happening again.
- Check log files for evidence.
- Change passwords for any affected systems; social engineering attacks (as popularized by the ILOVEYOU virus) are startlingly common and effective.
- Document what you've learned and develop an incident response plan. Cover both internal and external servers.
Consider using intrusion detection software such as Tripwire or Intrusion's SecureNet Pro, which can alert you to attacks as they happen.
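As an added example of the "preserve the evidence" and "check log files for evidence" steps above (not code from the original article), the script below hashes a copy of an sshd log before analysing it, so the collected copy can later be shown to be unaltered, and then walks the lines looking for the pattern a brute-force login leaves behind: repeated failures from one source followed by an accepted login. The log lines and the failure threshold are constructed assumptions.

```python
import hashlib
import json
import re
from collections import defaultdict

# Constructed sample sshd lines in syslog format, standing in for /var/log/auth.log.
SAMPLE_LOG = """\
Mar  3 02:14:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51122 ssh2
Mar  3 02:14:03 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51124 ssh2
Mar  3 02:14:05 web1 sshd[2102]: Failed password for admin from 203.0.113.5 port 51130 ssh2
Mar  3 02:14:09 web1 sshd[2103]: Accepted password for root from 203.0.113.5 port 51140 ssh2
Mar  3 02:20:44 web1 sshd[2150]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
"""

# Matches both successful and failed sshd authentication records.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def triage_auth_log(text, fail_threshold=3):
    """Per source address: number of failures, accepted logins (time, user),
    and whether a success came after at least fail_threshold failures."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": [], "suspicious": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd auth record; leave it for other checks
        entry = stats[m["src"]]
        if m["result"] == "Failed":
            entry["failed"] += 1
        else:
            entry["accepted"].append((m["ts"], m["user"]))
            if entry["failed"] >= fail_threshold:
                entry["suspicious"] = True
    return dict(stats)

def evidence_record(text):
    """Hash the raw log text before analysis; the digest is recorded with the
    findings so the copy taken at collection time can be verified later."""
    digest = hashlib.sha256(text.encode()).hexdigest()
    return {"sha256": digest, "lines": len(text.splitlines()),
            "findings": triage_auth_log(text)}

if __name__ == "__main__":
    print(json.dumps(evidence_record(SAMPLE_LOG), indent=2))
```

In practice the same digest step is applied to the disk image from step two, and the record is kept off the compromised host.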