At this point, you have detected a break-in. If your budget and preparation allowed it, it is assumed that you have switched over to "Auxiliary Control," a Security Backup System (SecBack) that is to be used when the primary system is compromised; this buys you time to find the damage while still serving your users. Assume that the crackers may have obtained root and were careful about covering their tracks. This means that you cannot trust anything on the disk or in memory of the compromised system: its logs, its binaries, its running processes, or its kernel. Hopefully, you ensured that log files were duplicated in real time onto another system that was not penetrated, that you made periodic backups which are kept in secure storage, and so on, because these untampered copies are what you will compare the compromised system against. Techniques for duplicating log files in real time are explained in "The syslogd and klogd Daemons" on page 686. The topics covered in this chapter include:
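The reason the chapter insists on a remote copy of the logs is that it is tamper-evident: a cracker with root can trim /var/log/messages on the compromised host but cannot reach the loghost's copy, so anything present remotely and absent locally is a line the cracker removed. The following added example (my own, not code from the book) shows that comparison as a small POSIX shell script. It assumes the classic arrangement the chapter relies on, a syslog.conf line of the form `*.*  @loghost` forwarding every message to an unpenetrated loghost; the file names and the log lines themselves are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the book. Assumes the host forwarded every syslog
# message to an unpenetrated loghost (traditional syslog.conf: "*.*  @loghost"),
# so the loghost's copy is trusted and the local file is not. Paths and log
# lines below are constructed for the demonstration.

# Print lines present in the trusted remote copy but absent, as exact whole
# lines, from the local copy. These are the lines the cracker deleted.
# "|| true" keeps a clean comparison (grep exit 1, no output) from aborting
# a script run under "set -e".
removed_lines() {
    local_log=$1
    remote_log=$2
    grep -F -x -v -f "$local_log" "$remote_log" || true
}

# Number of removed lines; 0 means the two copies agree.
removed_count() {
    removed_lines "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample: the cracker logged in as root from 192.0.2.44 and then
# deleted the two sshd lines recording it from the local file. The loghost
# still has them.
write_samples() {
    dir=$1
    cat > "$dir/messages.local" <<'EOF'
Mar  1 02:11:05 host sshd[4112]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar  1 02:15:40 host cron[4200]: (root) CMD (run-parts /etc/cron.hourly)
EOF
    cat > "$dir/messages.loghost" <<'EOF'
Mar  1 02:11:05 host sshd[4112]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar  1 02:13:17 host sshd[4150]: Failed password for root from 192.0.2.44 port 40311 ssh2
Mar  1 02:13:22 host sshd[4150]: Accepted password for root from 192.0.2.44 port 40311 ssh2
Mar  1 02:15:40 host cron[4200]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Stand-alone demonstration: write the samples to a temporary directory,
# report what the cracker removed, and clean up.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    echo "Lines missing from the local log ($(removed_count "$dir/messages.local" "$dir/messages.loghost") removed):"
    removed_lines "$dir/messages.local" "$dir/messages.loghost"
    rm -rf "$dir"
}

demo
```

Run it against the real files by copying the loghost's /var/log/messages to the analysis machine (never onto the compromised host) and calling `removed_lines /mnt/compromised/var/log/messages messages.loghost`. The check is deliberately exact-line: a cracker who edits timestamps or PIDs rather than deleting lines will also show up, because the altered local line no longer matches the trusted one.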