Date: Fri, 06 Nov 1998 11:55:19 -0700
From: Brett Glass <brett@lariat.org>
To: Sean Harding <sharding@oregon.uoregon.edu>, "Alexander B. Povolotsky" <tarkhil@synchroline.ru>
Cc: mwlucas@exceptionet.com, freebsd-security@FreeBSD.ORG
Subject: Re: *huge* setuid diffs
Message-ID: <4.1.19981106115353.04ca84a0@127.0.0.1>
In-Reply-To: <Pine.SGI.4.02.9811060908460.14551-100000@gutenberg.uoregon.edu>
References: <199811061419.RAA01848@enterprise.sl.ru>

That's good advice, especially if the intruder has killed syslogd.

--Brett

At 09:10 AM 11/6/98 -0800, Sean Harding wrote:

>On Fri, 6 Nov 1998, Alexander B. Povolotsky wrote:
>
>> *IMMEDIATELY* shut down both servers and do not bring them to Internet until
>> you've found the reason.
>
>Actually, I recommend pulling it off the network, but not shutting it
>down. If you have had an intrusion, shutting it down will destroy much of
>the evidence (running processes, etc). You'll have a much harder time
>determining what has been done.
>
>sean
>
>--
>Sean Harding sharding@oregon.uoregon.edu|"Remember how it all began
>http://gladstone.uoregon.edu/~sharding/ | The apple and the fall of man"
>Consulting: http://www.efn.org/~seanh/ | --Natalie Merchant
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.1.19981106115353.04ca84a0>
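
The advice in this thread (isolate the host but keep it running, and check whether syslogd is still alive) can be carried out with a snapshot script like the following. This is an added example, not code from any of the posters; the output directory, file names and choice of commands are assumptions of the example.

```shell
#!/bin/sh
# Added example: snapshot the volatile state of a host that has been pulled
# off the network but left running. Paths and file names are assumptions.
# Point the output directory at external media, not the suspect disk.

# Run one command, saving its output to $outdir/<name>.txt; a missing tool
# is logged and skipped rather than treated as an error.
capture() {
    name=$1; shift
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "skipped $name: $1 not found" >>"$outdir/collection.log"
        return 0
    fi
    "$@" >"$outdir/$name.txt" 2>&1 || true
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) captured $name: $*" >>"$outdir/collection.log"
}

# Succeeds if a syslogd process appears in a saved process listing.
syslogd_running() {
    grep -Eq '(^|[ /])syslogd( |$)' "$1"
}

collect_volatile() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    : >"$outdir/collection.log"
    capture processes ps auxww
    capture sockets netstat -an
    capture logins who
    capture uptime uptime
    capture mounts mount
    if [ -f "$outdir/processes.txt" ] && ! syslogd_running "$outdir/processes.txt"; then
        echo "WARNING: no syslogd in process list; logging may have been killed" \
            >>"$outdir/collection.log"
    fi
    # Hash the captures so later tampering is detectable (sha256 on FreeBSD,
    # sha256sum on Linux).
    for h in sha256 sha256sum; do
        if command -v "$h" >/dev/null 2>&1; then
            (cd "$outdir" && "$h" *.txt >MANIFEST 2>/dev/null) || true
            break
        fi
    done
    return 0
}

if [ $# -gt 0 ]; then collect_volatile "$1"; fi
```

Binaries on a compromised host may themselves have been replaced, so where possible run the script with known-good tools from read-only media.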