Compromised System

From Atomicorp Wiki
Revision as of 13:30, 27 May 2007 by Scott (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Compromised System checklist

Abstract:

The following is a checklist of tasks to perform when a hosting system has been compromised, to ensure you have all the appropriate data to recover the system and ensure that it will not be compromised again. A key to rapid recovery is to use ASL to minimize the forensic investigation time required to recover. Ideally the specific exploits should be identified in advance, however given time constraints this might not be possible until later. The goal of this checklist is Rapid Recovery.


Preqreqs:

1 Backup server, to store 2 copies of data from the compromised system

1 Valid ASL subscription

Optional: Serial port/KVM console access

Optional: Rescue mode PXE image


 Step 1) Find out how the system was compromised
 


 Step 2) Back up data twice 
 On your backup host:
 rsync -av -e ssh root@<IP>:/ /backups/<IP>/
 On the compromised host:
 psadump/pleskbackup


Step 2) Reinstall the system

Step 3) Install

Personal tools