Finding how a hacked server was hacked

Posted by sixtyfootersdude on Server Fault See other posts from Server Fault or by sixtyfootersdude
Published on 2011-01-03T12:04:53Z Indexed on 2011/01/03 12:55 UTC
Read the original article Hit count: 295

I was just browsing through the site and found this question: My server's been hacked EMERGENCY. Basically the question says: My server has been hacked. What should I do?

The best answer is excellent but it raised some questions in my mind. One of the steps suggested is to:

Examine the 'attacked' systems to understand how the attacks succeeded in compromising your security. Make every effort to find out where the attacks "came from", so that you understand what problems you have and need to address to make your system safe in the future.

I have done no system admin work so I have no idea how I would start doing this. What would be the first step? I know that you could look in the server log files but as an attacker the first thing that I would do would be errasing the log files. How would you "understand" how the attacks succeeded?

© Server Fault or respective owner

Related posts about security

Related posts about intrusion-cleanup