When a server gets rooted, should I disconnect network or power?

Posted by Aleksandr Levchuk on Server Fault
Published on 2011-01-03T20:36:55Z

When a server gets rooted (e.g. a situation like this), one of the first things that should be done is containment. Quoting from Robert Moir's Answer:

"disconnect the victim from its muggers"

A server can be contained by pulling the network cable or the power cable.

Taking into consideration the need for:

  1. Protecting victims from further damage
  2. Executing successful forensics
  3. (Possibly) Protecting valuable data on the server

Which method is better?
