When a server gets rooted, should I disconnect network or power?
Posted by Aleksandr Levchuk on Server Fault
Published on 2011-01-03T20:36:55Z
Indexed on 2011/01/03 20:55 UTC
When a server gets rooted (e.g. a situation like this), one of the first things that should be done is containment. Quoting from Robert Moir's Answer:
"disconnect the victim from its muggers"
A server can be contained by pulling the network cable or the power cable.
Taking into consideration the need for:
- Protecting victims from further damage
- Executing successful forensics
- (Possibly) Protecting valuable data on the server
Which method is better?