Pull network or power? (for containing a rooted server)

Posted by Aleksandr Levchuk on Server Fault
Published on 2011-01-03T20:36:55Z

When a server gets rooted (e.g. a situation like this), one of the first things that you may decide to do is containment. Some security specialists advise not to enter remediation immediately and to keep the server online until forensics are completed. That advice is usually for APT. It's different if you have occasional script-kiddie breaches. However, you may decide to remediate (fix things) early, and one of the steps in remediation is containment of the server. Quoting from Robert Moir's answer: "disconnect the victim from its muggers".

A server can be contained by pulling the network cable or the power cable.

Which method is better?

Taking into consideration the need for:

  1. Protecting victims from further damage
  2. Executing successful forensics
  3. (Possibly) Protecting valuable data on the server

Edit: 5 assumptions

Assuming:

  1. You detected early: 24 hours.
  2. You want to recover early: 3 days of 1 systems admin on the job (forensics and recovery).
  3. The server is not a Virtual Machine or a Container able to take a snapshot capturing the contents of the server's memory.
  4. You decide not to attempt prosecuting.
  5. You suspect that the attacker may be using some form of software (possibly sophisticated) and this software is still running on the server.
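Whichever cable gets pulled, the forensics goal (point 2 above) and assumption 5 (attacker software still running) both argue for recording the volatile state of the box first, since pulling power destroys it. The script below is an added example, not part of the original question or any answer to it: a minimal POSIX sh triage snapshot that writes process, network and login state to an evidence directory and hashes the result. It assumes the output directory (`$1`) is on removable or remote media, that the listed tools are trusted copies (a rooted host's own binaries may lie), and it skips any tool that is not installed rather than failing.

```shell
#!/bin/sh
# Added example (not from the original Server Fault post): capture a minimal
# volatile-state snapshot before containment, so that pulling the power cable
# does not destroy the only record of what was running and talking on the box.
# Assumptions (mine, not the poster's): POSIX sh, outputs written to a directory
# on removable/remote media given as $1, and the tools below are trusted copies.

snapshot_volatile() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    manifest="$outdir/MANIFEST"
    : > "$manifest"
    # name:command pairs; each runs only if the tool exists, and a failing
    # command is recorded in the manifest rather than aborting the snapshot.
    for spec in "date:date -u" "uname:uname -a" "uptime:uptime" \
                "who:who" "ps:ps -ef" "ss:ss -tunap" "netstat:netstat -tunap" \
                "lsof:lsof -nP" "mounts:cat /proc/mounts"; do
        name="${spec%%:*}"
        cmd="${spec#*:}"
        tool="${cmd%% *}"
        if command -v "$tool" >/dev/null 2>&1; then
            # shellcheck disable=SC2086
            $cmd > "$outdir/$name.txt" 2>&1
            printf '%s\t%s\trc=%s\n' "$name" "$cmd" "$?" >> "$manifest"
        else
            printf '%s\t%s\tSKIPPED (tool missing)\n' "$name" "$cmd" >> "$manifest"
        fi
    done
    # Hash every capture so later tampering with the evidence copy is detectable.
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$outdir" && sha256sum ./*.txt > SHA256SUMS)
    fi
    return 0
}

# Usage (commented so that sourcing this file has no side effects):
#   snapshot_volatile /mnt/evidence/$(hostname)-$(date -u +%Y%m%dT%H%M%SZ)
```

Run it once, then pull the network cable; the captured files give the later forensics pass the connections and processes that a cold disk image alone cannot show. The manifest records which tools were missing, so gaps in the snapshot are visible rather than silent.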
