Pull network or power? (for contianing a rooted server)
Posted
by
Aleksandr Levchuk
on Server Fault
See other posts from Server Fault
or by Aleksandr Levchuk
Published on 2011-01-03T20:36:55Z
Indexed on
2011/01/05
19:55 UTC
Read the original article
Hit count: 222
When a server gets rooted (e.g. a situation like this), one of the first things that you may decide to do is containment. Some security specialists advise not to enter remediation immediately and to keep the server online until forensics are completed. Those advises are usually for APT. It's different if you have occasional Script kiddie breaches. However, you may decide to remediate (fix things) early and one of the steps in remediation is containment of the server. Quoting from Robert Moir's Answer - "disconnect the victim from its muggers".
A server can be contained by pulling the network cable or the power cable.
Which method is better?
Taking into consideration the need for:
- Protecting victims from further damage
- Executing successful forensics
- (Possibly) Protecting valuable data on the server
Edit: 5 assumptions
Assuming:
- You detected early: 24 hours.
- You want to recover early: 3 days of 1 systems admin on the job (forensics and recovery).
- The server is not a Virtual Machine or a Container able to take a snapshot capturing the contents of the servers memory.
- You decide not to attempt prosecuting.
- You suspect that the attacker may be using some form of software (possibly sophisticated) and this software is still running on the server.
© Server Fault or respective owner