On Wed, 2009-06-03 at 01:57 -0400, JohnS wrote:
> On Wed, 2009-06-03 at 00:46 -0500, John R. Dennison wrote:
> > On Wed, Jun 03, 2009 at 12:30:10AM -0500, Neil Aggarwal wrote:
> > >
> > > It would be prudent to review his web code to see
> > > if he did something in an insecure way. If his code
> > > is open to attack, it will be so even if he puts it
> > > on a new machine.
> >
> > Hence my statements to evaluate the web-apps he has running :)
> >
> > I will bet dollars to donuts he had a web app with a known issue
> > that was not patched. Also goes back to my previous statement
> > of fully patching.
>
> ---
> Dollars to Donuts ehhh???
> How many donuts you think it will take to pay for legal costs and clean
> up if there are customer data on the machine? I think right about now I
> would:
> 1. Notify Risk Management and Your Compliancy Officer.
> 2. Take it off the network connections.
> 3. Do a live rsync and dd image + ram copy = running processes/hidden.
> 4. Same as 3. but with the machine off.
> 5. The company attorney needs to be notified.
> 6. By State and Federal Law in the US you have so many days to report
> incidents like this to users (customers) and law enforcement.

If, by step 4, you mean remove the drive[1], stick it into a USB enclosure,
make a copy of it, then stick the original into a plastic bag in full view
of a witness[2] then give it to them, I agree wholeheartedly[3]. I've been
through this before and this is, IMHO[4], a safer way to operate.

-I

[1] Assuming no RAID. If you have RAID, you can go to a separate box and
make a live backup via:

    goodhost# ssh badhost '(cat /dev/sda)' > badhost-sda.ddout

[2] Your manager or corporate counsel will do in this example. Better if
it's both.
[3] This does *NOT* constitute legal advice. Talk to your corporate counsel
before taking action, as this may constitute a criminal matter.
[4] See [3] above.
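The dead-disk imaging in step 4 (drive pulled, copied from a clean box, original bagged in front of a witness) is only as useful as the record that goes with it: a hash of what was read, a hash of what was written, who did it and when. The script below is an added example, not something from this thread or from any of the posters; it wraps the dd copy in a small function that hashes source and image and appends both digests to a custody log. Tool names are the ordinary coreutils ones (dd, sha256sum or shasum, id, uname, date); the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): image a pulled drive with dd,
# hash source and image, and append both digests to a custody log.
# Assumes only dd, sha256sum (or shasum), cut, id, uname and date.

hash256() {
    # Print the SHA-256 digest of the file or device named in $1,
    # using whichever hashing tool this host provides.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

image_and_verify() {
    # $1 = source device (or file), $2 = image output path, $3 = custody log.
    # Exit status: 0 if the image hash matches the source hash,
    #              1 if the hashes differ, 2 if dd itself failed.
    src=$1; img=$2; log=$3
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    # conv=noerror keeps reading past bad sectors; conv=sync pads a short
    # read out to a full block so every later offset in the image still
    # lines up with the disk. The price is that a source whose size is not
    # a multiple of bs gets zero padding at the end, which is exactly the
    # kind of mismatch the hash comparison below is meant to surface.
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null || return 2

    src_hash=$(hash256 "$src")
    img_hash=$(hash256 "$img")

    # Append, never overwrite: the log is the chain-of-custody record.
    {
        echo "time=$start source=$src image=$img"
        echo "source_sha256=$src_hash"
        echo "image_sha256=$img_hash"
        echo "operator=$(id -un) host=$(uname -n)"
        if [ "$src_hash" = "$img_hash" ]; then
            echo "result=verified"
        else
            echo "result=MISMATCH"
        fi
    } >> "$log"

    [ "$src_hash" = "$img_hash" ]
}

# Usage (placeholder paths; run from the clean host with the drive in the
# USB enclosure, with the image going to evidence storage, not the source):
#   image_and_verify /dev/sdb /evidence/badhost-sdb.dd /evidence/custody.log
```

A real drive is always a whole number of 512-byte sectors, so with bs=4096 the padding case only bites on a device whose sector count is not a multiple of eight, or on a dd run that hit unreadable sectors; in both cases the two digests differ and the log says MISMATCH, which is the cue to record why rather than to quietly re-run. For the live-over-ssh variant in footnote [1], the same two-hash check applies: hash the stream on the clean host as it lands, then hash the saved file.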