Monday, August 27, 2007

0wned - for as long as the eye can see ...

So I am looking at the logs from this deeply 0wned Linux box and not finding any signs of how it was broken info - I am looking for a few days back from the moment it was discovered. As a result, I am puzzled. What's the next step? I am looking a bit more into the past, and then a bit more, and then 2 months more (!) and then - oops! - I run out of logs. Logrotate, thanks bitch! :-) What we have here is a system that has "root" logins from .ro domains for as long as the eye can see. Case closed!

Folks, don't get into such situations - retain the logs for longer! Disk space is cheap, but the creativity that you need when analyzing an intrusion with no evidence is expensive ...

Possibly related posts:

Dr Anton Chuvakin