Monday, August 27, 2007

0wned - for as long as the eye can see ...

So I am looking at the logs from this deeply 0wned Linux box and not finding any signs of how it was broken into - I am looking for a few days back from the moment it was discovered. As a result, I am puzzled. What's the next step? I am looking a bit more into the past, and then a bit more, and then 2 months more (!) and then - oops! - I run out of logs. Logrotate, thanks bitch! :-) What we have here is a system that has "root" logins from .ro domains for as long as the eye can see. Case closed!

Folks, don't get into such situations - retain the logs for longer! Disk space is cheap, but the creativity that you need when analyzing an intrusion with no evidence is expensive ...

Dr Anton Chuvakin
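
An added example, not part of the original post: a small Python check that estimates how many days of history each logrotate stanza is guaranteed to keep and lists the logs that fall short of a required window. The sample configuration, the function names and the 90-day threshold are constructed for illustration. The parser is an approximation: it covers time-based rotation only (`size` triggers, `rotate -1`, `include` and nested braces are not handled) and applies global directives to every stanza.

```python
import re

PERIOD_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}
STANZA_RE = re.compile(r"^([^\n{]+)\{([^}]*)\}", re.M)

# Constructed sample configuration (not taken from the post).
SAMPLE_CONF = """\
weekly
rotate 4
/var/log/auth.log {
    rotate 8
}
/var/log/syslog {
    daily
    rotate 7
    maxage 5
}
/var/log/audit/audit.log {
    monthly
    rotate 12
}
"""

def _apply(line, settings):
    """Fold one directive line (frequency, rotate N, maxage N) into settings."""
    words = line.split()
    if words and words[0] in PERIOD_DAYS:
        settings["period"] = PERIOD_DAYS[words[0]]
    elif len(words) > 1 and words[0] in ("rotate", "maxage"):
        settings[words[0]] = int(words[1])

def retention_days(conf_text):
    """Return {log path: guaranteed days of rotated history}."""
    text = re.sub(r"#.*", "", conf_text)           # drop comments
    global_settings, result = {}, {}
    for line in STANZA_RE.sub("", text).splitlines():  # lines outside stanzas
        _apply(line, global_settings)
    for paths, body in STANZA_RE.findall(text):
        s = dict(global_settings)                  # stanza overrides globals
        for line in body.splitlines():
            _apply(line, s)
        # N rotated files, each covering one period; maxage caps the result.
        days = s.get("rotate", 0) * s.get("period", 0)
        days = min(days, s.get("maxage", days))
        for p in paths.split():
            result[p] = days
    return result

def too_short(conf_text, required_days):
    """Paths whose guaranteed history is below the required window."""
    return sorted(p for p, d in retention_days(conf_text).items() if d < required_days)
```

With the constructed sample and a 90-day requirement, the authentication log (56 days) and syslog (5 days, capped by `maxage`) are flagged, while the audit log (360 days) passes.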