Linux Security HOWTO : What To Do During and After a Breakin : Security Compromise has already happened : Assessing the Damage
Previous: Closing the Hole
Next: Backups, Backups, Backups!

10.2.2. Assessing the Damage

The first thing to do is assess the damage. What has been compromised? If you are running an integrity checker like Tripwire, you can use it to perform an integrity check, which should help tell you what has changed. If not, you will have to look around at all your important data.

Since Linux systems are getting easier and easier to install, you might consider saving your config files, wiping your disk(s), and reinstalling, then restoring your user files from backups along with your config files. This will ensure that you have a new, clean system. If you have to back up files from the compromised system, be especially cautious of any binaries that you restore, as they may be Trojan horses placed there by the intruder.

Reinstallation should be considered mandatory once an intruder has obtained root access. Additionally, you will want to keep any evidence there is, so having a spare disk in the safe may make sense.

Then you have to worry about how long ago the compromise happened, and whether the backups hold any damaged work. More on backups later.
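One way to do the kind of check the section describes without a full Tripwire setup, as an added example that is not from the HOWTO or from Tripwire: a manifest of file hashes recorded from a known-good copy is compared against the suspect tree, and every modified, missing or added file is listed. It assumes coreutils sha256sum (or perl's shasum) is available; the sample tree and the changes applied to it are constructed for the demonstration.

```sh
#!/bin/sh
# Constructed example for assessing a compromised tree: compare it against a
# hash manifest recorded from a known-good copy and list every difference.
# Assumes coreutils sha256sum (falls back to perl's shasum). Paths containing
# whitespace are not handled, since manifest lines are split on whitespace.

hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# make_baseline DIR MANIFEST: write "hash  ./relative/path" for every regular
# file under DIR. Record it from the clean install, then compare the suspect
# disk (mounted read-only) against it.
make_baseline() {
  (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do hash_file "$f"; done) > "$2"
}

# check_tree DIR MANIFEST: print ADDED / MISSING / MODIFIED lines, sorted.
# MODIFIED binaries are the Trojan horse candidates the text warns about;
# ADDED files are things the intruder may have left behind.
check_tree() {
  now=$(mktemp)
  make_baseline "$1" "$now"
  awk 'NR == FNR { base[$2] = $1; next }
       { seen[$2] = 1
         if (!($2 in base))        print "ADDED    " $2
         else if (base[$2] != $1)  print "MODIFIED " $2 }
       END { for (p in base) if (!(p in seen)) print "MISSING  " p }' \
      "$2" "$now" | LC_ALL=C sort
  rm -f "$now"
}

# demo_report: build a small constructed tree, record its baseline, then apply
# the kinds of changes an assessment looks for and print check_tree's report.
demo_report() {
  work=$(mktemp -d)
  mkdir -p "$work/bin" "$work/etc"
  printf 'original ls binary\n'            > "$work/bin/ls"
  printf 'root:x:0:0:root:/root:/bin/sh\n' > "$work/etc/passwd"
  printf 'PermitRootLogin no\n'             > "$work/etc/sshd_config"
  make_baseline "$work" "$work.manifest"
  # constructed post-compromise state: binary replaced, config removed, file added
  printf 'replaced ls binary\n' > "$work/bin/ls"
  rm "$work/etc/sshd_config"
  printf 'unexpected file\n' > "$work/etc/extra"
  check_tree "$work" "$work.manifest"
  rm -rf "$work" "$work.manifest"
}

demo_report
```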
