[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Hosting Provider Refuses to Share Server Logs - How to Proceed?

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Hosting Provider Refuses to Share Server Logs - How to Proceed?
From: Michael Holstein <michael.holstein@xxxxxxxxxxx>
Date: Tue, 02 Aug 2005 09:48:54 -0400

I've never dealt with an intrusion before, but I am the tech for the


That's all you need to say.

The server logs probably won't tell you exactly what happened, and it doesn't matter anyway. ANYTIME you have a hack, regardless of how trivial, you rebuild from scratch.

Why? Because you'll never know what was left behind. I've been doing post-mortum analysis of hacked boxes for years, and I still don't trust my own abilities to find everything -- thus they all get rebuilt offline, and nothing that's executable (directly or otherwise), and no config files get restored.

More specifics on the exact config, and we can give links on how to secure the next install (eg: what httpd, what O/S, etc.).

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Hosting Provider Refuses to Share Server Logs - How to Proceed?
  - From: Michael Ströder

References:
- [Full-disclosure] Hosting Provider Refuses to Share Server Logs - How to Proceed?
  - From: GeeEm

Prev by Date: Re: [Full-disclosure] RE: Getting a clue at Cisco
Next by Date: Re: [Full-disclosure] Hosting Provider Refuses to Share Server Logs - How to Proceed?
Previous by thread: [Full-disclosure] Hosting Provider Refuses to Share Server Logs - How to Proceed?
Next by thread: Re: [Full-disclosure] Hosting Provider Refuses to Share Server Logs - How to Proceed?
Index(es):
- Date
- Thread