Linux After Hacked?

[Tor]

How do you figure out how you were hacked and what IP hacked you after you have been hacked? I don't mean where you "think" you have been hacked but once your webpage says "Owned by..." or the data on your server is missing... What next? How do you identify how you were hacked?

Security seems like a big issue and I read about it all the time but I never read about what to do after you've been hacked. lol

[Jordan]

If you still have log files, check them! You'll spend hours pouring through them unless you know the exact time of the hack though.

[LissaValerian]

Quote:

Originally Posted by Jordan

If you still have log files, check them! You'll spend hours pouring through them unless you know the exact time of the hack though.

Exactly what Jordan said,

LOGS LOGS LOGS. Keep LOGS! Thats where your information will be. If you watch the logs and look through them closely, you'll see exactly what you need to see.

There are software applications out there that will analyze logs for you and keep a nice graph, etc., I can't remember what they are at the moment, since I just look at the logs themselves. Now I'm not just talking about software that analyzes bandwidth, I'm talking about software that analyzes for security. I worked with some students who were grads in computer science and I help them set up a security system for one of their projects that analyzed the network and logs for security breaches, etc. I can't think of the name of that particular bit of software for the life of me ....

But LOGS are the key. Keep them. :-)

[Jordan]

I know logwatch is a very good program to have and to have it email you every day with reports. Which reminds me, for some reason I haven't received my logwatch in a couple of days.