[Dshield] Interesting Zombie Data Graphs

MaXX bs139412 at skynet.be
Sat Nov 12 01:54:51 GMT 2005

On Friday 11 November 2005 22:21, Chris Brenton wrote:
> On Fri, 2005-11-11 at 18:49 +0100, MaXX wrote:
> > Let's say: reading my morning logs, I notice that my system has been
> > compromised; I take the machine offline, find the vector and jump on my
> > backups. Then I restore the machine in the last good state, and patch the
> > system and disable the component involved in the intrusion. I could get
> > in trouble for that whether or not I've checked what the actual
> > content dropped/hidden on the machine is?
> I do not represent law enforcement. With that said, I doubt you would
> get in trouble for _unknowingly_ destroying potential evidence. In the
> situation you describe above, there is no knowledge of what was done to
> the system or the existing content. You are simply following standard op
> procedure for restoring after a compromise.
Thanks Chris for your answer; anyway, I'll check that on Monday with the
Belgian Federal Computer Crime Unit...
If needed, I'll have our (my) procedure changed.
