[Dshield] Interesting Zombie Data Graphs

MaXX bs139412 at skynet.be
Sat Nov 12 01:54:51 GMT 2005


On Friday 11 November 2005 22:21, Chris Brenton wrote:
> On Fri, 2005-11-11 at 18:49 +0100, MaXX wrote:
[...]
> > Let's say: reading my morning logs, I notice that my system has been
> > compromised; I take the machine offline, find the vector and jump on my
> > backups. Then I restore the machine in the last good state, and patch the
> > system and disable the component involved in the intrusion. I could get
> > in trouble for that whether or not I've checked what the actual
> > content dropped/hidden on the machine is?
> I do not represent law enforcement. With that said, I doubt you would
> get in trouble for _unknowingly_ destroying potential evidence. In the
> situation you describe above, there is no knowledge of what was done to
> the system or the existing content. You are simply following standard op
> procedure for restoring after a compromise.
Thanks Chris for your answer; anyway, I'll check that on Monday with the
Belgian Federal Computer Crime Unit...
If needed, I'll have our (my) procedure changed.

Thanks,
--
MaXX

