1. Get that computer disconnected from any network immediately - especially from the Internet
2. Do not do anything with it. If you mess around with the computer you can't use the hard drive's contents to prove anything in court because there's the possibility that you "tampered with the evidence"
3. I suggest using dd to make an image of the disk on a second hard drive. Then do your investigating on the image.
4. Consult a Swiss security expert or agency. Or maybe the Swiss police would know who to contact.

At 08:34 AM 1/18/2002 -0800, you wrote:
Dear Admins
Our server was hacked a few weeks ago (sshd 1.2.27 crc32 compensation attack/rootkit installed/visa- and mastercard scanned/irc relay installed/own sshd installed/ssh attack from tw/irc and logins from ro/lan sniffer installed/collected data sent to yahoo mail address).
As we are located in Switzerland, we do not have FBI or CIA to handle this.
Who should I contact: police, CERT@switch.ch, federal bureau of computer crime (if it exists?)
How do you handle hacker attacks: after cleaning your computers do you fall back into normal operation, or do you have the government/big boss/... informed?
How should I react to this attack?
I hope somebody has already had some experience with Swiss laws.
Yours
Andreas (genesis_xix@yahoo.com)
----------------------------------------------------
Jonathan Wilson
System Administrator
Cedar Creek Software http://www.cedarcreeksoftware.com
Central Texas IT http://www.centraltexasit.com
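
The imaging step suggested in the reply above, as an added example that is not part of the original thread: copy the disk with dd, record a SHA-256 of the image, and re-check that hash before working on the copy. The function names `image_disk`, `verify_image` and `make_sample_disk` are hypothetical, and the script assumes `sha256sum` is installed and the drive uses 512-byte sectors.

```shell
#!/bin/sh
# Added example (not from the original thread): image a disk with dd and
# record a SHA-256 so later work on the copy can be shown to match the source.
# SRC and DST are caller-supplied; on a real case SRC would be the suspect drive
# attached to a separate, trusted machine and DST a file on the second drive.

image_disk() {
    local src="$1" dst="$2" src_hash img_hash
    if [ ! -r "$src" ]; then echo "cannot read $src" >&2; return 2; fi
    if [ -e "$dst" ]; then echo "refusing to overwrite $dst" >&2; return 3; fi

    # bs=512 assumes 512-byte sectors: with conv=noerror,sync an unreadable
    # sector is replaced by zeros, so offsets in the image still line up and
    # a read error costs one sector rather than a larger block.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>"$dst.dd.log" || return 4

    img_hash=$(sha256sum < "$dst") || return 5
    img_hash=${img_hash%% *}
    printf '%s\n' "$img_hash" > "$dst.sha256"
    chmod 444 "$dst" "$dst.sha256"        # the image is evidence: no casual writes

    # If the source cannot be read cleanly, the image is kept but unverified.
    src_hash=$(sha256sum < "$src") || { echo "source unreadable, image unverified" >&2; return 1; }
    src_hash=${src_hash%% *}
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: image differs from source" >&2; return 1
    fi
    echo "image verified: sha256 $img_hash"
}

# Re-check the working image against the recorded hash before each session.
verify_image() {
    local now
    now=$(sha256sum < "$1") || return 2
    [ "${now%% *}" = "$(cat "$1.sha256")" ]
}

# Constructed stand-in for a disk (64 sectors of random data) so the example
# runs without touching a real device.
make_sample_disk() {
    dd if=/dev/urandom of="$1" bs=512 count=64 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d) && make_sample_disk "$tmp/disk.raw" &&
        image_disk "$tmp/disk.raw" "$tmp/evidence.img" && verify_image "$tmp/evidence.img"
fi
```

Run with the argument `demo` to exercise it on the constructed sample; investigation then happens on a further copy of the image, with `verify_image` confirming the stored image is unchanged.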