Linux Security HOWTO : What To Do During and After a Breakin : Security Compromise has already happened : Tracking Down the Intruder.
Previous: Backups, Backups, Backups!
Next: Security Sources

10.2.4. Tracking Down the Intruder.

OK, you have locked the intruder out and recovered your system, but you're not quite done yet. While it is unlikely that most intruders will ever be caught, you should still report the attack.

You should report the attack to the admin contact for the site the attack came from. You can look up this contact with whois or the Internic database. You might send them an email with all applicable log entries, including dates and times. If you spotted anything else distinctive about your intruder, you might mention that too. After sending the email, you should (if you are so inclined) follow up with a phone call. If that admin in turn spots your attacker, they might be able to talk to the admin of the site the attacker is coming from, and so on.

Good crackers often use many intermediate systems, some (or many) of which may not even know they have been compromised. Trying to track a cracker back to their home system can be difficult. Being polite to the admins you talk to can go a long way to getting help from them.

You should also notify any security organizations you are a part of (CERT or similar), as well as your Linux system vendor.
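The two practical steps above (finding the remote site's contact via whois, and sending the admin the applicable log entries with dates and times) are shown below as an added example; this is not code from the HOWTO. It works entirely offline: the auth.log excerpt and the whois answer are constructed sample data, the IP addresses are from the RFC 5737 documentation ranges, and the report assumes the syslog timestamps were written in UTC in a given year (syslog records neither), which the report states explicitly so the recipient can correlate with their own clocks.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample auth.log excerpt (not real data): an address fails twice as
# root, then gets in as "backup" and escalates with sudo. An unrelated login
# from another address is included to show it is filtered out.
SAMPLE_AUTH_LOG = """\
Mar 14 02:11:05 web1 sshd[2041]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar 14 02:11:09 web1 sshd[2041]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar 14 02:11:13 web1 sshd[2044]: Accepted password for backup from 203.0.113.45 port 51240 ssh2
Mar 14 02:12:30 web1 sshd[2051]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar 14 02:15:47 web1 sudo:   backup : TTY=pts/1 ; PWD=/home/backup ; USER=root ; COMMAND=/bin/bash
Mar 14 02:20:01 web1 CRON[2100]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Constructed whois answer for the suspect network (keys follow the usual
# RIPE/ARIN "key: value" layout; the values are made up).
SAMPLE_WHOIS = """\
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
admin-c:        EX123-RIPE
abuse-mailbox:  abuse@example.net
OrgAbuseEmail:  abuse@example.net
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
WHOIS_KV_RE = re.compile(r"^(?P<key>[A-Za-z-]+):\s*(?P<val>.+?)\s*$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_syslog_time(line, year):
    """Timezone-aware datetime for a syslog line; assumes UTC and the given year."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp = f"{year} {m['mon']} {m['day']} {m['time']}"
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)


def extract_intruder_entries(log_text, suspect_ip, year):
    """Lines tied to the suspect address, sorted by time.

    Pass 1 takes every line naming the IP and notes which accounts it logged in
    as. Pass 2 adds later lines naming those accounts (sudo, cron, etc.), which
    carry no IP but belong to the same session."""
    ip_re = re.compile(r"(?<![\d.])" + re.escape(suspect_ip) + r"(?![\d.])")
    lines = log_text.splitlines()
    entries, accounts = [], {}  # accounts: user -> first accepted login time
    for line in lines:
        ts = parse_syslog_time(line, year)
        if ts is None or not ip_re.search(line):
            continue
        entries.append((ts, line))
        m = ACCEPTED_RE.search(line)
        if m and m["user"] not in accounts:
            accounts[m["user"]] = ts
    for line in lines:
        ts = parse_syslog_time(line, year)
        if ts is None or (ts, line) in entries:
            continue
        for user, first_login in accounts.items():
            if ts >= first_login and re.search(r"\b" + re.escape(user) + r"\b", line):
                entries.append((ts, line))
                break
    entries.sort()
    return entries


def find_abuse_contacts(whois_text):
    """E-mail addresses from whois fields whose key mentions 'abuse'."""
    found = set()
    for line in whois_text.splitlines():
        m = WHOIS_KV_RE.match(line)
        if m and "abuse" in m["key"].lower():
            found.update(EMAIL_RE.findall(m["val"]))
    return sorted(found)


def build_abuse_report(entries, suspect_ip, reporter_contact):
    """Report body to e-mail the remote admin: activity window in UTC, the raw
    evidence lines, and a SHA-256 of those lines so both sides can confirm
    the excerpt was not altered in transit. Returns None if nothing was found."""
    if not entries:
        return None
    first, last = entries[0][0], entries[-1][0]
    evidence = "\n".join(line for _, line in entries)
    digest = hashlib.sha256(evidence.encode()).hexdigest()
    header = [
        f"Subject: Intrusion from {suspect_ip}",
        f"Reporter: {reporter_contact}",
        f"Activity window (UTC): {first.isoformat()} to {last.isoformat()}",
        f"Log lines: {len(entries)}  SHA-256: {digest}",
        "Timestamps assumed UTC; year supplied by reporter (syslog omits both).",
        "",
    ]
    return "\n".join(header) + evidence + "\n"


if __name__ == "__main__":
    found = extract_intruder_entries(SAMPLE_AUTH_LOG, "203.0.113.45", 2024)
    print("Send to:", ", ".join(find_abuse_contacts(SAMPLE_WHOIS)))
    print(build_abuse_report(found, "203.0.113.45", "secadmin@victim.example"))
```

In real use, replace `SAMPLE_WHOIS` with the output of `whois 203.0.113.45` (or whatever address your logs show) and `SAMPLE_AUTH_LOG` with the relevant slice of your own logs; the abuse address is the one to write to first, with the admin and tech contacts for the follow-up phone call the HOWTO mentions. Keep the log excerpt and its hash with your own incident notes as well, so you can later show that what you sent is what you had.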
