Incident handling

Security Incident?

1. Don't panic!

2. Unless it is absolutely necessary, DO NOT SHUT DOWN THE AFFECTED SERVER YET! Shutting it down destroys the memory contents, running processes and open connections that an investigation will need. Disconnect the server from the network instead, but collect the list of open connections (see step 4) before pulling the cable.

3. Try to find out:

  • What happened?
  • When did this happen?
  • Where did this happen (where are the computers physically located)?
  • How was the incident noticed, and by whom?

4. Collect:

  • Log files from firewalls, IDSes and the affected servers
  • List of processes running on the server
  • List of open connections on the server
  • Partition and RAID array configuration of the server


NOTE: COMMANDS RUN ON THE SERVER SHOULD BE EXECUTED FROM A KNOWN-GOOD SOURCE SUCH AS A CD, SINCE THE BINARIES ON A COMPROMISED HOST MAY HAVE BEEN REPLACED. RUN AS FEW COMMANDS AS POSSIBLE, SINCE EVERY COMMAND ALSO CHANGES THE EVIDENCE LEFT ON THE SERVER.
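The collection in step 4, done the way the note above asks for: every command comes from a known-good toolkit, and the output is streamed to another machine so nothing new is written to the suspect server's disks. This is an added example, not a script from the original page. The toolkit path `/mnt/cdrom/bin`, the collector address `192.0.2.10` and port 4444 are assumptions; the collector is expected to be listening with `nc -l -p 4444 > volatile.txt`.

```shell
#!/bin/sh
# Added example (not part of the original page): collect the volatile data
# from step 4 using only binaries from a known-good toolkit and stream the
# result off-host, so nothing new is written to the suspect server's disks.
# Assumptions (hypothetical): the toolkit is mounted read-only at $TOOLS,
# and a collector host is listening with 'nc -l -p 4444 > volatile.txt'.

TOOLS="${TOOLS:-/mnt/cdrom/bin}"       # known-good, statically linked tools
COLLECTOR="${COLLECTOR:-192.0.2.10}"   # collector address (documentation range)
PORT="${PORT:-4444}"

# Run one command from the toolkit under a header line. A tool that is missing
# from the toolkit is recorded as missing, never substituted with the suspect
# host's own copy, which may have been trojaned.
run_tool() {
    cmd=$1; shift
    printf '===== %s %s =====\n' "$cmd" "$*"
    if [ -x "$TOOLS/$cmd" ]; then
        "$TOOLS/$cmd" "$@" 2>&1
    else
        printf '[%s not on toolkit; skipped]\n' "$cmd"
    fi
}

# Most volatile data first: clock, uptime, connections, processes, then the
# static disk layout. Files under /proc are read with the toolkit's cat.
collect_volatile() {
    run_tool date -u             # opening timestamp for the case notes
    run_tool uptime
    run_tool ss -tunap           # open connections, with owning process
    run_tool netstat -tunap      # same information on older systems without ss
    run_tool arp -an
    run_tool ps auxwww
    run_tool lsof -n -P
    run_tool w
    run_tool lsmod               # loaded kernel modules (rootkits live here)
    run_tool mount
    run_tool cat /proc/mdstat    # RAID array state
    run_tool cat /proc/partitions
    run_tool fdisk -l
    run_tool date -u             # closing timestamp bounds the collection window
}

# Only send when explicitly asked, so sourcing this file is side-effect free.
if [ "${RUN_COLLECTION:-0}" = 1 ]; then
    collect_volatile | "$TOOLS/nc" "$COLLECTOR" "$PORT"
fi
```

Run it on the suspect server as `RUN_COLLECTION=1 sh collect.sh` after the collector's listener is up. On the collector, hash the received file immediately (`sha256sum volatile.txt`) and record the hash together with the two timestamps in the case notes; that is what later establishes that the transcript was not altered.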

5. Contact the people responsible for the server
(system administrator etc.)

6. Contact people with sufficient authority to decide on the financial losses a shutdown of the server would cause

7. Contact the Incident Response Team

If the server must be shut down immediately, take the following steps in addition to those listed above:

  1. Dump the memory of the server to a file on another computer using the dd and netcat commands

  2. Dump the contents of the server's swap partition(s) to a file on another computer using the dd and netcat commands

  3. Shut down the server by switching the power off (i.e. no normal shutdown procedure: a clean shutdown runs shutdown scripts, which an attacker may have modified, and writes to the disks, overwriting evidence)
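The dd-over-netcat dumps of steps 1 and 2, worked through as an added example (not a script from the original page). The toolkit path `/mnt/cdrom/bin`, the collector address `192.0.2.10` and the port numbers are assumptions; the collector is expected to run one listener per image, for instance `nc -l -p 5001 | tee memory.img | sha256sum > memory.img.sha256` (the `-p` flag is netcat-traditional syntax; OpenBSD nc uses `nc -l 5001`, so check which nc the toolkit ships). Swap devices are taken from `/proc/swaps` rather than guessed, and the parser is exercised on a constructed sample of that file.

```shell
#!/bin/sh
# Added example (not part of the original page): the dd-over-netcat memory
# and swap dumps of steps 1 and 2, run on the suspect server from a known-good
# toolkit at $TOOLS. Assumptions (hypothetical): the collector at $COLLECTOR
# runs one listener per image, e.g.
#     nc -l -p 5001 | tee memory.img | sha256sum > memory.img.sha256
# and the toolkit holds statically linked dd, nc, cat and awk.

TOOLS="${TOOLS:-/mnt/cdrom/bin}"
COLLECTOR="${COLLECTOR:-192.0.2.10}"   # collector address (documentation range)
MEM_PORT="${MEM_PORT:-5001}"           # swap images use MEM_PORT+1, MEM_PORT+2, ...

# Stream a device or file to the collector without writing anything locally.
# conv=noerror,sync carries on past unreadable blocks (zero-padded) instead of
# stopping at the first I/O error and leaving a silently short image.
send_image() {                         # send_image SOURCE PORT
    "$TOOLS/dd" if="$1" bs=1M conv=noerror,sync | "$TOOLS/nc" "$COLLECTOR" "$2"
}

# Extract the active swap devices/files from a /proc/swaps listing read on
# stdin; the first line of /proc/swaps is a column header and is skipped.
swap_devices() {
    "$TOOLS/awk" 'NR > 1 { print $1 }'
}

# Constructed sample of /proc/swaps, used only to exercise swap_devices.
SAMPLE_SWAPS='Filename        Type        Size      Used   Priority
/dev/sda2       partition   8388604   1024   -2
/swapfile       file        2097148   0      -3'

dump_all() {
    # Physical memory first: it changes every second the server stays up.
    # Caveat: on kernels built with CONFIG_STRICT_DEVMEM (the default on most
    # distributions) /dev/mem exposes only the first megabyte, so a kernel
    # module acquisition tool such as LiME has to be used instead of dd.
    send_image /dev/mem "$MEM_PORT"
    # Then every swap device/file, each to its own listener port.
    port=$((MEM_PORT + 1))
    "$TOOLS/cat" /proc/swaps | swap_devices | while read -r dev; do
        send_image "$dev" "$port"
        port=$((port + 1))
    done
}

# Only dump when explicitly asked, so sourcing this file is side-effect free.
if [ "${RUN_DUMP:-0}" = 1 ]; then
    dump_all
fi
```

Start the listeners on the collector first, then run `RUN_DUMP=1 sh dump.sh` as root on the suspect server; only when the transfers have finished and the hashes are recorded in the case notes is the power switched off (step 3).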

Related topics