Recovering from a UNIX System Compromise (continued)...

Analyze the intrusion
1. Look for modifications made to system software and configuration files
2. Look for modifications to data
3. Look for tools and data left behind by the intruder
4. Review log files
5. Look for signs of a network sniffer
6. Check other systems on your network
7. Check for systems involved or affected at remote sites
8. Use statically linked binaries from a Forensics Utilities Toolkit
9. Frequently hacked programs include binaries like ps and netstat

Contact the relevant CSIRT and other sites involved
1. Incident Reporting
2. Contact the CERT Coordination Center
3. Obtain contact information for other sites involved
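Two of the "Analyze the intrusion" steps, looking for signs of a network sniffer and checking frequently replaced binaries such as ps and netstat with tools from a trusted toolkit, can be turned into repeatable checks. The script below is an added example written for this page, not material from the original slides or from any CERT publication. It assumes a Linux host where the kernel exposes each interface's flag word at /sys/class/net/<if>/flags and IFF_PROMISC is bit 0x100, and it assumes a sha256sum binary; the path passed as the hasher stands in for a statically linked copy from a forensics toolkit, since the point of step 8 is not to trust whatever sha256sum, ps or netstat the intruder may have left in $PATH. The sample files and manifest are constructed inside the script so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original page): defender-side checks for two
# "Analyze the intrusion" steps.
#   1) Sniffer indicator: an interface left in promiscuous mode.
#   2) Trojaned binaries: compare files against a known-good hash manifest,
#      calling the hashing tool by an explicit trusted path.

# Assumption: Linux flag word where IFF_PROMISC == 0x100.
# $1 is the hex flags string as read from /sys/class/net/<if>/flags.
is_promisc_flags() {
    [ $(( $1 & 256 )) -ne 0 ]
}

# Walk every interface and print those in promiscuous mode.
# Returns 0 when none is found, 1 when at least one is.
find_promisc_interfaces() {
    found=0
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        if is_promisc_flags "$(cat "$f")"; then
            echo "PROMISC: $(basename "$(dirname "$f")")"
            found=1
        fi
    done
    return $found
}

# Verify files listed in a manifest of "sha256  /path" lines (sha256sum format).
# $1 = manifest file, $2 = path to a trusted sha256sum (e.g. a static toolkit copy).
# Mismatched or missing files are reported on stderr; the return value is the
# number of such files (0 means everything matched the baseline).
verify_manifest() {
    m_file=$1
    m_hasher=$2
    bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        actual=$("$m_hasher" "$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED or MISSING: $path" >&2
            bad=$((bad + 1))
        fi
    done < "$m_file"
    return $bad
}

# Self-contained demonstration with constructed stand-ins for ps, netstat and ls:
# build a baseline manifest, then simulate a trojaned netstat and re-verify.
# Prints the number of files that no longer match the baseline.
demo() {
    d=$(mktemp -d)
    printf 'ps binary stand-in\n' > "$d/ps"
    printf 'netstat binary stand-in\n' > "$d/netstat"
    printf 'ls binary stand-in\n' > "$d/ls"
    d_hasher=$(command -v sha256sum)
    "$d_hasher" "$d/ps" "$d/netstat" "$d/ls" > "$d/baseline.sha256"
    # Intruder replaces netstat with a trojaned copy (constructed scenario).
    printf 'trojaned netstat\n' > "$d/netstat"
    if verify_manifest "$d/baseline.sha256" "$d_hasher"; then n=0; else n=$?; fi
    rm -rf "$d"
    echo "$n"
}

find_promisc_interfaces || echo "sniffer indicator: interface in promiscuous mode"
echo "files differing from baseline in demo: $(demo)"
```

In practice the baseline manifest is generated before the compromise (from installation media or a package database) and stored off-host, and both the manifest and the hashing binary are brought in from the trusted toolkit during analysis. On BSD-derived systems the promiscuous check is done by reading interface flags from ifconfig output instead of /sys.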