Network at MIT: Recovering from a Network Break-in

If you have determined that your system has been attacked, and hackers have gained access, there are a number of steps you need to take to return your system to a trusted and secure state:

  1. Contact, especially if there is a possibility of regulated data on the machine.
  2. Completely re-install your system from known-to-be-good media. You can't trust that your machine is not riddled with hacker-installed back doors or sniffers.
  3. Go to the CERT website and check for any vendor advisories concerning your version of the operating system; apply all relevant patches.
  4. All users of the affected system must change their passwords.
  5. Don't make connections into or out of the affected machine, except by Kerberized telnet.
  6. Expend the effort to ensure your machine is secure. Notify other system administrators, if you can easily identify them, so that they can correct problems.
  7. Log files found on a compromised machine may be of interest to the Network Team; send them along. Always assume that your traffic is being sniffed (because it probably is), and act to make your machine secure.
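Step 7 is easier to carry out if the logs are gathered before the reinstall in step 2 wipes them, and if the Network Team can check that what they receive is what you collected. The script below is an added example, not part of this page or of any MIT tool: it copies every file under a log directory into an evidence directory with timestamps preserved and writes a SHA-256 manifest, and `verify_manifest` re-hashes the copies against that manifest. The log directory, the evidence location and the sample log lines in `demo_setup` are all assumptions constructed for the example; how the evidence directory is then delivered (removable media, or a connection that meets step 5) is left to you.

```shell
#!/bin/sh
# Added example (not from the MIT page): collect log files from a compromised
# host into one evidence directory and record a SHA-256 manifest so that the
# recipient can verify nothing changed in transit. Paths are assumptions.

# Use whichever SHA-256 tool the host provides (coreutils or BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# preserve_logs SRC_DIR DEST_DIR
# Copies every regular file under SRC_DIR into DEST_DIR with mtime preserved
# (cp -p) and writes DEST_DIR/MANIFEST.sha256 with one "hash  path" line per
# file. Prints the number of files captured.
preserve_logs() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    manifest="$dest/MANIFEST.sha256"
    : > "$manifest"
    # Write the file list to a temp file so the read loop below runs in the
    # current shell and the counter survives (a pipe would fork a subshell).
    list="$(mktemp)"
    (cd "$src" && find . -type f | sort) > "$list"
    count=0
    while IFS= read -r f; do
        rel="${f#./}"
        mkdir -p "$dest/$(dirname "$rel")"
        cp -p "$src/$rel" "$dest/$rel"
        printf '%s  %s\n' "$(sha256_of "$dest/$rel")" "$rel" >> "$manifest"
        count=$((count + 1))
    done < "$list"
    rm -f "$list"
    echo "$count"
}

# verify_manifest DEST_DIR
# Re-hashes each file named in the manifest. Prints OK and returns 0 when all
# hashes match; otherwise prints "MISMATCH <path>" for the first bad file and
# returns 1.
verify_manifest() {
    dest="$1"
    while read -r want rel; do
        have="$(sha256_of "$dest/$rel")"
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $rel"
            return 1
        fi
    done < "$dest/MANIFEST.sha256"
    echo OK
}

# Constructed sample input: a throwaway directory standing in for /var/log,
# with a few made-up syslog lines. Prints the temp directory it created.
demo_setup() {
    d="$(mktemp -d)"
    mkdir -p "$d/logs/wtmp_dir"
    printf 'Jan  5 03:12:01 host login[221]: ROOT LOGIN on tty1\n' > "$d/logs/messages"
    printf 'Jan  5 03:12:40 host su: alice to root on /dev/pts/2\n' > "$d/logs/auth.log"
    printf 'binary-ish record\n' > "$d/logs/wtmp_dir/wtmp"
    echo "$d"
}
```

On a real host you would run `preserve_logs /var/log /mnt/evidence/logs` (adjusting both paths), keep the manifest with the copies, and the recipient runs `verify_manifest /path/to/logs` after transfer; any append or edit to a copied file is reported as a MISMATCH.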

Start with the README.athena file. This readme assumes you are installing on an Athena workstation. However, you should get the idea of what needs to be done. You will need to get a srvtab for each of the machines.