We had a report in yesterday that one of our servers had been compromised.

True to form I've got no experience of incident management (compromised machines) and my boss was out all day. So I got left with the authority but not the brains. The procedure we have for 'incidents' is quite general and not a lot of help.

The machine that was suspected of being hacked was a Citrix box used to access a finance application. The application tech was working on the machine as it had been getting a bit unstable. On checking the logs he found attempted logins on the local administrator user and on several other usernames, some of which do not exist.

The tech who reported the incident is known as a bit of a 'drama queen' who loves a good incident and would play it up as much as possible. On speaking with the head of our infrastructure team she played down the incident as much as possible pretty much regarding it as a non-event.

Some of the items produced as evidence of a compromise I was able to dismiss quite quickly but not the local admin attempts.

I asked for the box to be taken off the network immediately and for a copy of the logs to be made and sent to me. The applications tech is trawling the logs to try to narrow down a date/time for the occurrence of any attempts to get access and is going to pass these to our firewall chap, who will then try to find corroborating evidence within the firewall logs.
He is also going to check the other Citrix boxes on the network for evidence of tampering.

Infrastructure keep things quite tight round here: we are behind heavy firewalls and other points of entry are tightly controlled. The applications and development teams are known to be more 'relaxed' with security.

(Just had a thought we had a pen test two weeks ago....)

Boss is back today and there is going to be an emergency meeting of the various groups.

Did I do ok?
What should I have done differently?
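The log triage described in the post (failed logins on the local administrator account plus attempts against usernames that don't exist, narrowed to a date/time window that the firewall team can correlate) can be done with a small script rather than by hand. The following is an added example, not code from the original poster or their organisation. It works on constructed, simplified lines in the shape of Windows Security failed-logon events (Event ID 4625; the NTSTATUS value 0xC0000064 is the real "no such user" code, which is how "usernames that do not exist" shows up in the log), and the `KNOWN_ACCOUNTS` set is a hypothetical list of accounts that legitimately exist on the box.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, not real data from the post. Each line is a
# simplified rendering of a Windows Security logon event: 4625 = failed
# logon, 4624 = successful logon. Status 0xC0000064 = user name does not
# exist, 0xC000006A = wrong password, 0xC000006D = generic logon failure.
SAMPLE_LOG = """\
2024-03-11 02:14:05 EventID=4625 TargetUserName=Administrator IpAddress=10.0.5.23 Status=0xC000006D
2024-03-11 02:14:07 EventID=4625 TargetUserName=Administrator IpAddress=10.0.5.23 Status=0xC000006D
2024-03-11 02:14:09 EventID=4625 TargetUserName=admin IpAddress=10.0.5.23 Status=0xC0000064
2024-03-11 02:14:11 EventID=4625 TargetUserName=test IpAddress=10.0.5.23 Status=0xC0000064
2024-03-11 02:14:13 EventID=4625 TargetUserName=Administrator IpAddress=10.0.5.23 Status=0xC000006D
2024-03-11 09:30:00 EventID=4624 TargetUserName=jsmith IpAddress=10.0.1.14 Status=0x0
2024-03-11 09:31:42 EventID=4625 TargetUserName=jsmith IpAddress=10.0.1.14 Status=0xC000006A
"""

# Hypothetical: accounts that are known to exist on the Citrix box.
KNOWN_ACCOUNTS = {"administrator", "jsmith"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) Status=(?P<status>0x[0-9A-Fa-f]+)$"
)


def parse_failed_logons(text):
    """Return only the failed-logon (4625) events as a list of dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("eid") != "4625":
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "user": m.group("user"),
            "ip": m.group("ip"),
            "status": m.group("status"),
        })
    return events


def summarise(events, known_accounts=KNOWN_ACCOUNTS, min_attempts=3):
    """Build the items the post needs: per-account counts, accounts that do
    not exist, and a first/last time window per source IP for the firewall
    team to look at. Sources with >= min_attempts failures are flagged."""
    attempts_per_user = dict(Counter(e["user"] for e in events))
    nonexistent = sorted({e["user"] for e in events
                          if e["status"].upper() == "0XC0000064"})
    unknown = sorted({e["user"] for e in events
                      if e["user"].lower() not in known_accounts})
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["ip"]].append(e["ts"])
    windows = {
        ip: {
            "count": len(stamps),
            "first": min(stamps).isoformat(sep=" "),
            "last": max(stamps).isoformat(sep=" "),
        }
        for ip, stamps in per_ip.items()
    }
    suspicious = sorted(ip for ip, w in windows.items()
                        if w["count"] >= min_attempts)
    return {
        "attempts_per_user": attempts_per_user,
        "nonexistent_accounts": nonexistent,
        "unknown_accounts": unknown,
        "windows": windows,
        "suspicious_sources": suspicious,
    }


if __name__ == "__main__":
    report = summarise(parse_failed_logons(SAMPLE_LOG))
    for ip in report["suspicious_sources"]:
        w = report["windows"][ip]
        print(f"{ip}: {w['count']} failed logons between {w['first']} and {w['last']}")
    print("accounts that do not exist:", report["nonexistent_accounts"])
```

The output for a flagged source is exactly what the firewall team needs: a source address and a first/last timestamp to search their own logs for. Running it against all the Citrix boxes with the same `KNOWN_ACCOUNTS` list also gives a quick consistency check across the estate.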