Originally posted here by whizkid2300
With the server still on. The attacker has access to it. They control the box.



Instead of pulling the network connection you say turn the power off? Wow good idea, that way if they put something in init to erase any trace of them it's gone!



It is better to drop a server for 3-5 hours to find out what's wrong with it, fix it and put it back up.
I don't think anyone is going to disagree with me that this is horrible advice at best. Root meaning they have root, back up whats needed and reformat. "Fixing" a box that could have been modified with a new backdoored ls and kernel...


And w and who do the same ****.
Uhhhh no they don't. Who lists who's on the machine and what they are using. W lists uptime and a more brief spot on what's being used.