Suppose you have found that an intrusion has occurred. What should you do?

Quick action is needed if you suspect a break-in. Run the who command or cat /var/log/secure and check the output. If you see a suspicious IP address, take the following actions:

By examining the ps output and looking at the tty value I could probably determine what programs they were running, if any. This might point to what they were trying to accomplish by getting into the system.

Obviously, if someone does get into your system, they most likely did it by guessing or somehow determining a password. I would probably reset all the passwords to something much harder to crack, and then inform my users to pick better ones. Or probably assign them myself.

Okay, so at least one person reading this is thinking why pull out the Ethernet wire? Why not just bring down the interface? Well, because a shrewd attacker is going to think of that, and as soon as he has access, he is going to put code on the system to automatically bring the interface back up if it goes down. He may even put a timer on it, or hide it in some other way.

It is possible that an attacker had time to do all kinds of things. He may have even been able to modify the who, ps, and other commands to make it almost impossible to track what he did (or is still doing) from the running system. With this in mind, you still need to shutdown asap and then boot up with a rescue disk or equivalent. Some of the things to look at are the commands such as ps and who. Run the file command, it should show them as being a binary executable and not a shell script. If they are shell scripts, you may discover the attacker has renamed the executable files with a . to hide them, and then wrapped them around a script to help cover up his presence. There are many other ways to hide as well.