> It doesn't seem to have been mentioned on the forums, which is alarming
Really?
>> Best thing to do when dealing with this kind of stuff is disconnect the network, cold reboot off a livecd and go from there.
>> That means that they got root. You can't clean that up, it's a reinstall. [...] If you want to do forensics, make a disc image of the install and work on that. You need the filesystem free space too, as that's where the interesting stuff will be.