In this article I am examining the /var/log/auth.log file for any indication of whether, and when, my server may have been compromised.
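As an added example (not code from the original article), here is the kind of triage I would run over an auth.log extract before going line by line: it counts SSH password failures per source address, flags successful logins that follow a run of failures from the same address or that are password logins as root, and lists account creations and sudo commands for review. The log lines below are constructed for the example, using RFC 5737 documentation addresses and the classic Debian/Ubuntu syslog layout; the regexes, thresholds and function names are my own assumptions, not something the article defines.

```python
"""Added example: quick triage of an auth.log extract for signs of compromise.

Not the original article's code. SAMPLE_AUTH_LOG is constructed so the
script runs offline; pass the lines of a real file to analyse_auth_log().
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines (RFC 5737 addresses), Debian/Ubuntu auth.log style.
SAMPLE_AUTH_LOG = """\
Mar 12 04:17:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 12 04:17:03 web1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Mar 12 04:17:05 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar 12 04:17:07 web1 sshd[2107]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 12 04:17:09 web1 sshd[2109]: Failed password for root from 203.0.113.5 port 51242 ssh2
Mar 12 04:17:11 web1 sshd[2111]: Accepted password for root from 203.0.113.5 port 51244 ssh2
Mar 12 04:17:11 web1 sshd[2111]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 12 04:19:40 web1 useradd[2150]: new user: name=sysupd, UID=1003, GID=1003, home=/home/sysupd, shell=/bin/bash
Mar 12 09:02:14 web1 sshd[2300]: Accepted publickey for deploy from 198.51.100.7 port 40012 ssh2: RSA SHA256:abc
Mar 12 09:05:00 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/apt update
Mar 12 09:05:30 web1 sshd[2310]: Failed password for deploy from 198.51.100.7 port 40020 ssh2
"""

# Patterns are assumptions matching OpenSSH/PAM/shadow-utils messages as logged by syslog.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.*)$")


def analyse_auth_log(lines, brute_threshold=5):
    """Return a dict of findings; lines are processed in file order so that
    'prior_failures' only counts failures seen BEFORE the accepted login."""
    failed_by_ip = Counter()
    failed_users_by_ip = defaultdict(set)
    suspicious_logins = []
    new_users = []
    sudo_commands = []

    for line in lines:
        timestamp = line[:15]          # "Mon DD HH:MM:SS" in the classic layout
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failed_by_ip[ip] += 1
            failed_users_by_ip[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            reasons = []
            prior = failed_by_ip[ip]
            if prior:
                reasons.append(f"preceded by {prior} failed attempts from {ip}")
            if user == "root" and method == "password":
                reasons.append("password login as root")
            if reasons:
                suspicious_logins.append({"time": timestamp, "user": user, "method": method,
                                          "ip": ip, "prior_failures": prior, "reasons": reasons})
            continue
        m = USERADD_RE.search(line)
        if m:
            new_users.append(m.group(1))
            continue
        m = SUDO_RE.search(line)
        if m:
            sudo_commands.append((m.group(1), m.group(2).strip()))

    brute_force = {ip: {"attempts": n, "usernames": sorted(failed_users_by_ip[ip])}
                   for ip, n in failed_by_ip.items() if n >= brute_threshold}
    return {"brute_force": brute_force, "suspicious_logins": suspicious_logins,
            "new_users": new_users, "sudo_commands": sudo_commands}


if __name__ == "__main__":
    # Constructed sample; for a real box use: analyse_auth_log(open("/var/log/auth.log"))
    for key, value in analyse_auth_log(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Two caveats when reading the output on a box that may really have been compromised: include the rotated files (auth.log.1, auth.log.*.gz) and check for gaps in the timestamps, since clearing or truncating auth.log is a common first step after a successful login; and an empty findings list only means nothing matched these patterns, not that the host is clean.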


Recently I had the opportunity to work on a security problem. One firewall cluster member had failed and needed to be rebuilt. While typically not an issue, an additional challenge was that the software in use was so old that it was no longer available. In the end, it was absolutely necessary to use this old software, as an entire environment was built with it. Eventually we were able to find a copy of the software and major disaster was averted, but it made me wonder if maybe, just maybe, we are doing them a DISservice by providing it.

This software has documented vulnerabilities, and because it is so old and no longer supported, these vulnerabilities will NOT be patched or fixed.

Now that I have finally managed to get my old HDD mounted, it is time to actually start getting my data off, keeping what I want for analysis, formatting the drive, and getting just my data back on.

What's worth keeping? What isn't needed? I tried looking into a few things, but there was very little to really go on. So how do I gather the files I need for analysis, while being able to otherwise keep my data, and reformat the drive?

At this point I have managed to get the old HDD mounted and working on my test server and I got all the data off. Now I need to reformat the drive to ensure nothing is left, and get just my data back on so I can use it for my dedicated internal server, and once again have access to my data. Here's how I went about doing so.

My webserver didn't start out as a dedicated webserver. It started off as a bit of a home server that we could back some stuff up to. Silly me then went and added webserver capabilities to this. In retrospect that was a rather dumb idea... But you learn from your mistakes, and I certainly have with this.

But now that the hard drive has been pulled (and the server rebuilt), how do I get my data off? In a perfect world with unlimited resources, this is a non-issue. But what to do with only existing resources? A bootable Linux CD/DVD is the first thing to come to mind, but it wound up being less simple than I imagined...