Take an Ignite backup of the entire system. That is a valid snapshot that you can turn in to authorities.
Change the root password.
Get a notice to all users that their passwords are going to change.
passwd -f every user on the system.
Now all user priviledges are secure.
Check /etc/passwd
Are there any new users created by root or users with uid zero. Get rid of them.
Check the btmp and wtmp files with lastb
... go crazy checking everything else ...
I think Pete is right. If you've truly been compromised, the only way to be sure you have a clean system is to roll vg00 back to a safe state. If the system is laid out correctly this hould not effect customer data or software installation. I do all that in vg01. I keep my systems in a constant state that can let me roll vg00 back months if need be without much effect on the user community other than password issues.
The thing is, before you lay down Ignite you need to figure out how you were compromised so you can get the Ignite tape with the right date and then take action to plug the hole.
Some things to consider:
Two thirds of compromises are from the inside. Disgruntled but way to smart employees, hackers that got menial jobs so they could work from the inside. People who did the old over the shoulder in operations when the looked up the root password. Stuff like that.
Actions part ii.
get Batille
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA and install it on your system.
Get a copy of the book Practical Unix and Internet Security by Farfinkel and Spaford and read it. Implement what it recommends.
If there is money in the budget attend HP's Practial Network Security Course and its Internet Security Course.
SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
