
Incident Response: The CLI Playbook

Modern DevSecOps (The Hard Way)

When You've Been Hacked

When an alert triggers, you need a plan, and the commands for it should be written down and tested before the incident, not typed from memory at 3 a.m.

  1. Isolate: Block the attacker's IP via iptables. Insert a DROP rule at position 1 of both INPUT and OUTPUT so it takes precedence over any ACCEPT rule already in the chain; if you cannot tell which address is the attacker's, take the host off the network entirely rather than guessing.
  2. Identify: Use lsof -i -n -P to see current network connections together with the command, PID and user behind each one (-n and -P skip DNS and service-name lookups, so the output is fast and shows raw addresses and ports). Save that output with the rest of the evidence; established sockets disappear as soon as the sessions time out or the host is rebuilt.
  3. Preserve: Copy logs to a secure location for forensic analysis. Keep the original timestamps (cp -p), record a SHA-256 hash of every copied file so the copies can later be shown to be unmodified, and never edit, truncate or rotate the originals on the compromised host.
  4. Restore: Redeploy from a known clean image in your CI/CD, referenced by its immutable digest rather than a mutable tag that could have been repointed, and rotate every credential the compromised host could read before the replacement goes live; otherwise the attacker walks straight back in with the keys they already took.
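The four steps as one runnable shell file, added here as an example (it is not code from the course). It assumes a Linux host with iptables, lsof and sha256sum, and, for the restore step, a Docker-based deployment; the privileged commands run through a DRY_RUN wrapper that defaults to printing them, so the file can be sourced and exercised without root. The lsof output is a constructed sample, not a real capture, and the docker commands are an assumption about the deployment target.

```shell
#!/usr/bin/env bash
# ir-playbook.sh: the four playbook steps as reusable shell functions.
# Added example for this lesson, not code from the course. Assumes a Linux
# host with iptables, lsof, sha256sum and (for the restore step) docker.
# DRY_RUN=1 (the default) only prints the privileged commands, so the file
# can be sourced and exercised without root; set DRY_RUN=0 on a real incident.
set -eu

DRY_RUN="${DRY_RUN:-1}"

ir_run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "[dry-run] $*"
    else
        "$@"
    fi
}

# Step 1, Isolate: drop traffic to and from the attacker IP. The rules are
# inserted at position 1 so they take precedence over any ACCEPT rule below.
# Only dotted-quad IPv4 is accepted, which also keeps shell metacharacters out.
ir_isolate_ip() {
    local ip="$1"
    case "$ip" in
        ""|*[!0-9.]*) echo "ir_isolate_ip: not an IPv4 address: '$ip'" >&2; return 1 ;;
    esac
    ir_run iptables -I INPUT 1 -s "$ip" -j DROP
    ir_run iptables -I OUTPUT 1 -d "$ip" -j DROP
}

# Step 2, Identify: reduce `lsof -i -n -P` output (read from stdin, so a saved
# capture can be re-parsed later) to "COMMAND PID REMOTE_IP" for every
# ESTABLISHED connection, one line per distinct triple.
ir_peers_from_lsof() {
    awk '$NF == "(ESTABLISHED)" {
            n = split($(NF - 1), ends, "->");   # NAME is local:port->remote:port
            if (n == 2) {
                sub(/:[0-9]+$/, "", ends[2]);    # strip the remote port
                print $1, $2, ends[2];
            }
        }' | sort -u
}

# Constructed sample of `lsof -i -n -P` output (not a real capture): an SSH
# session with two sockets, the listener, and an outbound nc connection.
IR_SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1234 root 4u IPv4 0x1 0t0 TCP 10.0.0.5:22->203.0.113.9:51234 (ESTABLISHED)
sshd 1234 root 5u IPv4 0x3 0t0 TCP 10.0.0.5:22->203.0.113.9:51240 (ESTABLISHED)
sshd 900 root 3u IPv4 0x2 0t0 TCP *:22 (LISTEN)
nc 2222 www-data 3u IPv4 0x4 0t0 TCP 10.0.0.5:44321->198.51.100.7:4444 (ESTABLISHED)'

# Step 3, Preserve: copy files into an evidence directory keeping their
# timestamps, record a SHA-256 for each, and make the copies read-only.
# The originals on the host are never touched.
ir_preserve() {
    local dest="$1" f name
    shift
    mkdir -p "$dest"
    for f in "$@"; do
        cp -p "$f" "$dest/"
        name="${f##*/}"
        # Hash from inside $dest so the manifest holds bare file names and
        # `sha256sum -c SHA256SUMS.txt` verifies it from that directory.
        (cd "$dest" && sha256sum "$name")
    done > "$dest/SHA256SUMS.txt"
    chmod a-w "$dest"/*
}

# Step 4, Restore: only redeploy an image pinned by digest. A tag such as
# app:latest can be repointed; app@sha256:<digest> cannot. The docker
# commands are an assumption about the deployment target.
ir_restore() {
    local ref="$1"
    case "$ref" in
        *@sha256:[0-9a-f]*) ;;
        *) echo "ir_restore: refusing unpinned image reference: $ref" >&2; return 1 ;;
    esac
    ir_run docker pull "$ref"
    ir_run docker run -d --name app-clean "$ref"
}

# Demo of the full flow; run with IR_DEMO=1 to see the dry-run output.
if [ "${IR_DEMO:-0}" = "1" ]; then
    demo_dir=$(mktemp -d)
    ir_isolate_ip 203.0.113.9
    printf '%s\n' "$IR_SAMPLE_LSOF" | tee "$demo_dir/lsof-capture.txt" | ir_peers_from_lsof
    ir_preserve "$demo_dir/evidence" "$demo_dir/lsof-capture.txt"
    cat "$demo_dir/evidence/SHA256SUMS.txt"
    ir_restore registry.example/app@sha256:0000000000000000000000000000000000000000000000000000000000000000
fi
```

Source the file (`. ./ir-playbook.sh`) to get the functions, or run `IR_DEMO=1 bash ir-playbook.sh` for the dry-run walk-through. The isolate function validates its argument before it ever reaches iptables, the preserve function writes a manifest that `sha256sum -c` can verify later, and the restore function refuses a tag-only image reference outright, which is the check most likely to be skipped under pressure.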