If you are physically present when an attack is happening and doing the following will not adversely affect any business transactions, simply unplug the NIC until you can figure out what the intruder did and secure the box. Disabling the network at layer 1 is the only true way to keep the attacker out of the compromised box.
If you really want to fix the compromise quickly, you should remove the compromised host from your network and re-install the operating system from scratch. Reinstalling alone will not help if you do not know how the intruder got root, since the same hole will still be open. In that case you must check everything: firewall logs, file integrity, loghost logfiles and so on. For more information on what to do following a break-in, see