Security Incidents mailing list archives

Re: Cracked; rootkit - entrapment question?

From: rgula () SECURITYWIZARDS COM (Ron Gula)
Date: Thu, 2 Mar 2000 07:04:32 -0500

      One of my clients had a cracker gain root on the webserver last night.

      The cracker installed what appears to be Linux Rootkit 4, and I'm
diligently removing all of the binaries as we speak - but I'm not really
willing to stop there.

      I'd like to create a honeypot of sorts; a chroot environment that looks
and feels like the machine, and that allows the cracker to do everything
he normally would want to from the shell.  I'd like to log everything to
another machine, and get the police in on it.

      My question is this:  how far can I go while remaining legal?  Is this
entrapment?  I really despise these kids - if you're going to hack my
machines, at least show some prowess at it!  They did, unfortunately,
wipe the utmp and wtmp entries, remove themselves from all the logs, etc
- so I don't really have too much to start from.


First off, you may have a tough time getting the police to investigate
your incident unless you have real good evidence it is someone in their
jurisdiction. Local police forces are coming up to speed, but most of
them tend to deal for computer child porn.

As for a Honeypot, if you have the rootkits then you should be able to
determine the backdoor passwords. Set up a second, identical box to
yours, with the original rootkits. Use a NAT device to send any highport
backdoor traffic to this other box. If you know the source IPs of the
hacker, use the NAT again to send all of his traffic to the other box.

Legally you can do almost anything you want to protect your network, but
as for collecting evidence of hackers, honeypots are not as well understood
by the legal system (case law, etc.) as firewall logs for instance.

You should also think about deploying an IDS of some sort if you don't
have one. There are many commercial and open source solutions available
and most have been advertised here in some aspect or another.

Ron Gula, CTO
Network Security Wizards
http://www.securitywizards.com

Current thread:

Cracked; rootkit - entrapment question? Drew Smith (Mar 01)
- Re: Cracked; rootkit - entrapment question? Robert Graham (Mar 02)
- Re: Cracked; rootkit - entrapment question? Ron Gula (Mar 02)
- Re: Cracked; rootkit - entrapment question? Jason Spence (Mar 02)
  - Re: Cracked; rootkit - entrapment question? Paul Flores (Mar 02)
  - getting to the point with DDoS thomas lakofski (Mar 02)
    - Re: getting to the point with DDoS Ryan Russell (Mar 05)
    - Re: getting to the point with DDoS thomas lakofski (Mar 07)
- Re: Cracked; rootkit - entrapment question? 1Lt Rob Lee (Mar 02)
  - E-mail attatchment xum mux (Mar 02)
  - Re: Cracked; rootkit - entrapment question? Ryan Russell (Mar 02)
  - Re: Cracked; rootkit - entrapment question? David Brumley (Mar 02)
- Re: Cracked; rootkit - entrapment question? Lance Spitzner (Mar 02)

(Thread continues...)