Security Incidents mailing list archives
Re: Cracked; rootkit - entrapment question?
From: pauls () UTDALLAS EDU (Paul L Schmehl)
Date: Thu, 2 Mar 2000 09:43:43 -0600
IANAL, but how can it be entrapment? He has to break in to the machine before he gets tracked and logged. Even if you have a machine that's grossly misconfigured and wide open to hacking, that doesn't justify people hacking it. I say set it up, and let the script kiddie indict himself. --On 3/1/00, 10:23 AM -0800 Drew Smith <drew () PCTC COM> wrote:
Hey all, One of my clients had a cracker gain root on the webserver last night. The cracker installed what appears to be Linux Rootkit 4, and I'm diligently removing all of the binaries as we speak - but I'm not really willing to stop there. I'd like to create a honeypot of sorts; a chroot environment that looks and feels like the machine, and that allows the cracker to do everything he normally would want to from the shell. I'd like to log everything to another machine, and get the police in on it. My question is this: how far can I go while remaining legal? Is this entrapment? I really despise these kids - if you're going to hack my machines, at least show some prowess at it! They did, unfortunately, wipe the utmp and wtmp entries, remove themselves from all the logs, etc - so I don't really have too much to start from. The machine is running Redhat 3.0.3 (that's why they're my clients; I'm replacing that machine with an RH6.1 machine, hardened and optimized) with kernel 2.0.36. I'm thinking that I should reinstate the logins that the cracker added, chroot them to a look-alike filesystem, and track every step he takes. Any experts have any comments? Is this fully legal? Should I talk to the police now, or after I have the evidence? Anyone have any tips on removing the rootkit (non-obvious ones, I've got the rootkit sources and some experience with it)? Anything's welcome, Cheers, - Drew.
Paul L. Schmehl, pauls () utdallas edu Technical Support Services Manager The University of Texas at Dallas
Current thread:
- Re: Cracked; rootkit - entrapment question?, (continued)
- Re: Cracked; rootkit - entrapment question? Jason Spence (Mar 02)
- Re: Cracked; rootkit - entrapment question? Paul Flores (Mar 02)
- getting to the point with DDoS thomas lakofski (Mar 02)
- Re: getting to the point with DDoS Ryan Russell (Mar 05)
- Re: getting to the point with DDoS thomas lakofski (Mar 07)
- Re: Cracked; rootkit - entrapment question? Jason Spence (Mar 02)
- Re: Cracked; rootkit - entrapment question? 1Lt Rob Lee (Mar 02)
- E-mail attatchment xum mux (Mar 02)
- Re: Cracked; rootkit - entrapment question? Ryan Russell (Mar 02)
- Re: Cracked; rootkit - entrapment question? David Brumley (Mar 02)
- Re: Cracked; rootkit - entrapment question? Lance Spitzner (Mar 02)
- Re: Cracked; rootkit - entrapment question? Paul L Schmehl (Mar 02)
- Re: Cracked; rootkit - entrapment question? Mike Fratto (Mar 02)
- Re: Cracked; rootkit - entrapment question? Simple Nomad (Mar 02)
- Re: Cracked; rootkit - entrapment question? Dave Dittrich (Mar 02)
- Re: Cracked; rootkit - entrapment question? Jon Lewis (Mar 02)
- Re: Cracked; rootkit - entrapment question? rain forest puppy (Mar 02)
- Re: Cracked; rootkit - entrapment question? Jordan Ritter (Mar 03)
- Re: Cracked; rootkit - entrapment question? CL: Nelson, Jeff (Mar 02)
- Re: Cracked; rootkit - entrapment question? Jon Lewis (Mar 02)
- Re: Cracked; rootkit - entrapment question? Craig H. Rowland (Mar 02)
- Re: Cracked; rootkit - entrapment question? Granquist, Lamont (Mar 03)