Security Incidents mailing list archives
Re: Cracked; rootkit - entrapment question?
From: thegnome () NMRC ORG (Simple Nomad)
Date: Thu, 2 Mar 2000 09:53:32 -0600
On Wed, 1 Mar 2000, Drew Smith wrote:
Hey all,

One of my clients had a cracker gain root on the webserver last night. The cracker installed what appears to be Linux Rootkit 4, and I'm diligently removing all of the binaries as we speak - but I'm not really willing to stop there. I'd like to create a honeypot of sorts; a chroot environment that looks and feels like the machine, and that allows the cracker to do everything he normally would want to from the shell. I'd like to log everything to another machine, and get the police in on it.

My question is this: how far can I go while remaining legal? Is this entrapment? I really despise these kids - if you're going to hack my machines, at least show some prowess at it! They did, unfortunately, wipe the utmp and wtmp entries, remove themselves from all the logs, etc - so I don't really have too much to start from.

The machine is running Redhat 3.0.3 (that's why they're my clients; I'm replacing that machine with an RH6.1 machine, hardened and optimized) with kernel 2.0.36. I'm thinking that I should reinstate the logins that the cracker added, chroot them to a look-alike filesystem, and track every step he takes.

Any experts have any comments? Is this fully legal? Should I talk to the police now, or after I have the evidence? Anyone have any tips on removing the rootkit (non-obvious ones, I've got the rootkit sources and some experience with it)?
As a former Fortune 500 security administrator, whenever we would get a request for a honeypot, we'd shoot it down. There was always something else that needed attention, and you could get more "bang for your buck" by spending time on other things. This was besides the possible legal issues.

If you reinstate the logins that the cracker added, you have essentially said 1) further access is invited, thereby giving the cracker's attorneys some excellent reasons to say they were welcomed, and 2) the fact that you reinstate them might give reason to suggest that the first intrusion was welcomed. I am not an attorney but I certainly would consider those points. Attorneys at former employers pointed these things out to me.

All you can do is hope that you can gain enough information from the honeypot to validate any existing forensic data you have collected. The honeypot data itself cannot be considered actual intrusion data. And if they break out of your chrooted environment and rm you, forget it. You invited them in, and a good defense attorney would use that against you.

Normal crime prevention techniques for car theft, for example, state that you should try and make your car less vulnerable than someone else's car - don't leave the keys in, lock the doors, use a car alarm, etc. And certainly leave the investigations and sting operations up to professional law enforcement. However, due to the ownership mentality that is probably due to the immediacy and customizability of the personal computer, sys admins have a sense of ownership that suggests they can 1) conduct their own investigations, 2) successfully maintain a safe legal standpoint during their investigation, and 3) the police/DA will happily assume all evidence presented has not been tainted and is legally admissible in court.
If you are going to pursue it, involve the police before you do anything, but expect them to not participate (at least to your level of satisfaction) due to case workload, lack of computer expertise, low monetary loss, and (as it sounds in your case) lack of existing hard evidence pointing to the intruder.

- Simple Nomad - No rest for the Wicca'd -
- thegnome () nmrc org - www.nmrc.org -
- thegnome () razor bindview com - razor.bindview.com -