Security Incidents mailing list archives
Re: Cracked; rootkit - entrapment question?
From: thalakan () TECHNOLOGIST COM (Jason Spence)
Date: Thu, 2 Mar 2000 04:24:24 -0800
Drew Smith wrote:
> I'd like to create a honeypot of sorts; a chroot environment that looks and feels like the machine, and that allows the cracker to do everything he normally would want to from the shell. I'd like to log everything to another machine, and get the police in on it.
Funny, I had exactly the same idea Monday night. I'm even writing a paper on how to make the fake environment indistinguishable from the true one. Involves system-level patches to make it foolproof to really bright people, I'm afraid :( Gonna have to patch the syscall mechanism and IP stack to deal with separating the real and fake connections properly, too. I'm not sure I'm up to that level of work so I can fool an additional 0.01% of the potential intruders. Someone's probably already thought of this, but I think a good mechanism to trigger the dummy environment is as simple as replacing /bin/sh with the dummy and sticking the real shell somewhere else, as opposed to patching login and doing it by the user account. Since I make a custom distro for some of my servers, and those servers perform dedicated tasks, it was easier than I thought. I just did a couple of variations on find | xargs grep '/bin/sh' in the source tree and found it hardcoded in a few places (can someone PLEASE explain to me why perl does a system(csh) in places???). I've seen a lot of shellcode in buffer exploits that assumes that there IS a /bin/sh, but I'm sure there's all sorts of work to do to make sure you don't accidentally trigger the fake environment for real users and you do for all the wacky stuff the bad guys are trying.
> My question is this: how far can I go while remaining legal? Is this entrapment? I really despise these kids - if you're going to hack my machines, at least show some prowess at it! They did, unfortunately, wipe the utmp and wtmp entries, remove themselves from all the logs, etc - so I don't really have too much to start from.
I'm going to ask the lawyers at work as soon as I have working code. I really have no idea, except some vague notion that it has to do with prior intent and coercing the bad guys into doing something naughty that they wouldn't have done ordinarily. I figure if my dummy environment doesn't look like some dork set up a non-password-protected root account and there IS some cracking involved to get "root" in the chroot()ed dummy environment, I should be ok. I'm not sure if this is a plus or a minus to the open source way of doing things, but I've found it to be trivial to get older, vulnerable versions of system utilities to stick in the dummy environment.
> The machine is running Redhat 3.0.3 (that's why they're my clients; I'm replacing that machine with an RH6.1 machine, hardened and optimized) with kernel 2.0.36. I'm thinking that I should reinstate the logins that the cracker added, chroot them to a look-alike filesystem, and track every step he takes.
About making the dummy filesystem realistic: you can (on my test machines, at least...) mount /proc in the dummy filesystem readonly, regardless of whether it's already mounted in /proc. You can patch mount and umount to ignore the /proc filesystem and the fake fstab if you think they're bright enough to do a mount /proc -o remount if they're playing with the sysctl files. You could also just copy all the real /proc files to the fake /proc. The only disadvantage to this is that the /proc directories don't update every time processes change, but there's usually, like, 50 directories in there and the people I've asked say they wouldn't notice if it didn't change. Mine doesn't want to copy /proc/kmsg for some reason, and I'm wary of copying /proc/kcore to the fake /proc as well. dd if=/dev/random of=kcore, maybe?
> Any experts have any comments? Is this fully legal? Should I talk to the police now, or after I have the evidence? Anyone have any tips on removing the rootkit (non-obvious ones, I've got the rootkit sources and some experience with it)?
I got rooted a couple of times two years ago by a mountd vulnerability and a pop3 server vulnerability. When I called up the FBI field office, they blew me off because the losses were <$10,000 and there wasn't much evidence to speak of. I really screamed and yelled and pulled out the syslogs and waved them around, but they still said that there wasn't a good case and they had more important things to do. *sigh* I hope things have gotten better in the last couple of years. - Jason
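[Editor's note] The /bin/sh swap Jason describes, worked through as an added example; this is not code from the thread or from either poster. The dispatcher is installed as /bin/sh, the genuine shell is moved to a hidden path and a second copy sits inside the decoy tree. On each invocation it reads the parent's command name from /proc/<ppid>/stat (the "(comm)" field, which Linux truncates to 15 characters), applies a small allow-list policy, syslogs the decision so the log can be forwarded off-host with a syslog.conf line such as "auth.* @loghost", and then either exec()s the real shell or chroot()s into the decoy first. The paths, the facility and the trusted-parent names are assumptions; a real deployment grows the list until every legitimate caller of /bin/sh (init scripts, cron, a user's shell running a "#!/bin/sh" script) is covered, which is exactly the "all sorts of work" the post mentions. Two caveats a practitioner would add: chroot() is not a containment boundary for a process that already has root (it can mkdir, chroot() into the subdirectory and chdir("..") out, or mknod a disk device and read the real filesystem), which is where Jason's planned syscall patching comes in; and because /proc is shared, processes running the hidden genuine shell show up in the intruder's ps under its basename, so that name should look unremarkable.

```c
/*
 * Decoy /bin/sh dispatcher (added example, not code from the original thread).
 * Installed in place of /bin/sh; the genuine shell lives at a hidden path and
 * an identical copy lives inside the honeypot root.  Every invocation is
 * classified, logged via syslog (forward auth.* to another host in
 * syslog.conf), and then exec'd either directly or inside a chroot().
 * All paths and the trusted-parent list below are assumptions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>
#include <sys/types.h>

#define REAL_SHELL_PATH  "/usr/lib/.sh.real"   /* assumed hiding place           */
#define HONEYPOT_ROOT    "/var/honeypot"       /* assumed decoy tree             */
#define DECOY_SHELL_PATH "/bin/sh"             /* copy of the shell in the chroot */

enum shell_choice { USE_REAL_SHELL, USE_DECOY_SHELL };

struct session_ctx {
    uid_t uid;
    int   interactive;      /* stdin is a terminal */
    int   has_script_arg;   /* "sh file" or "sh -c '...'" rather than a bare login */
    char  parent_comm[32];  /* comm field of the parent process */
};

/* Parents allowed to hand out the genuine shell (assumed list).  Anything else,
 * e.g. a network daemon that suddenly spawns /bin/sh with no terminal, is
 * diverted.  ".sh.real" lets a real user's shell run ordinary subshells. */
static const char *const trusted_parents[] = {
    "init", "login", "sshd", "cron", "crond", "su", "getty", "in.telnetd",
    ".sh.real", NULL
};

/* Extract the "(comm)" field from a /proc/<pid>/stat line.  The name itself
 * may contain spaces or parentheses, so take the first '(' and the last ')'.
 * Returns 0 on success, -1 on malformed input. */
int parse_comm(const char *stat_line, char *out, size_t outlen)
{
    const char *lp = strchr(stat_line, '(');
    const char *rp = strrchr(stat_line, ')');
    size_t n;
    if (!lp || !rp || rp <= lp) return -1;
    n = (size_t)(rp - lp - 1);
    if (n >= outlen) n = outlen - 1;
    memcpy(out, lp + 1, n);
    out[n] = '\0';
    return 0;
}

/* Policy: only a session spawned by a trusted parent gets the real shell.
 * uid and tty state are logged for tuning the list but do not earn the real
 * shell on their own: shellcode running inside a compromised daemon may
 * already be uid 0 and never has a terminal. */
enum shell_choice choose_shell(const struct session_ctx *ctx)
{
    int i;
    for (i = 0; trusted_parents[i] != NULL; i++)
        if (strcmp(ctx->parent_comm, trusted_parents[i]) == 0)
            return USE_REAL_SHELL;
    return USE_DECOY_SHELL;
}

/* Fill the context from the live process: uid, tty, argv and parent's comm. */
static void gather_ctx(struct session_ctx *ctx, int argc)
{
    char path[64], line[512];
    FILE *f;
    memset(ctx, 0, sizeof *ctx);
    ctx->uid = getuid();
    ctx->interactive = isatty(STDIN_FILENO);
    ctx->has_script_arg = argc > 1;
    strcpy(ctx->parent_comm, "?");
    snprintf(path, sizeof path, "/proc/%d/stat", (int)getppid());
    if ((f = fopen(path, "r")) != NULL) {
        if (fgets(line, sizeof line, f) != NULL)
            parse_comm(line, ctx->parent_comm, sizeof ctx->parent_comm);
        fclose(f);
    }
}

int main(int argc, char **argv)
{
    struct session_ctx ctx;
    enum shell_choice choice;

    gather_ctx(&ctx, argc);
    choice = choose_shell(&ctx);
    openlog("shdispatch", LOG_PID, LOG_AUTH);

    /* chroot() needs root; if it fails the caller simply gets the real
     * shell, which is what it would have got before the swap. */
    if (choice == USE_DECOY_SHELL &&
        (chroot(HONEYPOT_ROOT) != 0 || chdir("/") != 0)) {
        syslog(LOG_WARNING, "chroot(%s) failed, handing out real shell",
               HONEYPOT_ROOT);
        choice = USE_REAL_SHELL;
    }
    syslog(LOG_NOTICE, "uid=%d tty=%d script=%d parent=%s -> %s",
           (int)ctx.uid, ctx.interactive, ctx.has_script_arg,
           ctx.parent_comm, choice == USE_REAL_SHELL ? "real" : "decoy");
    closelog();

    /* argv is passed through unchanged so "-sh" login semantics survive. */
    execv(choice == USE_DECOY_SHELL ? DECOY_SHELL_PATH : REAL_SHELL_PATH, argv);
    perror("execv");
    return 127;
}
```

Build it, copy the real shell to the hidden path and into the decoy tree, then install the binary as /bin/sh; until the allow-list is right, run it with the chroot() call commented out and watch the syslog lines to see which legitimate callers it would have diverted.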
Current thread:
- Cracked; rootkit - entrapment question? Drew Smith (Mar 01)
- Re: Cracked; rootkit - entrapment question? Robert Graham (Mar 02)
- Re: Cracked; rootkit - entrapment question? Ron Gula (Mar 02)
- Re: Cracked; rootkit - entrapment question? Jason Spence (Mar 02)
- Re: Cracked; rootkit - entrapment question? Paul Flores (Mar 02)
- getting to the point with DDoS thomas lakofski (Mar 02)
- Re: getting to the point with DDoS Ryan Russell (Mar 05)
- Re: getting to the point with DDoS thomas lakofski (Mar 07)
- Re: Cracked; rootkit - entrapment question? 1Lt Rob Lee (Mar 02)
- E-mail attatchment xum mux (Mar 02)
- Re: Cracked; rootkit - entrapment question? Ryan Russell (Mar 02)
- Re: Cracked; rootkit - entrapment question? David Brumley (Mar 02)
- Re: Cracked; rootkit - entrapment question? Lance Spitzner (Mar 02)
- Re: Cracked; rootkit - entrapment question? Paul L Schmehl (Mar 02)