Security Incidents mailing list archives

Re: Cracked; rootkit - entrapment question?


From: thalakan () TECHNOLOGIST COM (Jason Spence)
Date: Thu, 2 Mar 2000 04:24:24 -0800


Drew Smith wrote:

I'd like to create a honeypot of sorts; a chroot environment that looks
and feels like the machine, and that allows the cracker to do everything
he normally would want to from the shell.  I'd like to log everything to
another machine, and get the police in on it.

Funny, I had exactly the same idea Monday night.  I'm even writing a paper
on how to make the fake environment indistinguishable from the true one.
Involves system-level patches to make it foolproof to really bright people,
I'm afraid :( Gonna have to patch the syscall mechanism and IP stack to deal
with separating the real and fake connections properly, too.  I'm not sure
I'm up to that level of work so I can fool an additional 0.01% of the
potential intruders.

Someone's probably already thought of this, but I think a good mechanism to
trigger the dummy environment is as simple as replacing /bin/sh with the
dummy and sticking the real shell somewhere else, as opposed to patching
login and doing it by the user account.  Since I make a custom distro for
some of my servers, and those servers perform dedicated tasks, it was easier
than I thought.  I just did a couple variations on find | xargs grep
'/bin/sh'  in the source tree and found it hardcoded in a few places (can
someone PLEASE explain to me why perl does a system(csh) in places???).
I've seen a lot of shellcode in buffer exploits that assumes that there IS a
/bin/sh, but I'm sure there's all sorts of work to do to make sure you don't
accidentally trigger the fake environment for real users and you do for all
the wacky stuff the bad guys are trying.

My question is this:  how far can I go while remaining legal?  Is this
entrapment?  I really despise these kids - if you're going to hack my
machines, at least show some prowess at it!  They did, unfortunately,
wipe the utmp and wtmp entries, remove themselves from all the logs, etc
- so I don't really have too much to start from.

I'm going to ask the lawyers at work as soon as I have working code.  I
really have no idea, except some vague notion that it has to do with prior
intent and coercing the bad guys into doing something naughty that they
wouldn't have done ordinarily.  I figure if my dummy environment doesn't
look like some dork set up a non-password-protected root account and there
IS some cracking involved to get "root" in the chroot()ed dummy environment,
I should be ok.  I'm not sure if this is a plus or a minus to the open
source way of doing things, but I've found it to be trivial to get older,
vulnerable versions of system utilities to stick in the dummy environment.

The machine is running Redhat 3.0.3 (that's why they're my clients; I'm
replacing that machine with an RH6.1 machine, hardened and optimized)
with kernel 2.0.36.  I'm thinking that I should reinstate the logins
that the cracker added, chroot them to a look-alike filesystem, and
track every step he takes.

About making the dummy filesystem realistic: you can (on my test machines,
at least...) mount /proc in the dummy filesystem readonly, regardless of
whether it's already mounted in /proc.  You can patch mount and umount to
ignore the /proc filesystem and the fake fstab if you think they're bright
enough to do a mount /proc -o remount if they're playing with the sysctl
files.  You could also just copy all the real /proc files to the fake
/proc.  The only disadvantage to this is that the /proc directories don't
update every time processes change, but there's usually, like, 50
directories in there and the people I've asked say they wouldn't notice if
it didn't change.  Mine doesn't want to copy /proc/kmsg for some reason, and
I'm wary of copying /proc/kcore to the fake /proc as well.  dd
if=/dev/random of=kcore, maybe?

Any experts have any comments?  Is this fully legal?  Should I talk to
the police now, or after I have the evidence?  Anyone have any tips on
removing the rootkit (non-obvious ones, I've got the rootkit sources and
some experience with it)?

I got rooted a couple times two years ago by a mountd vulnerability and a
pop3 server vulnerability.  When I called up the FBI field office, they blew
me off because the losses were <$10,000 and there wasn't much evidence to
speak of.  I really screamed and yelled and pulled out the syslogs and waved
them around, but they still said that there wasn't a good case and they had
more important things to do.  *sigh*  I hope things have gotten better in
the last couple years.

 - Jason
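The trigger Jason sketches (replace /bin/sh with a dummy, park the genuine shell elsewhere, log the intruder's session to another machine) can be shown in a few dozen lines. The following is an added example, not code from the post or from either poster: a wrapper installed as /bin/sh that hands allow-listed UIDs straight to the genuine shell and gives everyone else a shell whose every input line is shipped to a remote syslog collector before it runs. The paths and addresses (REAL_SHELL, COLLECTOR, ALLOWED_UIDS) are placeholders, and the look-alike chroot itself is assumed to be set up by privileged code outside this script, as the post's patched login would do.

```python
"""Logging /bin/sh wrapper for a chroot honeypot.

Added example, not code from the post.  The genuine shell is moved to
REAL_SHELL, this wrapper takes its place, legitimate users are exec'd
into the genuine shell, and every other session is relayed to it with
each command line logged to a remote collector first.  The look-alike
chroot is assumed to be entered by privileged code before this runs.

Placeholders (not from the post): REAL_SHELL, COLLECTOR, ALLOWED_UIDS.
"""
import os
import socket
import subprocess
import sys
import time

REAL_SHELL = "/usr/lib/hp/real-sh"      # placeholder: where the genuine shell was moved
COLLECTOR = ("192.0.2.10", 514)         # placeholder: remote collector (RFC 5737 test address)
ALLOWED_UIDS = frozenset({0, 1000})     # placeholder: real accounts; leave empty in the jail copy

LOG_LOCAL0_INFO = 16 * 8 + 6            # RFC 3164 PRI: facility local0 (16) * 8 + severity info (6)
MAX_SYSLOG_BYTES = 1024                 # RFC 3164 packet size limit
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def choose_path(uid, allowed=ALLOWED_UIDS):
    """'real' for allow-listed UIDs, 'honeypot' for everyone else."""
    return "real" if uid in allowed else "honeypot"


def syslog_message(hostname, tag, text, priority=LOG_LOCAL0_INFO, epoch=None):
    """Build an RFC 3164 line '<PRI>Mmm dd hh:mm:ss HOST TAG: MSG' (UTC, max 1024 bytes).

    Newlines are escaped so one command line is always exactly one log record;
    the month table avoids locale-dependent strftime output.
    """
    t = time.gmtime(time.time() if epoch is None else epoch)
    stamp = "%s %2d %02d:%02d:%02d" % (MONTHS[t.tm_mon - 1], t.tm_mday,
                                      t.tm_hour, t.tm_min, t.tm_sec)
    text = text.replace("\r", "\\r").replace("\n", "\\n")
    msg = "<%d>%s %s %s: %s" % (priority, stamp, hostname, tag, text)
    return msg.encode("utf-8", "replace")[:MAX_SYSLOG_BYTES].decode("utf-8", "ignore")


def record(sock, hostname, tag, text):
    """Ship one record to the collector over UDP; returns the record text."""
    msg = syslog_message(hostname, tag, text)
    sock.sendto(msg.encode("utf-8"), COLLECTOR)
    return msg


def honeypot_session(stdin=sys.stdin, sock=None):
    """Relay an interactive session to the genuine shell, logging each line before it runs.

    One long-lived shell keeps cwd and variables across lines, which a per-line
    'sh -c' would not.  Stdout and stderr stay attached to the intruder's
    terminal.  The post's "indistinguishable" goal would need a pseudo-terminal
    relay as well; this keeps to the remote-logging mechanism.
    """
    sock = sock or socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    hostname = socket.gethostname()
    tag = "honeypot[%d]" % os.getpid()
    record(sock, hostname, tag, "session start uid=%d" % os.getuid())
    shell = subprocess.Popen([REAL_SHELL, "-i"], stdin=subprocess.PIPE)
    try:
        for line in stdin:
            record(sock, hostname, tag, line.rstrip("\n"))
            shell.stdin.write(line.encode("utf-8", "replace"))
            shell.stdin.flush()
    except BrokenPipeError:          # the shell exited (e.g. 'exit'); nothing more to relay
        pass
    finally:
        if not shell.stdin.closed:
            shell.stdin.close()
    status = shell.wait()
    record(sock, hostname, tag, "session end status=%d" % status)
    return status


if __name__ == "__main__":
    if choose_path(os.getuid()) == "real":
        # Legitimate user: become the genuine shell with the same arguments.
        os.execv(REAL_SHELL, [REAL_SHELL] + sys.argv[1:])
    sys.exit(honeypot_session())
```

The collector side is plain syslog over UDP, so any existing syslogd on the logging host can receive it; logging each line before it is handed to the shell means the record survives even if the next command wipes the local logs, which is exactly the gap Drew describes with utmp and wtmp.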

