Security Incidents mailing list archives
Re: Cracked; rootkit - entrapment question?
From: Nathan.Lison () FORTJAMESMAIL COM (Lison, Nathan)
Date: Thu, 2 Mar 2000 10:59:10 -0500
I really don't think the police would do anything about this incident anyway. Thousands of hacks are preformed each day and the attackers rarely get busted. If they didn't destroy your system I don't see what is wrong, it is there way of showing you that you need to secure your system. Maybe try a differant distro of linux. Nate Lison nathan.lison () fortjamesmail com -----Original Message----- From: Drew Smith [mailto:drew () PCTC COM] Sent: Wednesday, March 01, 2000 12:24 PM To: INCIDENTS () SECURITYFOCUS COM Subject: Cracked; rootkit - entrapment question? Hey all, One of my clients had a cracker gain root on the webserver last night. The cracker installed what appears to be Linux Rootkit 4, and I'm diligently removing all of the binaries as we speak - but I'm not really willing to stop there. I'd like to create a honeypot of sorts; a chroot environment that looks and feels like the machine, and that allows the cracker to do everything he normally would want to from the shell. I'd like to log everything to another machine, and get the police in on it. My question is this: how far can I go while remaining legal? Is this entrapment? I really despise these kids - if you're going to hack my machines, at least show some prowess at it! They did, unfortunately, wipe the utmp and wtmp entries, remove themselves from all the logs, etc - so I don't really have too much to start from. The machine is running Redhat 3.0.3 (that's why they're my clients; I'm replacing that machine with an RH6.1 machine, hardened and optimized) with kernel 2.0.36. I'm thinking that I should reinstate the logins that the cracker added, chroot them to a look-alike filesystem, and track every step he takes. Any experts have any comments? Is this fully legal? Should I talk to the police now, or after I have the evidence? Anyone have any tips on removing the rootkit (non-obvious ones, I've got the rootkit sources and some experience with it)? Anything's welcome, Cheers, - Drew.
Current thread:
- Re: Cracked; rootkit - entrapment question?, (continued)
- Re: Cracked; rootkit - entrapment question? CL: Nelson, Jeff (Mar 02)
- Re: Cracked; rootkit - entrapment question? Jon Lewis (Mar 02)
- Re: Cracked; rootkit - entrapment question? Craig H. Rowland (Mar 02)
- Re: Cracked; rootkit - entrapment question? Granquist, Lamont (Mar 03)
- Re: Cracked; rootkit - entrapment question? 1Lt Rob Lee (Mar 07)
- Mail Server attack Joel Michael (Mar 07)
- Re: Mail Server attack Omachonu Ogali (Mar 08)
- Re: Mail Server attack Joel Michael (Mar 08)
- Re: Cracked; rootkit - entrapment question? Craig H. Rowland (Mar 09)
- Re: Cracked; rootkit - entrapment question? Seth Georgion (Mar 11)
- Re: Cracked; rootkit - entrapment question? CL: Nelson, Jeff (Mar 02)
- Re: Cracked; rootkit - entrapment question? Filip M. Gieszczykiewicz (Mar 03)