Security Incidents mailing list archives

Re: Cracked; rootkit - entrapment question?

From: Nathan.Lison () FORTJAMESMAIL COM (Lison, Nathan)
Date: Thu, 2 Mar 2000 10:59:10 -0500


I really don't think the police would do anything about this incident
anyway.  Thousands of hacks are preformed each day and the attackers rarely
get busted.  If they didn't destroy your system I don't see what is wrong,
it is there  way of showing you that you need to secure your system.  Maybe
try a differant distro of linux.

Nate Lison
nathan.lison () fortjamesmail com

-----Original Message-----
From: Drew Smith [mailto:drew () PCTC COM]
Sent: Wednesday, March 01, 2000 12:24 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Cracked; rootkit - entrapment question?

        Hey all,

        One of my clients had a cracker gain root on the webserver last
night.

        The cracker installed what appears to be Linux Rootkit 4, and I'm
diligently removing all of the binaries as we speak - but I'm not really
willing to stop there.

        I'd like to create a honeypot of sorts; a chroot environment that
looks
and feels like the machine, and that allows the cracker to do everything
he normally would want to from the shell.  I'd like to log everything to
another machine, and get the police in on it.

        My question is this:  how far can I go while remaining legal?  Is
this
entrapment?  I really despise these kids - if you're going to hack my
machines, at least show some prowess at it!  They did, unfortunately,
wipe the utmp and wtmp entries, remove themselves from all the logs, etc
- so I don't really have too much to start from.

        The machine is running Redhat 3.0.3 (that's why they're my clients;
I'm
replacing that machine with an RH6.1 machine, hardened and optimized)
with kernel 2.0.36.  I'm thinking that I should reinstate the logins
that the cracker added, chroot them to a look-alike filesystem, and
track every step he takes.

        Any experts have any comments?  Is this fully legal?  Should I talk
to
the police now, or after I have the evidence?  Anyone have any tips on
removing the rootkit (non-obvious ones, I've got the rootkit sources and
some experience with it)?

        Anything's welcome,

        Cheers,
        - Drew.

Current thread:

Re: Cracked; rootkit - entrapment question?, (continued)
- Re: Cracked; rootkit - entrapment question? CL: Nelson, Jeff (Mar 02)
  - Re: Cracked; rootkit - entrapment question? Jon Lewis (Mar 02)
  - Re: Cracked; rootkit - entrapment question? Craig H. Rowland (Mar 02)
    - Re: Cracked; rootkit - entrapment question? Granquist, Lamont (Mar 03)
    - Re: Cracked; rootkit - entrapment question? 1Lt Rob Lee (Mar 07)
    - Mail Server attack Joel Michael (Mar 07)
    - Re: Mail Server attack Omachonu Ogali (Mar 08)
    - Re: Mail Server attack Joel Michael (Mar 08)
    - Re: Cracked; rootkit - entrapment question? Craig H. Rowland (Mar 09)
    - Re: Cracked; rootkit - entrapment question? Seth Georgion (Mar 11)
- Re: Cracked; rootkit - entrapment question? Lison, Nathan (Mar 02)
- Re: Cracked; rootkit - entrapment question? Adam Pendleton (Mar 02)
- Re: Cracked; rootkit - entrapment question? Jason Lewis (Mar 02)
- Re: Cracked; rootkit - entrapment question? Roy Wilson (Mar 02)
  - Re: Cracked; rootkit - entrapment question? Filip M. Gieszczykiewicz (Mar 03)
- Re: Cracked; rootkit - entrapment question? Chuck Phillips (Mar 03)
- Re: Cracked; rootkit - entrapment question? Chuck Phillips (Mar 03)
- Re: Cracked; rootkit - entrapment question? Lison, Nathan (Mar 03)
- Re: Cracked; rootkit - entrapment question? Chuck Phillips (Mar 04)
- Re: Cracked; rootkit - entrapment question? Hal Lockhart (Mar 15)
- Re: Cracked; rootkit - entrapment question? Bob (Mar 15)

(Thread continues...)