Security Incidents mailing list archives
Re: Cracked; rootkit - entrapment question?
From: jlewis () LEWIS ORG (Jon Lewis)
Date: Fri, 3 Mar 2000 00:29:10 -0500
On Wed, 1 Mar 2000, Drew Smith wrote:
> I'd like to create a honeypot of sorts; a chroot environment that looks and feels like the machine, and that allows the cracker to do everything he normally would want to from the shell. I'd like to log everything to another machine, and get the police in on it.
It's probably not worth the effort. Unless the hacker is local to your area, the local police can't do much about it. If you and he are both "somewhere" in the US, then you probably want to talk to the FBI...but they won't investigate unless the United States Attorney's office says to. They won't likely give the go ahead unless there has already been a certain dollar amount of damage done. IIRC, it's $10,000. Breaking into and operating from your "honey pot" system is illegal...but where's the damage?

If you want to do this just so you can start tracking the hacker, then it may be worth setting something up. You probably don't need to run it very long though. The ones I've encountered generally install the same backdoors, so once you know what they are and where they hacked you from, you can use their backdoors to track them through a few systems until you know where they're coming from.

Unless you already can show sufficient damage to get the interest of the FBI and AUSA, then all this work will likely be pointless. If you do find other systems cracked by the same person, you might be able to get together with all the owners of the hacked systems and show a combined total of X dollars damage and get the FBI's and AUSA's attention. You may find that some are out of the country (FBI won't/can't talk to them), some don't really care, and some don't want to publicly admit they were hacked and won't be interested in prosecution.

If you and the hacker are in different countries, I have no idea what if any legal action you can pursue.

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  Spammers will be winnuked or
 System Administrator        |  nestea'd...whatever it takes
 Atlantic Net                |  to get the job done.
_________http://www.lewis.org/~jlewis/pgp for PGP public key__________