Security Incidents mailing list archives

Re: Cracked; rootkit - entrapment question?


From: jlewis () LEWIS ORG (Jon Lewis)
Date: Fri, 3 Mar 2000 00:29:10 -0500


On Wed, 1 Mar 2000, Drew Smith wrote:

      I'd like to create a honeypot of sorts; a chroot environment that looks
and feels like the machine, and that allows the cracker to do everything
he normally would want to from the shell.  I'd like to log everything to
another machine, and get the police in on it.

It's probably not worth the effort.  Unless the hacker is local to your
area, the local police can't do much about it.  If you and he
are both "somewhere" in the US, then you probably want to be talking to the
FBI...but they won't investigate unless the United States Attorney's
office says to.  They won't likely give the go ahead unless there has
already been a certain dollar amount of damage done.  IIRC, it's $10,000.

Breaking into and operating from your "honey pot" system is illegal...but
where's the damage?  If you want to do this just so you can start tracking
the hacker, then it may be worth setting something up.  You probably don't
need to run it very long though.  The ones I've encountered generally
install the same backdoors, so once you know what they are and where they
hacked you from, you can use their backdoors to track them through a few
systems until you know where they're coming from.

Unless you already can show sufficient damage to get the interest of the
FBI and AUSA, then all this work will likely be pointless.  If you do find
other systems cracked by the same person, you might be able to get
together with all the owners of the hacked systems and show a combined
total of X dollars damage and get the FBI's and AUSA's attention.  You may
find that some are out of the country (FBI won't/can't talk to them), some
don't really care, and some don't want to publicly admit they were hacked
and won't be interested in prosecution.

If you and the hacker are in different countries, I have no idea what if
any legal action you can pursue.

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  Spammers will be winnuked or
 System Administrator        |  nestea'd...whatever it takes
 Atlantic Net                |  to get the job done.
_________http://www.lewis.org/~jlewis/pgp for PGP public key__________