Honeypots mailing list archives

Re: what to do with a script kiddie

From: Damian Menscher <menscher () uiuc edu>
Date: Sat, 4 Jun 2005 12:23:32 -0500 (CDT)

On Sat, 4 Jun 2005, carnack wrote:

> I was operating my honeynet successfully over some days. I "catched" an intruder and monitored him closely for about 11 days. He was not very skilled, the term "script kiddy" fits the bill. I got some IPs of his compromised attack hosts and a lot of his passwords, for example his CSERVICE IRC password. I wonder what to do with that information now, as the intention of my study was my diploma thesis. Should I "snatch" his IRC channels and expose him? What have you done after getting such information? I am really interested in your experiences.

I had a similar experience, where I monitored an intruder for about two weeks. In my case, he was using my machine[1] to jump to other boxes, so I was able to capture plenty of information on passwords, DoS tactics, etc. I notified several sites that they'd been compromised (some didn't believe me, which was interesting). After tracing the intruder back to a dialup account in Australia, and chatting with him online (which provoked a DoS attack), I offered the information to the FBI. They didn't care, even after I pointed out that one of the websites he'd broken into may have contained credit card numbers. It's just not worth their time to track down kids in foreign countries.

One caution: it may be amusing to change his passwords so he loses access to his compromised machines, but doing so may actually be illegal (not that anyone would prosecute). So informing the admins is probably the best thing to do. Just be sure to do it using an outside channel (he might be reading their email).

[1] This wasn't really "my" machine, and it wasn't set up as a honeypot. It was a user's home machine that had been compromised, and could afford the downtime of not being reinstalled right away. Since it was on a relatively slow connection, it was only used as a jumping point, not for scanning, so it didn't pose a threat to the outside world to leave it online.

Damian Menscher
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <menscher () uiuc edu> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-