Honeypots mailing list archives

Re: what to do with a script kiddie


From: Lance Spitzner <lance () honeynet org>
Date: Sat, 4 Jun 2005 12:30:54 -0500


On Jun 4, 2005, at 11:05, Stejerean, Cosmin wrote:

> You should join his IRC channels and try to have a conversation with the
> guy, see where it goes.

Be careful before following such advice; I suggest you consider the following.

- Legal: You want to understand and be sure you are adhering to the legal guidelines of your country and organization. These are different around the world. A good starting point is the legal chapter in the "Know Your Enemy: 2nd Edition", which you can find online for free at http://www.honeynet.org/book/.

- Ethical: The second issue is one of ethics. The Honeynet Research Alliance is in the process of reviewing and better documenting these issues in their charter, which you can find online now at http://www.honeynet.org/alliance/charter.txt. The suggestion above would most likely violate current ethical guidelines.

Last, if you identify systems compromised or collect malware during your research, my recommendation is to forward that information to your local CERT and CM-CERT at http://www.cert.org. This way your research benefits the entire community.

lance

I was operating my honeynet successfully over some days. I "caught"
an intruder and monitored him closely for about 11 days. He was not
very skilled; the term "script kiddie" fits the bill. I got some IPs of
his compromised attack hosts and a lot of his passwords, for example his
CSERVICE IRC password. I wonder what to do with that information now,
as the intention of my study was my diploma thesis. Should I "snatch"
his IRC channels and expose him? What have you done after getting such
information? I am really interested in your experiences.
yours
Christian

