Honeypots mailing list archives

RE: what to do with a script kiddie


From: "Hamish Stanaway" <koremeltdown () hotmail com>
Date: Sat, 04 Jun 2005 18:45:10 +0000

Hi everyone,

I have my own opinion on this matter, along with forthcoming advice.
Personally, I think it would be an extremely dangerous action to join him on IRC - having been in the hot seat some time ago and now experiencing life from the security world, I know only too well how powerful an information gathering tool an established IRC session can be to someone that has "muscle" on an IRC server. You will frequently find that these "hackers" and even the "script kiddies" know the admins on the servers, so speaking with him is a very dangerous and in my opinion stupid thing to do - you already know what he has done, and that it is illegal (hacking IS a crime in most developed countries) - it doesn't matter why anymore. Also, keep in mind that any machine he bounces through has its own country's set of laws he is breaking. If I was to bounce through 5 countries' machines that I had hacked, and ALL considered hacking illegal, I would have broken the law in 5 countries - not just in my own and in the intended recipient's country.

Your best bet is to contact your local law enforcement agency (in person, not over the phone - being in person makes you a lot more credible) and let them know that you have a "hacker" actively bouncing through your machine and ask them if they wish to monitor his activities also to make an easy prosecution - most legal agencies will jump over this like crazy. Also, bringing in some printed out documents of his activities etc. will get them interested. Don't give them all the information (e.g. the passwords) up front or they may think they have the case sewn up and just go after him freelance, in which case they may have less of a chance than if they did monitor him with you. Also, make sure you are talking to someone higher up the food chain... Refuse to talk details with the person at the customer services counter... BOOK AN APPOINTMENT with someone up high, that way you are more likely to have your case solved.
The minute you let him know you are there he will act on extremes, either attacking you, or running so far you will never get another shot at him - trust me, I've been there. So if you wish to get this guy stopped (I would suggest this is the best thing, this guy won't stop unless he is stopped) then this is how I would go about it. Oh, and remember, any client in the USA whom he has hacked through your friend's box and is using to attack another is liable for prosecution should a company act on the scanning / attacks, so act fast - the last thing you need is to have not so nice calls when all you were trying to do was take one bad guy off the block.
Good luck catching this guy, nail him!


Kindest of regards,

Hamish Stanaway, CEO

Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
Auckland, New Zealand

http://www.webhosting.net.nz
http://www.buywebhosting.co.nz
http://www.koreworks.com




From: carnack <carnack () gmx net>
To: honeypots () securityfocus com
Subject: what to do with a script kiddie
Date: Sat, 4 Jun 2005 10:44:33 +0200

Hi,
I was operating my honeynet successfully over some days. I "catched" an intruder and monitored him closely for about 11 days. He was not very skilled, the term "script kiddie" fits the bill. I got some IPs of his compromised attack hosts and a lot of his passwords, for example his CSERVICE IRC password. I wonder what to do with that information now, as the intention of my study was my diploma thesis. Should I "snatch" his IRC channels and expose him? What have you done after getting such information? I am really interested in your experiences.
Yours,
Christian

P.S. roo is a breeze!
