Security Incidents mailing list archives

Re: Cracked; rootkit - entrapment question?

From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Thu, 2 Mar 2000 00:10:44 -0800


This is an old question. Entrapment laws change from state to state in the
U.S., but all of them are pretty consistent. Entrapment is encouraging
someone to behave in a way that they would not otherwise behave. Mearly
affording somebody the opportunity to commit a crime is not entrapment. In
any case, private citizens cannot entrap: only law enforcement agencies.

There is more on this topic at:
http://www.robertgraham.com/pubs/network-intrusion-detection.html#11.10.1

Regards,
Robert Graham

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On
Behalf Of Drew Smith
Sent: Wednesday, March 01, 2000 10:24 AM
To: INCIDENTS () securityfocus com
Subject: Cracked; rootkit - entrapment question?

        Hey all,

        One of my clients had a cracker gain root on the webserver last night.

        The cracker installed what appears to be Linux Rootkit 4, and I'm
diligently removing all of the binaries as we speak - but I'm not really
willing to stop there.

        I'd like to create a honeypot of sorts; a chroot environment that looks
and feels like the machine, and that allows the cracker to do everything
he normally would want to from the shell.  I'd like to log everything to
another machine, and get the police in on it.

        My question is this:  how far can I go while remaining legal?  Is this
entrapment?  I really despise these kids - if you're going to hack my
machines, at least show some prowess at it!  They did, unfortunately,
wipe the utmp and wtmp entries, remove themselves from all the logs, etc
- so I don't really have too much to start from.

        The machine is running Redhat 3.0.3 (that's why they're my clients; I'm
replacing that machine with an RH6.1 machine, hardened and optimized)
with kernel 2.0.36.  I'm thinking that I should reinstate the logins
that the cracker added, chroot them to a look-alike filesystem, and
track every step he takes.

        Any experts have any comments?  Is this fully legal?  Should I talk to
the police now, or after I have the evidence?  Anyone have any tips on
removing the rootkit (non-obvious ones, I've got the rootkit sources and
some experience with it)?

        Anything's welcome,

        Cheers,
        - Drew.

Current thread:

Cracked; rootkit - entrapment question? Drew Smith (Mar 01)
- Re: Cracked; rootkit - entrapment question? Robert Graham (Mar 02)
- Re: Cracked; rootkit - entrapment question? Ron Gula (Mar 02)
- Re: Cracked; rootkit - entrapment question? Jason Spence (Mar 02)
  - Re: Cracked; rootkit - entrapment question? Paul Flores (Mar 02)
  - getting to the point with DDoS thomas lakofski (Mar 02)
    - Re: getting to the point with DDoS Ryan Russell (Mar 05)
    - Re: getting to the point with DDoS thomas lakofski (Mar 07)
- Re: Cracked; rootkit - entrapment question? 1Lt Rob Lee (Mar 02)
  - E-mail attatchment xum mux (Mar 02)
  - Re: Cracked; rootkit - entrapment question? Ryan Russell (Mar 02)
  - Re: Cracked; rootkit - entrapment question? David Brumley (Mar 02)

(Thread continues...)