Security Incidents mailing list archives
Re: Cracked; rootkit - entrapment question?
From: leer2 () OGN AF MIL (1Lt Rob Lee)
Date: Thu, 2 Mar 2000 08:56:40 -0500
Call the FBI SOONER rather than LATER. You probably should get the FBI on it before you do any steps to monitor the SUBJECT. There is a very thin line on what you can monitor. The system administrators exception on security monitoring is just to ensure they can protect their systems from hacking. As soon as you knowingly monitor a specific individual it is now a wiretap and you could be brought up on charges for doing so. Sorry, this is true even if on your own network. There are three types of network monitors that could be implemented if approved by the local Assistant US Attorney for your region for us by the FBI. 1. Consensual Monitor: This is a monitor that is limited to only being able to monitor on ports that are bannered. If your SUBJECT has not seen a banner you cannot monitor from that port or IP. You can only monitor on ports that do have banners for ANY IP incoming into that machine. You can only monitor the SUBJECTs IP on ANY port ONLY if you can show that the SUBJECT has seen the banner at least once. 2. TITLE 3 Wiretap: This is the most difficult monitor to obtain. Rarely happens. No one likes it because it is so hard to accomplish. It would take a minimum of two months for it to get through the legal process depending on the case. 3. Network Trap and Trace: This monitor only grabs the header information of each packet on the network. It does NOT gather any of the data portion. These are the ONLY legal methods of monitoring currently approved. And unfortunately, none of them can be done by you. My advice is to make a backup of the system before you cleaned it up. Show monetary damage. Time to clean it up. Any files transferred or passwords sniffed? Honestly, the best thing to do is to get in touch with the local FBI and have them tell you what to do. They are getting a lot better at criminal cases against hackers. Anything you do on your own could get you brought up on charges yourself. Be VERY careful. I would need to know more info on the rootkit to help you with that. There are so many types and it is hard to say what to do in each case. I typically recommend a fresh install and to copy over your data when that is done. There are too many ways to keep backdoors in a system that you could never find. Hope this helps you.... Rob Lee ____________________________________________________ Rob T. Lee, 1LT, USAF Chief, Intrusion and Monitoring Team Air Force Office of Special Investigations Email: leer2 () ogn af mil ____________________________________________________
-----Original Message----- From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On Behalf Of Drew Smith Sent: Wednesday, March 01, 2000 1:24 PM To: INCIDENTS () SECURITYFOCUS COM Subject: Cracked; rootkit - entrapment question? Hey all, One of my clients had a cracker gain root on the webserver last night. The cracker installed what appears to be Linux Rootkit 4, and I'm diligently removing all of the binaries as we speak - but I'm not really willing to stop there. I'd like to create a honeypot of sorts; a chroot environment that looks and feels like the machine, and that allows the cracker to do everything he normally would want to from the shell. I'd like to log everything to another machine, and get the police in on it. My question is this: how far can I go while remaining legal? Is this entrapment? I really despise these kids - if you're going to hack my machines, at least show some prowess at it! They did, unfortunately, wipe the utmp and wtmp entries, remove themselves from all the logs, etc - so I don't really have too much to start from. The machine is running Redhat 3.0.3 (that's why they're my clients; I'm replacing that machine with an RH6.1 machine, hardened and optimized) with kernel 2.0.36. I'm thinking that I should reinstate the logins that the cracker added, chroot them to a look-alike filesystem, and track every step he takes. Any experts have any comments? Is this fully legal? Should I talk to the police now, or after I have the evidence? Anyone have any tips on removing the rootkit (non-obvious ones, I've got the rootkit sources and some experience with it)? Anything's welcome, Cheers, - Drew.
Current thread:
- Cracked; rootkit - entrapment question? Drew Smith (Mar 01)
- Re: Cracked; rootkit - entrapment question? Robert Graham (Mar 02)
- Re: Cracked; rootkit - entrapment question? Ron Gula (Mar 02)
- Re: Cracked; rootkit - entrapment question? Jason Spence (Mar 02)
- Re: Cracked; rootkit - entrapment question? Paul Flores (Mar 02)
- getting to the point with DDoS thomas lakofski (Mar 02)
- Re: getting to the point with DDoS Ryan Russell (Mar 05)
- Re: getting to the point with DDoS thomas lakofski (Mar 07)
- Re: Cracked; rootkit - entrapment question? 1Lt Rob Lee (Mar 02)
- E-mail attatchment xum mux (Mar 02)
- Re: Cracked; rootkit - entrapment question? Ryan Russell (Mar 02)
- Re: Cracked; rootkit - entrapment question? David Brumley (Mar 02)
- Re: Cracked; rootkit - entrapment question? Lance Spitzner (Mar 02)
- Re: Cracked; rootkit - entrapment question? Paul L Schmehl (Mar 02)
- Re: Cracked; rootkit - entrapment question? Mike Fratto (Mar 02)
- Re: Cracked; rootkit - entrapment question? Simple Nomad (Mar 02)
- Re: Cracked; rootkit - entrapment question? Dave Dittrich (Mar 02)
- Re: Cracked; rootkit - entrapment question? Jon Lewis (Mar 02)
- <Possible follow-ups>
- Re: Cracked; rootkit - entrapment question? rain forest puppy (Mar 02)