Security Incidents mailing list archives
Re: Cracked; rootkit - entrapment question?
From: APendleton () VGSINC COM (Adam Pendleton)
Date: Thu, 2 Mar 2000 14:14:56 -0500
Just a note on this.... There's a section in Cheswick-Bellovin that addresses this very question. They cite two cases that could lead to lawsuits against people using "honeypot" systems. It could be viewed as "knowingly harboring a wild and dangerous beast." Cited cases are "Cowden v. Bear Country, Inc., 382 F. Supp. 1321 (D.S.D. 1974)" and "Rylands v. Fletcher, [1865] 3 H.&C. 774, 159 Eng. Rep. 737". While I don't disagree with honeypot systems, and allegedly used a few myself, check with your lawyers first.

Adam H. Pendleton
Security Engineer
VGS, Inc.
Fairfax, Virginia

Si hoc legere scis nimium eruditionis habes.

-----Original Message-----
From: Paul L Schmehl [mailto:pauls () UTDALLAS EDU]
Sent: Thursday, March 02, 2000 10:44 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Cracked; rootkit - entrapment question?

IANAL, but how can it be entrapment? He has to break in to the machine before he gets tracked and logged. Even if you have a machine that's grossly misconfigured and wide open to hacking, that doesn't justify people hacking it. I say set it up, and let the script kiddie indict himself.

--On 3/1/00, 10:23 AM -0800 Drew Smith <drew () PCTC COM> wrote:
Hey all,

One of my clients had a cracker gain root on the webserver last night. The cracker installed what appears to be Linux Rootkit 4, and I'm diligently removing all of the binaries as we speak - but I'm not really willing to stop there. I'd like to create a honeypot of sorts; a chroot environment that looks and feels like the machine, and that allows the cracker to do everything he normally would want to from the shell. I'd like to log everything to another machine, and get the police in on it.

My question is this: how far can I go while remaining legal? Is this entrapment? I really despise these kids - if you're going to hack my machines, at least show some prowess at it! They did, unfortunately, wipe the utmp and wtmp entries, remove themselves from all the logs, etc - so I don't really have too much to start from.

The machine is running Redhat 3.0.3 (that's why they're my clients; I'm replacing that machine with an RH6.1 machine, hardened and optimized) with kernel 2.0.36. I'm thinking that I should reinstate the logins that the cracker added, chroot them to a look-alike filesystem, and track every step he takes.

Any experts have any comments? Is this fully legal? Should I talk to the police now, or after I have the evidence? Anyone have any tips on removing the rootkit (non-obvious ones, I've got the rootkit sources and some experience with it)?

Anything's welcome,

Cheers,
- Drew.
Paul L. Schmehl, pauls () utdallas edu
Technical Support Services Manager
The University of Texas at Dallas