Security Incidents mailing list archives

Re: Cracked; rootkit - entrapment question?


From: dbrumley () RTFM STANFORD EDU (David Brumley)
Date: Thu, 2 Mar 2000 14:48:05 -0800


An easy way to avoid some of these constraints (I think, though I'm not a
lawyer) is to simply set up a rootable box.  We've set up old redhat 5.1
machines with every server imaginable in the past as a honeypot.  The box
was connected to a very slow hub, along with one other completely secure
(and hidden) system that simply did a tcpdump of all traffic going to the
redhat box. On the redhat 5.1 box we put up every warning banner
imaginable about traffic being monitored, no unauthorized users, etc on
every service and just waited for something to happen (AFAIK, the intruder
only needs to see the warning banner once, during initial penetration. If
they then set up their own daemon after reading the warning banner, I
don't think you need to put it up on their own daemon...at least that's my
read).

It's kinda like a sting, I guess....

cheers,
david

On Thu, 2 Mar 2000, 1Lt Rob Lee wrote:

Call the FBI SOONER rather than LATER.

You probably should get the FBI on it before you do any steps to monitor the
SUBJECT.  There is a very thin line on what you can monitor.  The system
administrators exception on security monitoring is just to ensure they can
protect their systems from hacking.  As soon as you knowingly monitor a
specific individual it is now a wiretap and you could be brought up on
charges for doing so.  Sorry, this is true even if on your own network.

There are three types of network monitors that could be implemented, if
approved by the local Assistant US Attorney for your region, for use by the
FBI.

1.  Consensual Monitor:  This is a monitor that is limited to only being
able to monitor on ports that are bannered.  If your SUBJECT has not seen a
banner you cannot monitor from that port or IP.  You can only monitor on
ports that do have banners for ANY IP incoming into that machine.  You can
only monitor the SUBJECT's IP on ANY port ONLY if you can show that the
SUBJECT has seen the banner at least once.

2.  TITLE 3 Wiretap:  This is the most difficult monitor to obtain.  Rarely
happens.  No one likes it because it is so hard to accomplish.  It would
take a minimum of two months for it to get through the legal process
depending on the case.

3.  Network Trap and Trace:  This monitor only grabs the header information
of each packet on the network.  It does NOT gather any of the data portion.

These are the ONLY legal methods of monitoring currently approved.  And
unfortunately, none of them can be done by you.

My advice is to make a backup of the system before you clean it up.  Show
monetary damage.  Time to clean it up.  Any files transferred or passwords
sniffed?  Honestly, the best thing to do is to get in touch with the local
FBI and have them tell you what to do.  They are getting a lot better at
criminal cases against hackers.

Anything you do on your own could get you brought up on charges yourself.
Be VERY careful.

I would need to know more info on the rootkit to help you with that.  There
are so many types and it is hard to say what to do in each case.  I
typically recommend a fresh install and to copy over your data when that is
done.  There are too many ways to keep backdoors in a system that you could
never find.

Hope this helps you....

Rob Lee

____________________________________________________
Rob T. Lee, 1LT, USAF
Chief, Intrusion and Monitoring Team
Air Force Office of Special Investigations
Email:           leer2 () ogn af mil
____________________________________________________


-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Drew Smith
Sent: Wednesday, March 01, 2000 1:24 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Cracked; rootkit - entrapment question?


    Hey all,

    One of my clients had a cracker gain root on the webserver
last night.

    The cracker installed what appears to be Linux Rootkit 4, and I'm
diligently removing all of the binaries as we speak - but I'm not really
willing to stop there.

    I'd like to create a honeypot of sorts; a chroot environment that looks
and feels like the machine, and that allows the cracker to do everything
he normally would want to from the shell.  I'd like to log everything to
another machine, and get the police in on it.

    My question is this:  how far can I go while remaining legal?  Is this
entrapment?  I really despise these kids - if you're going to hack my
machines, at least show some prowess at it!  They did, unfortunately,
wipe the utmp and wtmp entries, remove themselves from all the logs, etc
- so I don't really have too much to start from.

    The machine is running Redhat 3.0.3 (that's why they're my clients; I'm
replacing that machine with an RH6.1 machine, hardened and optimized)
with kernel 2.0.36.  I'm thinking that I should reinstate the logins
that the cracker added, chroot them to a look-alike filesystem, and
track every step he takes.

    Any experts have any comments?  Is this fully legal?  Should I talk to
the police now, or after I have the evidence?  Anyone have any tips on
removing the rootkit (non-obvious ones, I've got the rootkit sources and
some experience with it)?

    Anything's welcome,

    Cheers,
    - Drew.


--
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley () Stanford EDU
Phone: +1-650-723-2445    WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121    PGP: finger dbrumley-pgp () sunset Stanford EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
  Securing NT.  Insert Linux boot disk to continue......
            "I have opinions, my employer does not."
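As an added example (not code from any of the posters above): a defender-side check for the banner point both David and Rob raise, confirming that every listening service on the honeypot actually greets a client with the monitoring notice before anyone relies on it. The host, ports, required phrases and the loopback stub services are assumptions constructed for the demo.

```python
import socket
import threading

REQUIRED_PHRASES = ("monitored", "unauthorized")  # constructed wording; use your own banner text

def banner_has_warning(banner: bytes, phrases=REQUIRED_PHRASES) -> bool:
    """True when the greeting is non-empty and contains every required phrase."""
    text = banner.decode("utf-8", errors="replace").lower()
    return bool(banner) and all(p.lower() in text for p in phrases)

def read_banner(host, port, timeout=3.0) -> bytes:
    """Return what the service sends before the client speaks (b'' on refusal or silence).
    Protocols where the client talks first (HTTP) show up as unbannered and need a protocol-specific probe."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            while len(data) < 4096:
                try:
                    chunk = s.recv(1024)
                except socket.timeout:
                    break
                if not chunk:
                    break
                data += chunk
            return data
    except OSError:
        return b""

def audit_banners(host, ports, phrases=REQUIRED_PHRASES) -> dict:
    """Map each port to True (notice shown) or False (missing, silent or closed)."""
    return {p: banner_has_warning(read_banner(host, p), phrases) for p in ports}

def start_stub_service(greeting: bytes) -> int:
    """Loopback stand-in for a daemon (demo only): serve one client, return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve_once():
        conn, _ = srv.accept()
        conn.sendall(greeting)
        conn.close()
        srv.close()
    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Constructed demo: one service shows the notice, one greets without it.
    good = start_stub_service(b"220 This system is monitored. Unauthorized use is prohibited.\r\n")
    bad = start_stub_service(b"login: ")
    print(audit_banners("127.0.0.1", [good, bad]))  # True for the first port, False for the second
```

A port reported False is not necessarily unbannered; it may simply be a client-speaks-first protocol, so check those by hand before treating the result as a compliance finding.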