Re: Cracked; rootkit - entrapment question?

[dbrumley () RTFM STANFORD EDU (David Brumley)]

An easy way to avoid some of these constraints (I think..though I'm not a
lawyer) is to simply set up a rootable box.  We've set up old redhat 5.1
machines with every server imaginable in the past as a honeypot.  The box
was connected to a very slow hub, along with one other completely secure
(and hidden) system that simply did a tcpdump of all traffic going to the
redhat box. On the redhat 5.1 box we put up every warning banner
imaginable about traffic being monitored, no unauthorized users, etc on
every service and just waited for something to happen (AFAIK, the intruder
only needs to see the warning banner once, during initial penetration. If
they then set up their own daemon after reading the warning banner, I
don't think you need to put it up on their own daemon...at least that's my
read).

It's kinda like a sting, I guess....

cheers,
david

On Thu, 2 Mar 2000, 1Lt Rob Lee wrote:

> Call the FBI SOONER rather than LATER.
>
> You probably should get the FBI on it before you do any steps to monitor the
> SUBJECT.  There is a very thin line on what you can monitor.  The system
> administrators exception on security monitoring is just to ensure they can
> protect their systems from hacking.  As soon as you knowingly monitor a
> specific individual it is now a wiretap and you could be brought up on
> charges for doing so.  Sorry, this is true even if on your own network.
>
> There are three types of network monitors that could be implemented  if
> approved by the local Assistant US Attorney for your region for us by the
> FBI.
>
> 1.  Consensual Monitor:  This is a monitor that is limited to only being
> able to monitor on ports that are bannered.  If your SUBJECT has not seen a
> banner you cannot monitor from that port or IP.  You can only monitor on
> ports that do have banners for ANY IP incoming into that machine.  You can
> only monitor the SUBJECTs IP on ANY port ONLY if you can show that the
> SUBJECT has seen the banner at least once.
>
> 2.  TITLE 3 Wiretap:  This is the most difficult monitor to obtain.  Rarely
> happens.  No one likes it because it is so hard to accomplish.  It would
> take a minimum of two months for it to get through the legal process
> depending on the case.
>
> 3.  Network Trap and Trace:  This monitor only grabs the header information
> of each packet on the network.  It does NOT gather any of the data portion.
>
> These are the ONLY legal methods of monitoring currently approved.  And
> unfortunately, none of them can be done by you.
>
> My advice is to make a backup of the system before you cleaned it up.  Show
> monetary damage.  Time to clean it up.  Any files transferred or passwords
> sniffed?  Honestly, the best thing to do is to get in touch with the local
> FBI and have them tell you what to do.  They are getting a lot better at
> criminal cases against hackers.
>
> Anything you do on your own could get you brought up on charges yourself.
> Be VERY careful.
>
> I would need to know more info on the rootkit to help you with that.  There
> are so many types and it is hard to say what to do in each case.  I
> typically recommend a fresh install and to copy over your data when that is
> done.  There are too many ways to keep backdoors in a system that you could
> never find.
>
> Hope this helps you....
>
> Rob Lee
>
> ____________________________________________________
> Rob T. Lee, 1LT, USAF
> Chief, Intrusion and Monitoring Team
> Air Force Office of Special Investigations
> Email:           leer2 () ogn af mil
> ____________________________________________________
>
>
> > -----Original Message-----
> > From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
> > Behalf Of Drew Smith
> > Sent: Wednesday, March 01, 2000 1:24 PM
> > To: INCIDENTS () SECURITYFOCUS COM
> > Subject: Cracked; rootkit - entrapment question?
> >
> >
> >     Hey all,
> >
> >     One of my clients had a cracker gain root on the webserver
> > last night.
> >
> >     The cracker installed what appears to be Linux Rootkit 4, and I'm
> > diligently removing all of the binaries as we speak - but I'm not really
> > willing to stop there.
> >
> >     I'd like to create a honeypot of sorts; a chroot
> > environment that looks
> > and feels like the machine, and that allows the cracker to do everything
> > he normally would want to from the shell.  I'd like to log everything to
> > another machine, and get the police in on it.
> >
> >     My question is this:  how far can I go while remaining
> > legal?  Is this
> > entrapment?  I really despise these kids - if you're going to hack my
> > machines, at least show some prowess at it!  They did, unfortunately,
> > wipe the utmp and wtmp entries, remove themselves from all the logs, etc
> > - so I don't really have too much to start from.
> >
> >     The machine is running Redhat 3.0.3 (that's why they're my
> > clients; I'm
> > replacing that machine with an RH6.1 machine, hardened and optimized)
> > with kernel 2.0.36.  I'm thinking that I should reinstate the logins
> > that the cracker added, chroot them to a look-alike filesystem, and
> > track every step he takes.
> >
> >     Any experts have any comments?  Is this fully legal?
> > Should I talk to
> > the police now, or after I have the evidence?  Anyone have any tips on
> > removing the rootkit (non-obvious ones, I've got the rootkit sources and
> > some experience with it)?
> >
> >     Anything's welcome,
> >
> >     Cheers,
> >     - Drew.

--
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley () Stanford EDU
Phone: +1-650-723-2445    WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121    PGP: finger dbrumley-pgp () sunset Stanford EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
  Securing NT.  Insert Linux boot disk to continue......
            "I have opinions, my employer does not."