Subject: Re: Cracked; rootkit - entrapment question?
From: Paul L Schmehl (paulsUTDALLAS.EDU)
Date: Thu Mar 02 2000 - 09:43:43 CST


IANAL, but how can it be entrapment? He has to break into the machine
before he gets tracked and logged. Even if you have a machine that's
grossly misconfigured and wide open to hacking, that doesn't justify people
hacking it.

I say set it up, and let the script kiddie indict himself.

--On 3/1/00, 10:23 AM -0800 Drew Smith <drewPCTC.COM> wrote:

> Hey all,
>
> One of my clients had a cracker gain root on the webserver last night.
>
> The cracker installed what appears to be Linux Rootkit 4, and I'm
> diligently removing all of the binaries as we speak - but I'm not really
> willing to stop there.
>
> I'd like to create a honeypot of sorts; a chroot environment that looks
> and feels like the machine, and that allows the cracker to do everything
> he normally would want to from the shell. I'd like to log everything to
> another machine, and get the police in on it.
>
> My question is this: how far can I go while remaining legal? Is this
> entrapment? I really despise these kids - if you're going to hack my
> machines, at least show some prowess at it! They did, unfortunately,
> wipe the utmp and wtmp entries, remove themselves from all the logs, etc
> - so I don't really have too much to start from.
>
> The machine is running Redhat 3.0.3 (that's why they're my clients; I'm
> replacing that machine with an RH6.1 machine, hardened and optimized)
> with kernel 2.0.36. I'm thinking that I should reinstate the logins
> that the cracker added, chroot them to a look-alike filesystem, and
> track every step he takes.
>
> Any experts have any comments? Is this fully legal? Should I talk to
> the police now, or after I have the evidence? Anyone have any tips on
> removing the rootkit (non-obvious ones, I've got the rootkit sources and
> some experience with it)?
>
> Anything's welcome,
>
> Cheers,
> - Drew.

Paul L. Schmehl, paulsutdallas.edu
Technical Support Services Manager
The University of Texas at Dallas