Subject: Re: Cracked; rootkit - entrapment question?
From: Simple Nomad (thegnome@NMRC.ORG)
Date: Thu Mar 02 2000 - 09:53:32 CST
- Next message: Rob Quinn: "Complaining to providers (was: home: Is *anyone* really home there???)"
- Previous message: Paul L Schmehl: "Re: unknown port numbers"
- Next in thread: Lison, Nathan: "Re: Cracked; rootkit - entrapment question?"
- Maybe reply: Simple Nomad: "Re: Cracked; rootkit - entrapment question?"
On Wed, 1 Mar 2000, Drew Smith wrote:
> Hey all,
>
> One of my clients had a cracker gain root on the webserver last night.
>
> The cracker installed what appears to be Linux Rootkit 4, and I'm
> diligently removing all of the binaries as we speak - but I'm not really
> willing to stop there.
>
> I'd like to create a honeypot of sorts; a chroot environment that looks
> and feels like the machine, and that allows the cracker to do everything
> he normally would want to from the shell. I'd like to log everything to
> another machine, and get the police in on it.
>
> My question is this: how far can I go while remaining legal? Is this
> entrapment? I really despise these kids - if you're going to hack my
> machines, at least show some prowess at it! They did, unfortunately,
> wipe the utmp and wtmp entries, remove themselves from all the logs, etc
> - so I don't really have too much to start from.
>
> The machine is running Redhat 3.0.3 (that's why they're my clients; I'm
> replacing that machine with an RH6.1 machine, hardened and optimized)
> with kernel 2.0.36. I'm thinking that I should reinstate the logins
> that the cracker added, chroot them to a look-alike filesystem, and
> track every step he takes.
>
> Any experts have any comments? Is this fully legal? Should I talk to
> the police now, or after I have the evidence? Anyone have any tips on
> removing the rootkit (non-obvious ones, I've got the rootkit sources and
> some experience with it)?
As a former Fortune 500 security administrator, whenever we would get a
request for a honeypot, we'd shoot it down. There was always something
else that needed attention, and you could get more "bang for your buck" by
spending time on other things. This was besides the possible legal issues.

If you reinstate the logins that the cracker added, you have essentially
said 1) further access is invited, thereby giving the cracker's attorneys
some excellent reasons to say they were welcomed, and 2) the fact that you
reinstated them might give reason to suggest that the first intrusion was
welcomed. I am not an attorney, but I certainly would consider those
points. Attorneys at former employers pointed these things out to me.

All you can do is hope that you can gain enough information from the
honeypot to validate any existing forensic data you have collected. The
honeypot data itself cannot be considered actual intrusion data. And if
they break out of your chrooted environment and rm you, forget it. You
invited them in, and a good defense attorney would use that against you.

Normal crime prevention techniques for car theft, for example, state that
you should try and make your car less vulnerable than someone else's car:
don't leave the keys in, lock the doors, use a car alarm, etc. And
certainly leave the investigations and sting operations up to professional
law enforcement. However, due to the ownership mentality that is probably
due to the immediacy and customizability of the personal computer, sys
admins have a sense of ownership that suggests they can 1) conduct their
own investigations, 2) successfully maintain a safe legal standpoint
during their investigation, and 3) expect that the police/DA will happily
assume all evidence presented has not been tainted and is legally
admissible in court.

If you are going to pursue it, involve the police before you do anything,
but expect them to not participate (at least to your level of
satisfaction) due to case workload, lack of computer expertise, low
monetary loss, and (as it sounds in your case) lack of existing hard
evidence pointing to the intruder.
- Simple Nomad - No rest for the Wicca'd -
- thegnome@nmrc.org - www.nmrc.org -
- thegnome@razor.bindview.com - razor.bindview.com -