Subject: Re: Cracked; rootkit - entrapment question?
From: Lison, Nathan (Nathan.Lison@FORTJAMESMAIL.COM)
Date: Thu Mar 02 2000 - 09:59:10 CST
- Next message: Roy Wilson: "Re: Cracked; rootkit - entrapment question?"
- Previous message: Kovacs Andrei: "Re: unknown port numbers"
- Next in thread: Roy Wilson: "Re: Cracked; rootkit - entrapment question?"
- Maybe reply: Lison, Nathan: "Re: Cracked; rootkit - entrapment question?"
I really don't think the police would do anything about this incident
anyway. Thousands of hacks are performed each day and the attackers rarely
get busted. If they didn't destroy your system I don't see what is wrong;
it is their way of showing you that you need to secure your system. Maybe
try a different distro of Linux.
Nate Lison
nathan.lison@fortjamesmail.com
-----Original Message-----
From: Drew Smith [mailto:drew@PCTC.COM]
Sent: Wednesday, March 01, 2000 12:24 PM
To: INCIDENTS@SECURITYFOCUS.COM
Subject: Cracked; rootkit - entrapment question?
Hey all,

One of my clients had a cracker gain root on the webserver last night.
The cracker installed what appears to be Linux Rootkit 4, and I'm
diligently removing all of the binaries as we speak - but I'm not really
willing to stop there.

I'd like to create a honeypot of sorts; a chroot environment that looks
and feels like the machine, and that allows the cracker to do everything
he normally would want to from the shell. I'd like to log everything to
another machine, and get the police in on it.

My question is this: how far can I go while remaining legal? Is this
entrapment? I really despise these kids - if you're going to hack my
machines, at least show some prowess at it! They did, unfortunately,
wipe the utmp and wtmp entries, remove themselves from all the logs, etc.
- so I don't really have too much to start from.

The machine is running Redhat 3.0.3 (that's why they're my clients; I'm
replacing that machine with an RH6.1 machine, hardened and optimized)
with kernel 2.0.36. I'm thinking that I should reinstate the logins
that the cracker added, chroot them to a look-alike filesystem, and
track every step he takes.

Any experts have any comments? Is this fully legal? Should I talk to
the police now, or after I have the evidence? Anyone have any tips on
removing the rootkit (non-obvious ones, I've got the rootkit sources and
some experience with it)?

Anything's welcome,

Cheers,
- Drew.
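Drew's remark that the intruders wiped their utmp and wtmp entries is itself a forensic lead: cleaners that overwrite a login record in place leave an all-NUL slot, and hand-edited files often lose their chronological order. The Python below is an added example, not code from this thread or from the rootkit it discusses; it parses a wtmp file and flags both traces, assumes the glibc 384-byte struct utmp layout (an older libc record size would need a different UTMP_FMT), and uses constructed sample records.

```python
"""Scan a wtmp file for slots wiped in place (all-NUL records), the trace that
in-place utmp/wtmp log cleaners leave behind. The sample data is constructed."""
import struct
from collections import namedtuple

# Assumption: glibc 'struct utmp' layout, 32-bit little-endian Linux, 384 bytes/slot.
UTMP_FMT = "<h2xi32s4s32s256shhi2i4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7
Record = namedtuple("Record", "index ut_type pid line user host tv_sec zeroed")

def _cstr(b):
    return b.split(b"\0", 1)[0].decode("latin-1")

def parse_wtmp(data):
    """Parse every fixed-size slot; zeroed slots are kept so the gaps stay visible."""
    out = []
    for i in range(len(data) // UTMP_SIZE):
        chunk = data[i * UTMP_SIZE:(i + 1) * UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, chunk)
        out.append(Record(i, f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]),
                          f[9], chunk.count(0) == UTMP_SIZE))
    return out

def find_zeroed_records(data):
    """Indices of slots that are entirely NUL: a login record overwritten in place."""
    return [r.index for r in parse_wtmp(data) if r.zeroed]

def find_time_regressions(data):
    """Indices whose timestamp is older than the previous real record's; wtmp is
    append-only, so a regression suggests the file was edited or spliced."""
    last, bad = None, []
    for r in parse_wtmp(data):
        if r.zeroed:
            continue
        if last is not None and r.tv_sec < last:
            bad.append(r.index)
        last = r.tv_sec
    return bad

def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one slot; used here only to construct the sample file."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

# Constructed sample: three logins, the second one zeroed in place by a cleaner.
SAMPLE_WTMP = (make_record(USER_PROCESS, 101, "ttyp0", "alice", "10.0.0.5", 951900000)
               + b"\0" * UTMP_SIZE
               + make_record(USER_PROCESS, 103, "ttyp2", "bob", "10.0.0.9", 951903600))
```

Run it against a copy of /var/log/wtmp taken from the compromised box (not the live file, which the intruder's binaries may still be touching): `find_zeroed_records(SAMPLE_WTMP)` returns `[1]` for the sample.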