Subject: Re: Cracked; rootkit - entrapment question?
From: Adam Pendleton (APendleton at VGSINC.COM)
Date: Thu Mar 02 2000 - 13:14:56 CST
- Next message: Jon Lewis: "Re: Cracked; rootkit - entrapment question?"
- Previous message: Russell Fulton: "Re: FW: PPark (was: Win 95 Question)"
- Next in thread: Jon Lewis: "Re: Cracked; rootkit - entrapment question?"
- Maybe reply: Adam Pendleton: "Re: Cracked; rootkit - entrapment question?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Just a note on this....
There's a section in Cheswick-Bellovin that addresses this very question.
They cite two cases that could lead to lawsuits against people using
"honeypot" systems. It could be viewed as "knowingly harboring a wild and
dangerous beast." Cited cases are "Cowden v. Bear Country, Inc., 382 F.
Supp. 1321 (D.S.D. 1974)" and "Rylands v. Fletcher, [1865] 3 H.&C. 774, 159
Eng. Rep. 737".
While I don't disagree with honeypot systems, and allegedly used a few
myself, check with your lawyers first.
Adam H. Pendleton
Security Engineer
VGS, Inc.
Fairfax, Virginia
Si hoc legere scis nimium eruditionis habes.
-----Original Message-----
From: Paul L Schmehl [mailto:pauls at UTDALLAS.EDU]
Sent: Thursday, March 02, 2000 10:44 AM
To: INCIDENTS at SECURITYFOCUS.COM
Subject: Re: Cracked; rootkit - entrapment question?
IANAL, but how can it be entrapment? He has to break in to the machine
before he gets tracked and logged. Even if you have a machine that's
grossly misconfigured and wide open to hacking, that doesn't justify people
hacking it.
I say set it up, and let the script kiddie indict himself.
--On 3/1/00, 10:23 AM -0800 Drew Smith <drew at PCTC.COM> wrote:
> Hey all,
>
> One of my clients had a cracker gain root on the webserver last night.
>
> The cracker installed what appears to be Linux Rootkit 4, and I'm
> diligently removing all of the binaries as we speak - but I'm not really
> willing to stop there.
>
> I'd like to create a honeypot of sorts; a chroot environment that looks
> and feels like the machine, and that allows the cracker to do everything
> he normally would want to from the shell. I'd like to log everything to
> another machine, and get the police in on it.
>
> My question is this: how far can I go while remaining legal? Is this
> entrapment? I really despise these kids - if you're going to hack my
> machines, at least show some prowess at it! They did, unfortunately,
> wipe the utmp and wtmp entries, remove themselves from all the logs, etc
> - so I don't really have too much to start from.
>
> The machine is running Redhat 3.0.3 (that's why they're my clients; I'm
> replacing that machine with an RH6.1 machine, hardened and optimized)
> with kernel 2.0.36. I'm thinking that I should reinstate the logins
> that the cracker added, chroot them to a look-alike filesystem, and
> track every step he takes.
>
> Any experts have any comments? Is this fully legal? Should I talk to
> the police now, or after I have the evidence? Anyone have any tips on
> removing the rootkit (non-obvious ones, I've got the rootkit sources and
> some experience with it)?
>
> Anything's welcome,
>
> Cheers,
> - Drew.
Paul L. Schmehl, pauls at utdallas.edu
Technical Support Services Manager
The University of Texas at Dallas
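An added example, not part of any message in this thread, of the logging piece of Drew's plan: a wrapper installed as the decoy account's login shell that chroots into a look-alike tree, runs a shell under a pty, and mirrors every keystroke and every byte of output to a remote syslog host over UDP, so the record has already left the box before the intruder can wipe utmp/wtmp or anything else local. The jail path /jail, the collector address 192.0.2.10:514, the "decoy" tag and the completed-command reconstruction are all assumptions of this example and do not appear in the original posts.

```python
"""Decoy-shell wrapper: chroot the login into a look-alike tree, run a shell
under a pty, and ship keystrokes and output to a remote syslog host over UDP.
Added example, not code from the thread. Assumptions (not in the original
posts): the decoy tree is /jail, the log host is 192.0.2.10:514, and the
wrapper is started with root privilege (e.g. by login) and drops it itself."""
import os
import pty
import pwd
import socket
import time

JAIL = "/jail"                    # assumption: look-alike filesystem built beforehand
LOG_HOST = ("192.0.2.10", 514)    # assumption: remote syslog collector (RFC 5737 address)
FACILITY_AUTHPRIV, SEVERITY_INFO = 10, 6
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def syslog_packet(tag, msg, facility=FACILITY_AUTHPRIV, severity=SEVERITY_INFO, ts=None):
    """Build a BSD-style (RFC 3164) syslog datagram: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG."""
    t = time.localtime(ts)
    stamp = "%s %2d %02d:%02d:%02d" % (MONTHS[t.tm_mon - 1], t.tm_mday,
                                       t.tm_hour, t.tm_min, t.tm_sec)
    pri = facility * 8 + severity
    line = "<%d>%s %s %s: %s" % (pri, stamp, socket.gethostname(), tag, msg)
    return line.encode("utf-8", "replace")[:1024]   # RFC 3164 datagram size limit


class LineAssembler:
    """Turn raw tty keystrokes into the command lines the intruder actually
    submitted, honouring backspace (DEL/BS), kill-line (^U) and interrupt (^C)."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, data):
        lines = []
        for b in data:
            if b in (0x7f, 0x08):                 # DEL / BS: drop last char
                if self.buf:
                    self.buf.pop()
            elif b == 0x15:                       # ^U: kill the whole line
                self.buf.clear()
            elif b == 0x03:                       # ^C: keep the aborted line as evidence
                lines.append(self.buf.decode("latin-1") + "^C")
                self.buf.clear()
            elif b in (0x0d, 0x0a):               # Enter (\r, or \r\n when not raw)
                if self.buf:                      # skip the empty line a trailing \n would make
                    lines.append(self.buf.decode("latin-1"))
                self.buf.clear()
            else:
                self.buf.append(b)
        return lines


class DecoySession:
    """pty.spawn callbacks that ship everything off-host before passing it on."""

    def __init__(self, user, peer, sock=None, dest=LOG_HOST):
        self.user, self.peer, self.dest = user, peer, dest
        self.sock = sock or socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.tag = "decoy[%d]" % os.getpid()
        self.lines = LineAssembler()

    def emit(self, kind, text):
        msg = "%s from %s %s %s" % (self.user, self.peer, kind, text)
        self.sock.sendto(syslog_packet(self.tag, msg), self.dest)

    def record_keys(self, data):
        # Raw keystrokes first (an aborted line or a ^C is evidence too),
        # then each completed command line. Both leave the box before the
        # shell ever sees the bytes.
        self.emit("keys", repr(data))
        for line in self.lines.feed(data):
            self.emit("cmd", line)
        return data

    def on_keystrokes(self, fd):          # stdin_read callback for pty.spawn
        return self.record_keys(os.read(fd, 256))

    def on_output(self, fd):              # master_read callback for pty.spawn
        data = os.read(fd, 256)           # small reads keep each datagram under 1024 bytes
        self.emit("out", repr(data))
        return data


def main():
    user = os.environ.get("USER", "unknown")
    peer = (os.environ.get("SSH_CLIENT") or os.environ.get("REMOTEHOST") or "unknown").split()[0]
    pw = pwd.getpwnam(user)               # resolve before chroot hides the real /etc/passwd
    session = DecoySession(user, peer)
    session.emit("session", "start")
    os.chroot(JAIL)                       # needs root; the wrapper drops it right after
    os.chdir("/")
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    status = pty.spawn(["/bin/sh", "-i"], session.on_output, session.on_keystrokes)
    session.emit("session", "end status %d" % status)
    return status >> 8                    # exit code from the waitpid() status


if __name__ == "__main__":
    raise SystemExit(main())
```

Two caveats a practitioner would want alongside this: chroot is a decoy here, not a security boundary, so anyone who reaches root inside the jail can leave it, and the wrapper itself is visible in the process list from inside the shell; and because transport is UDP there is no delivery guarantee, so the collector should be on the same segment and its own logs protected from the monitored host.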