Subject: Re: How to Track a hacker
From: J C Lawrence (claw@kanga.nu)
Date: Mon Nov 06 2000 - 22:26:56 CST


On Mon, 6 Nov 2000 13:34:42 -0800
Mike Parkin <mparkin@CISCO.COM> wrote:

> This is a great precaution before a crack, but won't help as much
> afterward. If you're truly paranoid about syslogs, you can send
> your system logs to a syslog server on your LAN and actually
> record them with a completely separate machine running snort.
> Keep the snort box hidden from all the other boxen (no entries in
> /etc/hosts, etc) and you can use it to monitor suspicious activity.

Correctly handled NIDS systems won't have an IP and will fail to
reply to ARP/RARP queries. They need to be *entirely* invisible to
the local 'net at the packet and ethernet levels.

Yes, this is actually fairly standard practice. Network Flight
Recorder's NIDS collectors fit this description for instance.

> Again, useful, but not exceptionally so. If the attacker is any
> good, the IP you track him back to is NOT where he's based.
> Chances are it's another compromised account somewhere.

Most of the ones I've played with are bouncing thru a misconfigured
SOCKS proxy or other packet forwarding firewall. There are scores
of them out there. Nice little unmonitored packet header rewriters
that can be daisy chained ad infinitum.

> You may be able to help out whoever it is they compromised, but it
> seems that most ISP's respond with "That's not our problem!" if
> you tell them one of their users has been rooted.

Given a world of umpty million protectionless windows boxen and
uneducated litigious users, can you blame them?

> If you want to save the data, take the machine off the Net, save
> your data, rebuild, patch, and put it back up. The attacker will
> know in short order they've been found. If you want to keep
> monitoring them, forget the data and use known-good binaries from
> your Jump-kit floppy or CD. Alternately, use the aforementioned
> snort box to monitor all traffic in and out of the afflicted box.

Rather cutely, in the LKM I previously described when a new binary
for one of the compromised binaries was placed on the system, it
actually replaced the backed-up copy of the original binary, leaving
the compromised binary in place. The result was that the MD5Sum on
the new binary returned the correct values (it was reading the file
I put there) but when actually executed instead it ran the
compromised tool.

Cute.

--
J C Lawrence                                 Home: claw@kanga.nu
---------(*)                               Other: coder@kanga.nu
http://www.kanga.nu/~claw/        Keys etc: finger claw@kanga.nu
--=| A man is as sane as he is dangerous to his environment |=--
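As an added defender's example, not code from the thread: the LKM above serves clean bytes to read() while exec() runs the trojaned tool, so hashing on the live box proves nothing. The check below is meant to run from a trusted boot (the jump-kit CD) against the suspect filesystem mounted read-only, comparing it with a manifest built from known-good media; the directory layout, file contents and manifest are constructed for the demo.

```python
import hashlib
import os
import tempfile


def hash_file(path, algo="sha256"):
    """Hash a file in chunks. md5 matches the thread's MD5Sum; sha256 is preferred."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse md5sum/sha256sum-style lines: '<hex>  <relative path>'."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        manifest[rel.strip()] = digest.lower()
    return manifest


def verify_tree(root, manifest, algo="sha256"):
    """Compare each manifest entry with the file under root (the offline mount)."""
    results = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            results[rel] = "missing"
        elif hash_file(path, algo) == expected:
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    return results


def demo():
    """Constructed sample tree: bin/ls was swapped, bin/ps is intact, bin/netstat is gone."""
    good_ls, bad_ls = b"#!/bin/sh\necho genuine ls\n", b"#!/bin/sh\necho trojaned ls\n"
    good_ps = b"#!/bin/sh\necho genuine ps\n"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(bad_ls)
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(good_ps)
        # Manifest as it would come off known-good media (hashes of the genuine bytes).
        known_good = (("bin/ls", good_ls), ("bin/ps", good_ps), ("bin/netstat", b"x"))
        manifest_text = "\n".join(f"{hashlib.sha256(b).hexdigest()}  {rel}" for rel, b in known_good)
        return verify_tree(root, parse_manifest(manifest_text))
```

The manifest must come from install media or a hash list kept off the box; a manifest generated on the compromised host would simply record the trojaned binaries as correct.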