On Mon, 25 Mar 2002, Skip Carter wrote:

> > - sometimes checking failed script-kiddies can be entertaining if time
> > permits to look around for any funny stuff
>
> I had one incident that I investigated for a client recently.
>
> It was the usual: gain entry, install rootkit, install password
> scanner, etc. Except he did it in the wrong order, so that his
> password scanner caught his own connection back to his rootkit
> archive; so when I started my investigation I was able to log in
> to his archive and pick up his entire stash of tools.

I can't tell you how many times I've seen that over the years, e.g.:

http://staff.washington.edu/dittrich/talks/security/case1/hacksniff.txt

This kind of thing is, according to an Assistant US Attorney, "a slam
dunk" violation of the Wiretap statute. With a little correlation of
events via timestamps on files and other logins in the sniffer file,
you can show a direct link between an intruder, the sniffer, and the
"fruits of crime" (the sniffed passwords). If you can get the owner of
the site to save a copy for law enforcement (rather than popping in
yourself and copying files), there is corroborating evidence from an
independent source.

Then again, I've also seen the following:

/*
 * dontsniff2.c by XXXXXXXX (today: 13 Nov 1998)
 * Regards to both XXXXXX and XXXXXXX ;)
 * Paper:
 *   T.Ptacek, T.Newsham "Insertion, Evasion, and Denial of Service: Eluding
 *   Network Intrusion Detection," Secure Networks, Inc. January, 1998
 * Greetings to XXX@!#$
 * Description:
 *   this daemon add little protection from some kind of sniffers and IDS
 * How it work (in default mode: -fffdFD):
 *   1. send fake data packets with random garbage on every ACK packet -
 *      - sniffer log fake data.
 *   2. send fake FIN packets on every SYN packet -
 *      - sniffer "think" connection closed and stop logging.
 *   "fake" mean - it good packets for sniffer but really ignored by most
 *   of computer systems in internet cause they have invalid sequence number.
 */

Moral of the story: don't expect to be lucky all the time, and trust
packets found on the network, not files found on a compromised host.

--
Dave Dittrich                           Computing & Communications
dittrichat_private                      University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
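As an added example (not from the thread and not from dontsniff2.c itself), the following Python models the two sniffer behaviours that header describes: a naive logger that trusts every segment on a connection's 4-tuple, beside a sequence-aware logger that, like the receiving host, discards data and FINs whose sequence numbers fall outside the window. The segments, sequence numbers and class/function names are all constructed for this illustration, and the sequence-aware side accepts only strictly in-order data (a real stack would buffer in-window out-of-order segments).

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int            # sequence number of the first payload byte
    flags: str          # subset of "SAPF"
    payload: bytes = b""

class NaiveLogger:
    """Sniffer that logs any payload on the 4-tuple and stops on any FIN."""
    def __init__(self):
        self.data, self.closed = b"", False
    def feed(self, seg):
        if self.closed:
            return
        self.data += seg.payload      # injected garbage ends up in the log
        if "F" in seg.flags:          # injected FIN ends logging early
            self.closed = True

class SeqAwareLogger:
    """Logger that only counts in-window, in-order data, as the host would."""
    def __init__(self, isn, window=65535):
        self.next_seq = isn + 1       # SYN consumes one sequence number
        self.window = window
        self.data, self.closed = b"", False
    def in_window(self, seq):
        return (seq - self.next_seq) % (1 << 32) < self.window
    def feed(self, seg):
        if self.closed or not self.in_window(seg.seq):
            return                    # out-of-window: host ignores it, so do we
        if seg.seq != self.next_seq:
            return                    # in-window but out of order: skipped for brevity
        self.data += seg.payload
        self.next_seq += len(seg.payload)
        if "F" in seg.flags:
            self.closed = True

def replay(segments, isn):
    """Feed the same segments to both loggers; return (naive_log, aware_log)."""
    naive, aware = NaiveLogger(), SeqAwareLogger(isn)
    for seg in segments:
        naive.feed(seg)
        aware.feed(seg)
    return naive.data, aware.data

# Constructed sample stream (client ISN 1000): real data, an injected garbage
# segment with a far-off sequence number, an injected FIN with a bogus one,
# then more real data that only the sequence-aware logger will see.
SAMPLE = [
    Segment(1001, "PA", b"HELO mail.example\r\n"),
    Segment(3_000_000_000, "PA", b"\x9c\x07\xe2junk"),
    Segment(42, "FA"),
    Segment(1020, "PA", b"MAIL FROM:<a@example>\r\n"),
]
```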
This archive was generated by hypermail 2b30 : Tue Mar 26 2002 - 08:24:16 PST