View Poll Results: Which is the best OS ?
- 15. You may not vote on this poll
May 22nd, 2002 03:49 AM
Crossing the line or acceptable notification?
Ok... I was wondering what the general opinion is here on "notifying" an admin that someone might be using their box to hack (or, in-turn, notifying the kiddie you're "watching"). I know other people have done it and I know that they have suffered some fallout... but either I'm getting old and grumpy or, well... *shrug*
What I am thinking about is an IDS system that, when triggered, connects back to the source IP and sends it a SMB and/or syslog message to (hopefully) let the admins know that something odd is going on... of course, it would have to be somewhat smart in order to try to avoid nasty things like spoofing (like waiting for the TCP handshake to complete before it sends an alert - which means it wouldn't trigger for things like a SYN scan, of course).
So, said script kiddie connects to my box and tries to enumerate the web/ftp/whatever server or honeypot I am running... my box tries to connect back to it and talks to its SMB server, sending a message to the screen or to the syslog server, sending it a log message...
Just wondering what people's opinions would be on something like this these days... or if someone could add to this and improve upon the idea.
\"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take affect. Reboot now?\"
May 22nd, 2002 07:35 PM
You should try PortSentry. They have countermeasures you can enable to do just that. But IMHO, it's generally a bad idea. The reason that it's a bad idea is that you can get yourself in a DoS failure if they realize you have countermeasures implemented. Simply put they (the countermeasures) Can be used against you.
edit - P.S. I just contact their ISP.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
May 23rd, 2002 05:08 PM
Not a bad idea - may need some tweaking, though. Better than my idea -
When I was in college, the UNIX system was hacked and became a source for a guy to perform leap-frog attacks against sites in Europe.
My UNIX admin class shifted from admin to forensics and the class got a whole lot more interesting. Our system had been set up as an IRC server and a POP3 server. The intruder had also gained access to [i]numerous[\i] logons and passwords, so was then able to launch attacks from our system, masking himself.
The local division of criminal investigation had just set up the "cyber-crimes" unit and they came in to enlist our help. (LOL) Of course the class found more evidence and was able to track the guy back to Holland. We even got a picture of him off of his personal web site!
The class had been broken down into teams to deal with the attack. I lead the "CAT" (counter-attack team) which was originally developed to catch the intruder on the system and then gather as much info as possible to use in prosecution. I actually got permission from the school admin to launch a counter-attack and attempt to hack the intruder's system to shut him down. Unfortunately, DCI and the FBI said that was illegal to do even if the guy was intruding, we couldn't even attempt to run a remote shut down on him.
I think Korp's edit may hold the key. Document what you can and then notify the ISP or admin directly and send a copy of your documentation. I have had some success with ISPs in sending documentation and getting specific recurring attacks stopped from their users.
Edit - but personally I have a hard time understanding why I have to shut down a compromised machine rather than forcibly stop the attack by counter-attacking.
May 23rd, 2002 05:24 PM
Yeah, what happens when they have the same countermesures in place. Your two boxes would end up DOS'ing eachother.
Just make sure you watch what you are doing. If you get caught hacking their system, its just as bad, and I have seen the government run tests where they will do something like portscan a machine, and see if the machine trys to retaliate. It was always done on other government computers, but a few people have lost their jobs over it. Its better to just have a message automatically sent to the machines admin, or the isp.
\"Ignorance is bliss....
but only for your enemy\"