
Thread: Oh btw, would stuff like this be legal?

  1. #11
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    Having an application that attacks back is about the same as attacking back yourself and is generally not looked upon very well. Also if someone does learn that your machine will do that then it is open to misuse by 'evil doers' and could be used to attack others...just a big can of worms that I don't think you really want to open.

    The 'I'm watching you' message is interesting, but I kind of wonder about the legal ramifications of sending such a message. I think I would alter it, adding a bit of text to say that what they are doing is unauthorized and that if they continue the proper authorities will be notified. By simply saying you are watching them it could be argued that you didn't warn them off so it is tantamount to giving them permission to do what they are doing in a supervised manner.

    If anyone likes I can pull up some links kind of related to this and banners used on systems.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  2. #12
    Junior Member
    Join Date
    Nov 2003
    Posts
    9
    Entirely agreed on the virii front... But then I seriously hope that all my friends have listened to me nagging them very regularly to have latest updates of their anti virus so it would partially be their own fault... (add to that that I also keep reminding them to have backups and I even have a small collection of full backups at home on tapes of various people's machines and yup I specialise in Backup devices for the world's 2nd or 3rd largest IT company... the dreaded HP)

    Have to say it WOULD be nice tho if someone could manage to make a program like this fool proof... I mean how excellent would it be if you f-disked someone who was trying to get into your machines???? Phwarharharhar!

  3. #13
    Junior Member
    Join Date
    Aug 2002
    Posts
    25

    Re: Oh btw, would stuff like this be legal?

    Originally posted here by Tinks
    Someone told me about a software/program that you can install on your computer that when it DOES detect unauthorised access will send something back to the offending IP resulting in the hard drive being wiped (I'm assuming we're probably talking some simple code running an f-disk on the offending PC...)

    Anyone heard of this and does it work and more importantly is it legal?

    Tinks
    "Strikeback" is a program used at GE medical in 98-99. It did Ping of Death and scanned ports. It was pretty infantile to be running at such a corporation, and the legal implications could be nasty. I think Information Weekly released an article about Strikeback, so they pulled it from the proxies they were using at the time.

    "Honeypots" are used all the time. They are fake computers that emulate a hacked system.

    As far as Fdisking an offended PC, I have never seen an app like that (as you describe). I think it's just urban legend.
    -Producer

  4. #14
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    As far as Fdisking an offended PC, I have never seen an app like that (as you describe). I think it's just urban legend.
    I agree. It would be pretty difficult to do because of so many different operating systems, configurations, firewalls, and other means of protection. The system would have to be exploited which means unpatched/unprotected. What idiot would attack someone without being protected themselves?! A zombie, maybe. If the system was patched, the "hack back" program would have to download a crap load of exploits for virtually all operating systems/services/versions. That could take up quite a bit of resources and would be ridiculous if someone just scanned you, or tried to connect to a network drive.

    If such a tool existed, you would def. have heard of it by now. Especially with all the security lists out there. It would have shown up in one place or another and spread like wildfire.

    Your best bet is just to protect yourself and keep good backups. Not to mention, keep all sensitive/important data on removable drives and only mount those drives when you need access to that data.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #15
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Tinks

    If you zapped a foreign owned, and located computer I am sure that it would be legal, as English law is very poor at protecting anyone who is not resident in England or a British Citizen overseas.

    As already pointed out, the "attacker" is most likely "owned" or "spoofed". This means that at worst they might be considered guilty of stupidity. If stupidity were a crime then "they" would certainly be in a majority, and we would be in jail.

    As in "Eat more sh1t, three trillion flies can't be wrong"

    I have not heard of such a program, so I suspect it might be an urban legend/myth?

    It is hard to say what the legal position is, as English law is not up to date as regards computers. If a burglar breaks into your house and electrocutes himself on a faulty light fitting then YOU are liable, because your faulty light fitting is illegal, and was there first.

    If someone breaks into your computer and runs fdisk on their box (a normal, legitimate, and legal program) then I would say that you are OK, because your computer has nothing illegal on it. What I am saying is that it would have to be a standard program.

    I still think that you could do it with impunity, as the disk wiping would effectively destroy the evidence, and I don't see a skiddie going to the law. As already stated: take no prisoners

    It would need a test case to get the definitive legal position?

    Cheers

  6. #16
    Junior Member
    Join Date
    Nov 2003
    Posts
    9
    LOL thanks guys pointed out some points that I had thought about but didn't quite know and was umming and Ahing... anyway as for recovering an f-disced hard drive... oh it CAN be done, I should know I work in data storage (and hence recovery when fools forget to do back ups of vital data... ) but it isn't cheap but it CAN be done (ie the police have a permanent account with Vogon.com in the UK to recover files from computers thought to belong to paedophiles...)

    Anyway home time

    Laters

    T

  7. #17
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    Although this opens the risk of a DOS I use port sentry to detect a scan and then I use iptables MIRROR.

    What this does is take a packet from the nic and swap the source and destination addresses and drop it back on the network.

    The offending person will end up scanning/hacking their own box.

    I don't think this is illegal at all. The person is doing any damage to themself.

    HTH
    Steve

    /edit

    I've been asked how I did this - RH9 Instructions (very brief - I will write a full tut if required)

    The changes to /etc/portsentry/portsentry.conf :
    # ipchain support for Linux (no logging of denied packets)
    #KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
    #
    # iptables support for Linux
    #KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"

    # sneaky 2 hour mirroring sinbin!
    KILL_ROUTE="/sbin/sinbin $TARGET$ $PORT$"

    # For those of you running FreeBSD (and compatible) you can
    # use their built in firewalling as well.
    #
    #KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
    #
    #


    The script /sbin/sinbin :

    #!/bin/sh
    # Called by PortSentry as: /sbin/sinbin $TARGET$ $PORT$
    # $1 = source address of the scan, $2 = port that was probed
    case "$2" in
    135|137|139)
        # Ports 135, 137 and 139: append to a per-port log file, no mail
        date >> "/var/log/scans_$2.txt"
        echo "$1" >> "/var/log/scans_$2.txt"
        ;;
    *)
        # Any other port: mail a notification
        MailMessage localhost portsentry@llocalhost root@localhost 'Scan Detected' "$1:$2"
        ;;
    esac
    # Mirror the source's packets back at it, then remove the rule after 2 hours
    /sbin/iptables -I INPUT -s "$1" -j MIRROR
    sleep 2h && /sbin/iptables -D INPUT -s "$1" -j MIRROR &


    Hope this helps

    Oh, BTW MailMessage is a perl mailer script I wrote (hacked someone else's actually)

    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  8. #18
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Nice one Steve,

    Aren't you worried that they might sue you for growing hairs on the palms of their hands and/or going blind?




    Cheers

  9. #19
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    You might have been thinking of an article like this one:

    http://dc.internet.com/news/article.php/2223811

    U.S. Sen. Orrin Hatch (R.-Utah) suggested Tuesday that he might favor technology that can remotely destroy the computers of those who illegally download music from the Internet. Hatch, chairman of the Senate Judiciary Committee, made his comments during a hearing on peer-to-peer (P2P) networks.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  10. #20
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    Sorry to dredge up this old history - but here is an example to us all to check out what updates we are applying.

    Some time in the last few months the MIRROR target had been dropped by the netfilter team and my portsentry had been doing nothing!!!!! since /sbin/iptables -I INPUT -s $1 -j MIRROR errored...

    I know the MIRROR target was experimental, and a bit risky but I enjoyed the smug sense of satisfaction that the skiddies were hacking their own box.

    Serves me right for being a smartass - good job the server was set up correctly and not relying on portsentry for security, cause I would have been wide open for months.

    I don't even know when I did the update that lost the functionality, but just after Xmas I know I demonstrated this to someone and was OK then

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
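
Added example (not part of the thread and not the poster's script): a KILL_ROUTE helper that addresses the two problems raised in posts #17 and #20, the denial-of-service risk of blocking whatever address a scan appears to come from, and the rule that silently stopped being inserted once MIRROR was removed. It uses DROP in place of MIRROR; the variable names, log path, allowlist addresses and function names are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. IPTABLES, LOG, ALLOWLIST and the
# function names are assumptions for illustration.
IPTABLES=${IPTABLES:-/sbin/iptables}
LOG=${LOG:-/var/log/sinbin.log}
ALLOWLIST=${ALLOWLIST:-"127.0.0.1 192.0.2.1"}   # constructed sample addresses

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        if [ "${#octet}" -gt 3 ] || [ "$octet" -gt 255 ]; then return 1; fi
    done
    return 0
}

# Return 0 only when a DROP rule for $1 is really in place.
# 1 = iptables failed, 2 = malformed target, 3 = allowlisted (never blocked).
block_source() {
    src=$1
    if ! valid_ipv4 "$src"; then
        echo "rejected target: $src" >> "$LOG"; return 2
    fi
    for ok in $ALLOWLIST; do
        if [ "$src" = "$ok" ]; then
            echo "allowlisted, not blocking: $src" >> "$LOG"; return 3
        fi
    done
    # Check the exit status: a removed target or bad rule must not pass silently.
    if ! "$IPTABLES" -I INPUT -s "$src" -j DROP ||
       ! "$IPTABLES" -C INPUT -s "$src" -j DROP; then
        echo "iptables failed, $src is NOT blocked" >> "$LOG"; return 1
    fi
    echo "blocked $src" >> "$LOG"
}

# As a KILL_ROUTE helper this would be invoked with the scanner's address.
if [ "$#" -gt 0 ]; then block_source "$1"; fi
```

A non-zero return from `block_source` is the signal to alert on, since it means the host is relying on a rule that does not exist.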
