Honeypots: Re: what to do with a script kiddie

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Honeypots mailing list archives

Re: what to do with a script kiddie

From: Damian Menscher <menscher () uiuc edu>
Date: Sat, 4 Jun 2005 12:23:32 -0500 (CDT)

On Sat, 4 Jun 2005, carnack wrote:

I was operating my honeynet successfully over some days. I "catched" anintruder and monitored him closely for about 11 days. He was not veryskilled, the term "script kiddy" fits the bill. I got some IPs of hiscopromised attack hosts and a lot of his passwords, for example his CSERVICEIRC password. I wonder what to do with that information now, as the intentionof my study was my diploma thesis. Should I "snatch" his IRC channels andexpose him? What have you done after getting such information? I am reallyinterested in your experiences.

I had a similar experience, where I monitored an intruder for about twoweeks. In my case, he was using my machine[1] to jump to other boxes,so I was able to capture plenty of information on passwords, DoStactics, etc. I notified several sites that they'd been compromised(some didn't believe me, which was interesting). After tracing theintruder back to a dialup account in Australia, and chatting with himonline (which provoked a DoS attack) I offered the information to theFBI. They didn't care, even after I pointed out that one of thewebsites he'd broken into may have contained credit card numbers. It'sjust not worth their time to track down kids in foreign countries.

One caution: it may be amusing to change his passwords so he losesaccess to his compromised machines, but doing so may actually be illegal(not that anyone would prosecute). So informing the admins is probablythe best thing to do. Just be sure to do it using an outside channel(he might be reading their email).

[1] This wasn't really "my" machine, and it wasn't set up as a honeypot.It was a user's home machine that had been compromised, and could affordthe downtime of not being reinstalled right away. Since it was on arelatively slow connection, it was only used as a jumping point, not forscanning, so it didn't pose a threat to the outside world to leave itonline.


Damian Menscher
--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <menscher () uiuc edu> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-

By Date By Thread

Current thread:

what to do with a script kiddie carnack (Jun 04)
- Re: what to do with a script kiddie David Jiménez Domínguez (Jun 04)
  - Re: what to do with a script kiddie carnack (Jun 04)
    - Re: what to do with a script kiddie Sebastian Garcia (Jun 06)
- Re: what to do with a script kiddie Damian Menscher (Jun 04)
- <Possible follow-ups>
- RE: what to do with a script kiddie Stejerean, Cosmin (Jun 04)
  - Re: what to do with a script kiddie ilaiy (Jun 04)
  - Re: what to do with a script kiddie Lance Spitzner (Jun 04)
    - Re: what to do with a script kiddie MrDemeanour (Jun 05)
    - Re: what to do with a script kiddie Dave Dittrich (Jun 06)