The Jail

We never intended to use these tools to simulate a system in real time. We wanted to watch the cracker's keystrokes, to trace him, learn his techniques, and warn his victims. The best solution was to lure him to a sacrificial machine and tap the connection.

At first, I didn't have a spare machine handy, so I took the software route. This is not the easy way, and I don't recommend it.

I consulted the local Unix gurus about the security of a chroot environment. Their conclusion:

We constructed such a chroot "Jail" (or "roach motel") and rigged up logged connections to it through our firewall machine. Accounts berferd and guest were connected to the Jail through this arrangement.

Two logs were kept per session, one each for input and output. The logs were labeled with starting and ending times.

#       setupsucker login
#       Run outside the Jail for each logged connection that arrives on a
#       Jail account: fake enough of a real login that the resident sees
#       nothing odd, then drop into the chroot.

login=`echo $CDEST | cut -f4 -d!`	# extract login from service name
home=`egrep "^$login:" $SUCKERROOT/etc/passwd | cut -d: -f6`	# home dir from the Jail's own passwd

PATH=/v:/bsd43:/sv;     export PATH
HOME=$home;             export HOME
USER=$login;            export USER
SHELL=/v/sh;            export SHELL
unset CSOURCE CDEST	# hide these Datakit strings

#get the tty and pid to set up the fake utmp
tty=`/bin/who | /bin/grep $login | /usr/bin/cut -c15-17 | /bin/tail -1`
/usr/adm/uttools/telnetuseron /usr/spool/hacker/etc/utmp \
        $login $tty $$ 1>/dev/null 2>/dev/null

# hand the resident the Jail's copy of his tty device; errors stay out of his sight
chown $login /usr/spool/hacker/dev/tty$tty 1>/dev/null 2>/dev/null
chmod 622 /usr/spool/hacker/dev/tty$tty 1>/dev/null 2>/dev/null

# enter the Jail as the resident and run its /etc/profile; when the session
# ends, drop the fake utmp entry again
/etc/chroot /usr/spool/hacker /v/su -c "$login" /v/sh -c "cd $HOME;
        exec /v/sh /etc/profile"
/usr/adm/uttools/telnetuseroff /usr/spool/hacker/etc/utmp $tty \
        >/dev/null 2>/dev/null

The setupsucker shell script
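The two-logs-per-session tap described above (one log for input, one for output, each labelled with start and end times), as an added example that is not part of the paper: a command is driven through ordinary pipes rather than a tapped Datakit line, and no chroot is involved, so it runs unprivileged. The log format, the session id, the sparse environment and the constructed script of commands are assumptions made for this example; /bin/sh is used only as a stand-in for the Jail's login shell.

```python
"""Added example (not from the paper): per-session input and output logs
with start/end timestamps, plus a replay that merges them for review."""
import datetime
import json
import os
import subprocess
import threading


def _stamp():
    """UTC timestamp with microseconds; ISO text sorts correctly."""
    return datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="microseconds")


def _record(ts, data):
    """One log line: timestamp, TAB, the bytes as a JSON string (newlines stay visible)."""
    return ts + "\t" + json.dumps(data.decode("utf-8", "replace")) + "\n"


class SessionTap:
    """Runs argv with both directions of traffic recorded to separate logs."""

    def __init__(self, argv, log_dir, session_id):
        self.argv = argv
        self.session_id = session_id
        self.in_path = os.path.join(log_dir, session_id + ".in")
        self.out_path = os.path.join(log_dir, session_id + ".out")

    def run(self, scripted_input):
        """Feed each chunk of scripted_input to the process; return (in_log, out_log) text."""
        # A hand-built, minimal environment (assumption for the example).
        env = {"PATH": "/usr/bin:/bin", "HOME": "/", "USER": "guest", "SHELL": "/bin/sh"}
        proc = subprocess.Popen(self.argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                                stderr=subprocess.STDOUT, env=env)
        out_records = []

        def pump_output():
            # Record everything the program sends back, as it arrives.
            fd = proc.stdout.fileno()
            while True:
                data = os.read(fd, 4096)
                if not data:
                    break
                out_records.append(_record(_stamp(), data))

        reader = threading.Thread(target=pump_output)
        start = _stamp()
        reader.start()
        in_records = []
        for chunk in scripted_input:
            data = chunk.encode() if isinstance(chunk, str) else chunk
            in_records.append(_record(_stamp(), data))   # stamp before sending
            proc.stdin.write(data)
            proc.stdin.flush()
        proc.stdin.close()          # EOF: the shell exits when the script is done
        proc.wait(timeout=30)
        reader.join(timeout=30)
        end = _stamp()

        header = "# session %s start %s\n" % (self.session_id, start)
        footer = "# session %s end %s\n" % (self.session_id, end)
        in_log = header + "".join(in_records) + footer
        out_log = header + "".join(out_records) + footer
        with open(self.in_path, "w") as f:
            f.write(in_log)
        with open(self.out_path, "w") as f:
            f.write(out_log)
        return in_log, out_log


def replay(in_path, out_path):
    """Merge the two logs by timestamp into [(direction, text)] for later review."""
    events = []
    for direction, path in (("in", in_path), ("out", out_path)):
        with open(path) as f:
            for line in f:
                if line.startswith("#"):      # start/end labels
                    continue
                ts, payload = line.rstrip("\n").split("\t", 1)
                events.append((ts, direction, json.loads(payload)))
    events.sort()
    return [(direction, text) for _, direction, text in events]


if __name__ == "__main__":
    import tempfile
    tap = SessionTap(["/bin/sh"], tempfile.mkdtemp(), "demo")
    # Constructed script standing in for a resident's keystrokes.
    tap.run(["echo hello from the jail\n", "echo done\n", "exit\n"])
    for direction, text in replay(tap.in_path, tap.out_path):
        print(direction, repr(text))
```

Keeping the two directions in separate files, each self-labelled with its start and end time, means a log is useful on its own; the merge in replay only needs the per-record timestamps, which is why they are stamped before each write and after each read.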

The setupsucker shell script emulates login, and it is quite tricky. We had to make the environment variables look reasonable and attempted to maintain the Jail's own special utmp entries for the residents. We had to be careful to keep errors in the setup scripts from the hacker's eyes.

The Jail was hard to set up. We had to get the access times in /dev right and update utmp for Jail users. Several raw disk files were too dangerous to leave around. We removed ps, who, w, netstat, and other revealing programs. The login shell script had to simulate login in several ways.
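A pre-flight audit of a Jail tree, as an added example that is not part of the paper: the text says raw disk files were too dangerous to leave around and that ps, who, w, netstat and other revealing programs had to be removed, so this walk over a chroot directory reports the named programs, device nodes that are not on a small allow-list, set-uid/set-gid binaries, world-writable files and regular files with more than one link (a hard link can reach a file outside the jail). The allow-list of devices, the jail layout built in build_demo_jail and the severity labels are assumptions for the example.

```python
"""Added example (not from the paper): audit a chroot jail tree for things a
resident could use to see out of the jail or to get out of it."""
import os
import stat

REVEALING_PROGRAMS = {"ps", "who", "w", "netstat"}   # the ones named in the text
# Devices a login session plausibly needs; anything else (raw disks, memory
# devices, other ttys) is reported.  This allow-list is an assumption.
ALLOWED_DEVICES = {"null", "zero", "tty"}


def audit_jail(root):
    """Return a sorted list of (path_relative_to_root, reasons) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            mode = os.lstat(full).st_mode
            st = os.lstat(full)
            reasons = []
            if stat.S_ISLNK(mode):
                continue                      # resolved inside the chroot; harmless here
            if stat.S_ISBLK(mode) or stat.S_ISCHR(mode):
                in_dev = rel.split(os.sep)[0] == "dev" and rel.count(os.sep) == 1
                if not (in_dev and name in ALLOWED_DEVICES):
                    reasons.append("device node outside the allow-list")
            if stat.S_ISREG(mode):
                if name in REVEALING_PROGRAMS:
                    reasons.append("revealing program present")
                if mode & (stat.S_ISUID | stat.S_ISGID):
                    reasons.append("set-uid/set-gid binary")
                if st.st_nlink > 1:
                    reasons.append("link count > 1 (may be hard-linked to a file outside the jail)")
            # World-writable files and directories, except sticky directories like /tmp.
            if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
                reasons.append("world-writable")
            if reasons:
                findings.append((rel, "; ".join(reasons)))
    return sorted(findings)


def build_demo_jail(root):
    """Constructed jail layout (assumption) with several things the audit should catch."""
    for d in ("bin", "etc", "usr/bin", "home/guest", "tmp", "dev"):
        os.makedirs(os.path.join(root, d), exist_ok=True)

    def put(rel, mode, text="x\n"):
        p = os.path.join(root, rel)
        with open(p, "w") as f:
            f.write(text)
        os.chmod(p, mode)

    put("bin/sh", 0o755)                   # fine
    put("bin/ps", 0o755)                   # revealing program, should have been removed
    put("usr/bin/passwd", 0o4755)          # set-uid binary
    put("etc/motd", 0o666)                 # world-writable
    put("etc/shadow", 0o600)
    os.link(os.path.join(root, "etc/shadow"),
            os.path.join(root, "home/guest/shadowlink"))   # link count becomes 2
    os.chmod(os.path.join(root, "tmp"), 0o1777)             # sticky: allowed
    return root


if __name__ == "__main__":
    import tempfile
    jail = build_demo_jail(tempfile.mkdtemp())
    for rel, reason in audit_jail(jail):
        print("%-24s %s" % (rel, reason))
```

Run it against the real jail root before admitting anyone; an empty result is the goal, and anything it prints is a file to remove, re-mode or replace with a harmless stand-in.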

Diana D'Angelo set up a believable file system (this is very good system administration practice) and loaded a variety of silly and tempting files. Paul Glick got the utmp stuff working.

A little later Berferd discovered the Jail and rattled around in it. He looked for a number of programs that we later learned contained his favorite security holes. To us the Jail was not very convincing, but Berferd seemed to shrug it off as part of the strangeness of our gateway.