More than 11,000 IP addresses of vulnerable servers were found on the computer of a UK teenager that has been accused of launching a DDoS attack responsible for knocking out IT systems at the Port of Houston in Texas, Southwark Crown Court was told on Wednesday.
Aaron Caffrey, whose father is a software engineer and mother is a lecturer in IT, allegedly used a well-known 'Unicode' exploit to take advantage of vulnerabilities in Microsoft's IIS Web server software. His defence counsel has argued that unpatched security holes in Windows enabled someone to use Caffrey's computer to launch the attack.
Southwark Crown Court heard on Wednesday that on Caffrey's computer, which was forensically examined by the Computer Crime Squad three months after the attack took place, there was a file called webservers.txt that listed the IP addresses of 11,608 servers vulnerable to the Unicode exploit.
Cedric d'Ablis, a security architect at Cable and Wireless, gave evidence to the court on Wednesday. He examined Caffrey's computer in October 2002 -- 13 months after the attack took place. D'Ablis told the court that there was no legitimate reason why someone would have a list of IP addresses on their system.
D'Ablis also said that there was no evidence of a third party having accessed Caffrey's computer remotely in order to initiate the DDos attack. "I would expect to find a tool that would allow someone to do this. There are a number of tools but commonly, it would be a Trojan or a Trojan horse. I did not find one," he said.
However, d'Ablis admitted that during his examination of Caffrey's computer, he only looked for open ports and active Trojans. During cross examination, he said that according to the server logs, Caffrey's machine had been "probed regularly" and admitted that it was possible the system could have been compromised, with the attack originating from a remote computer and made to look like it started from Caffrey's system. "Whenever something is installed on a computer, there are always traces of it somewhere on the system. But I did not look for these traces," he said.
The trial was almost adjourned for the day when a juror could not continue listening to evidence after suffering from a serious migraine. The judge, with agreement from the prosecution and defence counsels, agreed to continue with 11 jurors.
The case continues.
Talkback
11k IP-s... So what??? What kind of file(s)???...
My firewall log, for dial-up Internet access, on a single system, contains a rolling 12-month dataset (to cross-check for possible stealthed probes/attacks). This file has 16845+ log entries, with probably 9k of those being unique IP-s. I have a somewhat lesser number of entries in my IDS log for the same system. Easily, I've got 9k-10k IP addresses residing on this one system, many of these IP-s correlated with DNS names, NETBIOS names, ISP contact info, etc.
I'll wager that the vast majority of these IP-s were occupied, at the time of their log entries, by infected/compromised systems at the other end of the Internet... (But don't ask me how many of those IP-s may also have been unpatched for UNICODE exploits... I have no idea...)
Do these Iists make me a "criminal?" Particularly when these lists are an archival record of attempted tresspasses/penitrations against said system? All of these recorded events unsolicited and unwelcomed???...
WHERE ARE THE *ISP'S NETWORK LOGS* THAT SHOW THAT THE DEFENDANT'S COMPUTER/IP WERE BEING USED TO COMMIT/CONDUCT HOSTILE ACTS AGAINST OTHER SYSTEMS/IP-S??? *That* would be far more damning and convincing than 11k IP addresses sitting in a file...
What kind of investigative and forensic work was conducted??? By ZDUK's account, it all seems to have been very slip-shod, if not fundamentally ignorant...
who gives a fuck, as long as this kid wasnt using them it doesnt matter all power to you kid!
Yea who gives a F*** well i cant see why the courts are comming down on the Kid myself it is so painfully obvious the the real culprit is M$ you know thoses twats from Redmond the Redmon Mafia bunch of lying falsefying coniveing thieving lifeforms.
Pete,..
i will like you to email me transparent and non transperent ip address their port.
Uhm, actually I dont have a comment on this story specifically, but it has to do with a hacker.. I have NO IDEA where to go to turn in a hacker.. all I know is his yahoo screen name, and he has messaged me, my cousin, and my uncle with our screen names and our passwords to match.. he told me straight up that he uses ip addresses and ports and gets into puter's that he thinks has something big or something he wants.. I have the whole convorsation that we had saved and can send it to ya if ya need it... if anybody knows what to do about him let me know please. thanks.. cuz he has been in my puter he has got all rude with my uncle and there is something wrong with my computer now, so my only guess would be him.. thanks again.
guess what, i searched in google 'vulnerable ip list' to go hack someone and it leads here,you talk like he killed somebody, we know computer is just virtualization! hacking is free and knowledge!