5 Nov 05 05:38:43 - INFO

fucking gold.

Saw some in there that make me happy I'm running it too.
Multiple hits from Sony and MPAA IP addresses.
[16/Jul/2005 06:48:46] "Ids" action = 'deny', raddr = '82.54.68.248', msg = 'BACKDOOR trojan active millenium', url = 'http://www.whitehats.com/info/IDS82', direc = 'in', class = 'successful-user', priority = high
WTF? So the guy was FBI, was busted in 2000, and was still trying to break into my PC in July of this year?
FBI Computer Expert Accused of Hacking
Henry K. Lee, Chronicle Staff Writer
Friday, March 24, 2000
Max Ray Butler seemed to be at the top of his game. For two years, the computer expert was a confidential source for an elite FBI computer crime squad, helping to ferret out scofflaws on the Internet.
Butler, also known as Max Vision, was also a self-described "ethical hacker" from the Silicon Valley who boasted that he could test the security of any computer system by penetrating it.
But Butler's cyber activity went too far, federal authorities say.
****SNIP****
In 1997, Butler started a company known as Max Vision in Mountain View, specializing in "penetration testing" and "ethical hacking" procedures in which he would simulate for clients how a hacker would penetrate their computer systems, according to the company Web site.
"Our client penetration rate is currently 100 percent," the site said, with recent clients including a large consortium of telecommunications companies, a major motion picture company and an e-commerce online auction service.
By 1998, Butler was living with Winters in a one-story San Jose apartment, where the couple started up their own Web-design company, Kimi Networks, records show. Reached by telephone yesterday, Winters hung up on a Chronicle reporter.
It was also from that apartment, according to the FBI, that Butler hacked into computers by using a computer software vulnerability known as a buffer overflow, which sends commands into a system that ordinarily would not be allowed.
Butler also allegedly invaded computers used by the Lawrence Berkeley National Laboratory. Vern Paxson, a computer scientist at the lab, noticed an online intruder conducting unauthorized scans of laboratory and UC Berkeley computers in May 1998 and used a monitoring device that later helped identify the source of the intrusions.
Looking through the list, there are 33 different originating IP addresses - the one I posted was just the one I picked out to post.
pookie wrote: He isn't trying to break in. Your security device is pointing to an old web site. He used to write IDS signatures and maintain an online security database before he got sent up. The device is pointing to his old informational web pages, which haven't been active in years.
The IP listed, 82.54.68.248, is the blocked IP. It's an Italian dial-up address. Probably just some kids playing around.
On the other hand, how many |33t H4XX0rZ are interested in what you have on your computer?
R00k wrote: You should use this in conjunction with the router.
I have a router, but all this stuff is getting blocked by my firewall, so it's getting past the router.
Routers aren't nearly as good at stopping intrusions as a firewall - unless you have a nice expensive one by Cisco or the like. They mainly just sort-of hide your PC, but most don't do any active blocking or packet filtering.
The site is gone now, but was a very legit computer security site in 1999. The URL is just a reference for your information. It is in the attack signature database; when triggered it prints the URL as an FYI. Here is an example ruleset for a Network Intrusion Detection System (NIDS):
Are all these viruses known to originate from that site or something? How does it determine the URL to reference?
Some of these are false positives, some of them kids, but most are scanning bots. They scan machines in huge IP blocks pseudo-randomly, usually looking for one open port. If the port reports back open, the bot launches an attack. Old attacks work because there will always be some machines running old unpatched software. Though these would be very long in the tooth.
edit: And all the IPs are from different locations, and on different providers. Just a few at random:
It's not like I was getting DDOS'd because there isn't a heavy enough volume of hits for that.
It looks like a bunch of script kiddies trying to hit my IP (among many others I'm sure) with these trojans - although I did notice two that look like IRC servers. But were all these trojans created by that guy's company or something?
The firewall I'm using is on my OpenBSD web-proxy machine.
seremtan wrote: what firewall is this?
pookie wrote: The site is gone now, but was a very legit computer security site in 1999. The URL is just a reference for your information. It is in the attack signature database; when triggered it prints the URL as an FYI. Here is an example ruleset for a Network Intrusion Detection System (NIDS):
Are all these viruses known to originate from that site or something? How does it determine the URL to reference?
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:6;)
Basically what this says is: if the NIDS sees an external host attempt to connect to port 22 on any host on my network and sees "/bin/sh" in the re-assembled stream, it should flag the traffic and reference Bugtraq ID 2347 (among others). That is this exploit:
http://www.securityfocus.com/bid/2347
which I found by typing 2347 in the SecurityFocus search bar.
Whitehats is just an old informational site, which makes me think your firewall has an old, highly forked version of GNU GPL'ed software running on it. The Whitehats database was called arachNIDS and was referenced by Snort and the Dragon sensors. The latest reference to it I could find was one from 2000, asking if anyone had a copy of it.
http://archives.neohapsis.com/archives/ ... /0256.html
No one uses it anymore; they reference Bugtraq, Common Vulnerabilities and Exposures (CVE), or CERT, often all three.
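As an added illustration of how a sensor gets from a rule's reference: options to the URL it prints in an alert (the whitehats IDS82 link in the first log line and the Bugtraq link above are both produced this way), here is a small Python parser for the one-line Snort rule quoted in this thread. It is not code from the thread or from Snort; the URL prefixes are assumed from Snort's classic reference.config, and the sample rule is constructed from the post above.

```python
import re

# Snort's reference.config maps a reference system to a URL prefix; these are the
# classic Snort 2.x entries (assumed here, not read from the thread's firewall).
# "arachnids" is the defunct Whitehats database whose URL the firewall log printed.
REFERENCE_PREFIXES = {
    "bugtraq": "http://www.securityfocus.com/bid/",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "arachnids": "http://www.whitehats.com/info/IDS",
}
# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# Option bodies are ';'-separated, but a ';' inside a quoted content match must not split.
OPTION_RE = re.compile(r'(?:"[^"]*"|[^;"])+')
# The rule from the thread with its line-wrap damage repaired (constructed sample input).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
    '(msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flow:to_server,established; '
    'content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; '
    'reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:6;)')

def resolve_reference(value):
    """'bugtraq,2347' -> (system, id, url); an unknown system yields url=None."""
    system, _, ident = value.partition(",")
    system, ident = system.strip().lower(), ident.strip()
    prefix = REFERENCE_PREFIXES.get(system)
    return (system, ident, prefix + ident if prefix else None)

def parse_rule(rule):
    """Parse a one-line Snort rule into header fields, (key, value) options and
    the URLs the sensor would print for each reference: option."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: " + rule[:40])
    parsed = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    opts = []
    for raw in OPTION_RE.findall(m.group("opts")):
        key, _, val = raw.strip().partition(":")
        if key:
            opts.append((key.strip(), val.strip().strip('"')))
    parsed["options"] = opts
    parsed["references"] = [resolve_reference(v) for k, v in opts if k == "reference"]
    return parsed

if __name__ == "__main__":
    for system, ident, url in parse_rule(SAMPLE_RULE)["references"]:
        print(system, ident, url)
```

A reference system missing from the prefix table comes back with url=None, which is exactly the situation when a sensor still carries arachNIDS entries that no current reference.config knows about.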
These bots are common and in fact, if you look at the work the Honeynet Project has performed:
http://www.honeynet.org/
you will see that most unpatched hosts last 5-10 minutes on the internet. BTW, you will never see a URL in an attack report, only the IP, because performing DNS lookups during a DDoS would close down your connection as well.
EDIT: I forgot to mention the most common means of controlling botnets is via IRC. So don't be surprised that someone's IRC server was compromised.