what firewall is this?

FBI Computer Expert Accused of Hacking

Henry K. Lee, Chronicle Staff Writer

Friday, March 24, 2000

Max Ray Butler seemed to be at the top of his game. For two years, the computer expert was a confidential source for an elite FBI computer crime squad, helping to ferret out scofflaws on the Internet.

Butler, also known as Max Vision, was also a self-described ``ethical hacker'' from the Silicon Valley who boasted that he could test the security of any computer system by penetrating it.

But Butler's cyber activity went too far, federal authorities say.

****SNIP****

In 1997, Butler started a company known as Max Vision in Mountain View, specializing in ``penetration testing'' and ``ethical hacking'' procedures in which he would simulate for clients how a hacker would penetrate their computer systems, according to the company Web site.

``Our client penetration rate is currently 100 percent,'' the site said, with recent clients including a large consortium of telecommunications companies, a major motion picture company and an e-commerce online auction service.

By 1998, Butler was living with Winters in a one-story San Jose apartment, where the couple started up their own Web-design company, Kimi Networks, records show. Reached by telephone yesterday, Winters hung up on a Chronicle reporter.

It was also from that apartment, according to the FBI, that Butler hacked into computers by using a computer software vulnerability known as a buffer overflow, which sends commands into a system that ordinarily would not be allowed.

Butler also allegedly invaded computers used by the Lawrence Berkeley National Laboratory. Vern Paxson, a computer scientist at the lab, noticed an online intruder conducting unauthorized scans of laboratory and UC Berkeley computers in May 1998 and used a monitoring device that later helped identify the source of the intrusions.

He isn't trying to break in. Your security device is pointing to an old web site. He used to write IDS signatures and maintain a online security database before he get sent up. The device is pointing to his old informational web pages, which haven't been active in years.

The ip listed, 82.54.68.248, is the blocked ip. Its an italian dial-up address. Probably, just some kids playing around.

Oh Rook, that was me....my bad.

they're onto you rook

so what firewall is this so i can use it

You should use this in conjunction with the router.

I have a router, but all this stuff is getting blocked by my firewall, so it's getting past the router.

Routers aren't nearly as good at stopping intrusions as a firewall - unless you have a nice expensive one by Cisco or the like. They mainly just sort-of hide your PC, but most don't do any active blocking or packet filtering.

Are all these viruses known to originate from that site or something? How does it determine the URL to reference?

edit: And all the IPs are from different locations, and on different providers. Just a few at random:


It's not like I was getting DDOS'd because there isn't a heavy enough volume of hits for that.

It looks like a bunch of script kiddies trying to hit my IP (among many others I'm sure) with these trojans - although I did notice two that look like IRC servers. But were all these trojans created by that guy's company or something?

what firewall is this?

The site is gone now, but was a very legit computer security site in 1999. The url is just a reference for your information. It is in the attack signature database, when triggered it prints the url as an fyi. Here is an example ruleset for an Network Intrusion Detection System (NIDS);


alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flow:to_server,
established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-05
72; classtype:shellcode-detect; sid:1324; rev:6;)

Basically what this says, is if the NIDS sees an external host attempt to connect to port 22 to any host on my network and sees a "/bin/sh" in the re-assembled stream, it should flag the traffic and
reference bugtraq id 2347 (among others). That is this exploit;

http://www.securityfocus.com/bid/2347

which I found by typing 2347 in the securityfocus search bar.

Whitehats is just an old informational site, which makes me think your firewall has an old, highly forked version of gnu gpl'ed software running on it. The Whitehats database was called arachnids and was referenced by snort and the dragon sensors. The latest reference to it I could find was one from 2000, asking if anyone had a copy of it.

http://archives.neohapsis.com/archives/ ... /0256.html

No one uses it anymore, they reference to bugtraq, Common Vulnerabilities and Exposures (CVE), or CERT, often all three.



Some of these are false positives, some of them kids, but most are scanning bots. They scan machines in huge ip blocks pseudo-randomly usually looking for one open port. If the port reports back open, the bot launches an attack. Old attacks work because there will always be some machines running old unpatched software. Though these would be very long in the tooth.

These bots are common and in fact, if you look at the work the honeynet project has performed;

http://www.honeynet.org/

you will see that that most unpatched hosts last 5- 10 minutes on the internet. BTW, you will never see a url in an attack report only the ip, because performing dns lookups during a DDoS would close down your connection as well.

EDIT, I forgot to mention the most common means of controlling botnets is via irc. So don't be surprised that someone's irc server was compromised.

|33t H4XX0rZ

your new avatar:

If I have a router, does that have a built in firewall? Or should I use this in conjunction?

tech expert alert

Protowall is a good one to. Its basically the same thing as the azureus plug in but runs independent. Pain in the ass to install and get going but theres lots of faqs to help.

http://www.bluetack.co.uk/index.php

notice the question marks

On the other hand, how many |33t H4XX0rZ are interested in what you have on your computer?