11,000 IP addresses found on accused hacker's PC

Police found a file containing more than 11,000 vulnerable servers on the PC owned by a teenager accused of attacking a US port with a massive DDoS attack, a court heard today

More than 11,000 IP addresses of vulnerable servers were found on the computer of a UK teenager that has been accused of launching a DDoS attack responsible for knocking out IT systems at the Port of Houston in Texas, Southwark Crown Court was told on Wednesday.

Aaron Caffrey, whose father is a software engineer and mother is a lecturer in IT, allegedly used a well-known 'Unicode' exploit to take advantage of vulnerabilities in Microsoft's IIS Web server software. His defence counsel has argued that unpatched security holes in Windows enabled someone to use Caffrey's computer to launch the attack.

Southwark Crown Court heard on Wednesday that on Caffrey's computer, which was forensically examined by the Computer Crime Squad three months after the attack took place, there was a file called webservers.txt that listed the IP addresses of 11,608 servers vulnerable to the Unicode exploit.

Cedric d'Ablis, a security architect at Cable and Wireless, gave evidence to the court on Wednesday. He examined Caffrey's computer in October 2002 -- 13 months after the attack took place. D'Ablis told the court that there was no legitimate reason why someone would have a list of IP addresses on their system.

D'Ablis also said that there was no evidence of a third party having accessed Caffrey's computer remotely in order to initiate the DDos attack. "I would expect to find a tool that would allow someone to do this. There are a number of tools but commonly, it would be a Trojan or a Trojan horse. I did not find one," he said.

However, d'Ablis admitted that during his examination of Caffrey's computer, he only looked for open ports and active Trojans. During cross examination, he said that according to the server logs, Caffrey's machine had been "probed regularly" and admitted that it was possible the system could have been compromised, with  the attack originating from a remote computer and made to look like it started from Caffrey's system. "Whenever something is installed on a computer, there are always traces of it somewhere on the system. But I did not look for these traces," he said.

The trial was almost adjourned for the day when a juror could not continue listening to evidence after suffering from a serious migraine. The judge, with agreement from the prosecution and defence counsels, agreed to continue with 11 jurors.

The case continues.