This is highly interesting, S1 runs security attacks and tests on sec33.com; That's just not right!

This was a little odd, sec33.com over the past several weeks has been spidered by the S1 Corporation. Obviously because of the articles that were published on Internet Banking vendors and the S1 Corporation hack. It's obvious that the actions detailed in this posting were probably not sanctioned by management, and were more like the workings of some upset IS individuals. (the link to the log file in this posting has the network block listed)

Well in an interesting turn of events, we here at sec33.com thought it necessary to take action against the offending IP and instead of dropping their packets, we decided to:

<snip>
// $bad[] holds the offending network prefixes; $REMOTE_ADDR is the client address (register_globals)
if (strstr($REMOTE_ADDR, $bad[$i])) {
    echo(" <script language='javascript'>window.location='http://www.whitehouse.com'; </script> ");
}
<snip>

Now as you can see, this is much more effective! If you were to visit http://www.whitehouse.com you would understand our logic. We do have to admit, this was a pretty funny thing to do. Had us laughing for hours! Besides, we just felt better.

Not too many minutes after several IPs from the offending network block visited www.whitehouse.com we received several network attacks from the same class-c. Some of these included small DoS type attacks as well as full blown CGI scans. (The attacker (S1) was not all too smart, as they used IIS exploits on our Unix systems - Probably the same security staff that is protecting their customers. doh! ;-] )

Selective bits of the log files from the webserver can be viewed online @ http://www.sec33.com/scan_s1.txt ; I haven't taken time to parse out the IDS. Sorry. If you pay attention to the server code on most of the requests you will see - 304!

It was my thought that this was pushing the envelope as far as the law might be concerned. Should a corporation be allowed to attack private individuals for any reason? Shouldn't they be affected by the recourse of their actions?
If it were in reverse, I would imagine that several men in suits and black sunglasses would make a little visit to Kelvin.

Standard notifications were sent including notification to CERT, their upstream provider (Time Warner), S1 in Atlanta and their corporate attorneys. This was discussed with SecurityFocus earlier this afternoon and we are awaiting further information from Information Security at S1. The email that was sent to S1 can be found online as well, http://www.sec33.com/email_s1.html ... We'll see what happens.

- The end ... for now.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
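The snippet in the post matches the client address with strstr(), which is a substring test: a prefix such as '10.1.2' also matches '210.1.2.3' or '10.1.20.0', and a JavaScript redirect does nothing against a scanner that never runs JavaScript. The following is an added example, not code from the sec33.com post, showing how a web server can block an offending netblock with numeric CIDR matching and an HTTP-level response instead. The CIDR list is constructed (the real netblock is only in the linked log file), and the code assumes a 64-bit PHP build so that 32-bit masks fit in an int.

```php
<?php
// Added example (not from the sec33.com post): block requests from a list of
// offending IPv4 network ranges using CIDR matching rather than a substring
// match on the address string.

// Constructed sample block list; placeholders for the netblock in the post.
$bad_networks = ['192.0.2.0/24', '198.51.100.0/25'];

/**
 * Return true if dotted-quad IPv4 address $ip lies inside CIDR block $cidr.
 * Assumes 64-bit PHP integers so the 32-bit mask arithmetic has no sign issues.
 */
function ip_in_cidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        return false;
    }
    [$net, $bits] = explode('/', $cidr, 2);
    $bits    = (int) $bits;
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    // $bits leading ones, limited to 32 bits; /0 means "match everything".
    $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

/**
 * Return true if $ip falls inside any block in $networks.
 */
function is_blocked(string $ip, array $networks): bool
{
    foreach ($networks as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

$remote = $_SERVER['REMOTE_ADDR'] ?? '';
if (is_blocked($remote, $bad_networks)) {
    // A scanner ignores client-side redirects, so refuse at the HTTP layer
    // and keep a log line for the incident record.
    header('HTTP/1.1 403 Forbidden');
    error_log('blocked request from ' . $remote . ' to ' . ($_SERVER['REQUEST_URI'] ?? '/'));
    exit;
}
```

With this list, ip_in_cidr('192.0.2.77', '192.0.2.0/24') is true while ip_in_cidr('192.0.20.1', '192.0.2.0/24') is false, which is exactly the distinction a substring match on '192.0.2' cannot make.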
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 12:09:27 PDT