Network attack from S1 Corporation

From: Kelvin (kelvinat_private)
Date: Wed Jul 25 2001 - 11:35:23 PDT


    This is highly interesting, S1 runs security attacks and tests on sec33.com;
    That's just not right!
    
    This was a little odd, sec33.com over the past several weeks has been
    spidered by the S1 Corporation. Obviously because of the articles that were
    published on Internet Banking vendors and the S1 Corporation hack. It's
    obvious that the actions detailed in this posting were probably not
    sanctioned by management, and were more like the workings of some upset IS
    individuals. (the link to the log file in this posting has the network block
    listed)
    
    Well in an interesting turn of events, we here at sec33.com thought it
    necessary to take action against the offending IP and instead of dropping
    their packets, we decided to:
    
    <snip>
    <?php
    // $bad holds the address prefixes of the offending network block;
    // $REMOTE_ADDR is the client address (PHP register_globals, 2001-style).
    for ($i = 0; $i < count($bad); $i++) {
        // strstr() is a plain substring match, so a prefix like "10.1.2" also hits 10.1.20.x
        if (strstr($REMOTE_ADDR, $bad[$i])) {
            echo("<script language='javascript'>" .
                 "window.location='http://www.whitehouse.com';" .
                 "</script>");
        }
    }
    ?>
    <snip>
    
    Now as you can see, this is much more effective! If you were to visit
    http://www.whitehouse.com you would understand our logic. We do have to
    admit, this was a pretty funny thing to do. Had us laughing for hours!
    Besides, we just felt better. Not too many minutes after several IPs from
    the offending network block visited www.whitehouse.com we received several
    network attacks from the same class-c. Some of these included small DoS type
    attacks as well as full blown CGI scans. (The attacker(S1) was not all too
    smart, as they used IIS exploits on our Unix systems - Probably the same
    security staff that is protecting their customers. doh! ;-] )
    
    Selective bits of the log files from the webserver can be viewed online @
    http://www.sec33.com/scan_s1.txt ; I haven't taken time to parse out the IDS.
    Sorry.
    
    If you pay attention to the server code on most of the requests you will
    see - 304!
    
    It was my thought that this was pushing the envelope as far as the law might
    be concerned. Should a corporation be allowed to attack private individuals
    for any reason? Shouldn't they be affected by the recourse of their actions?
    If it were in reverse, I would imagine that several men in suits and black
    sunglasses would make a little visit to Kelvin.
    
    Standard notifications were sent including notification to CERT, their
    upstream provider (Time Warner), S1 in Atlanta and their corporate
    attorneys.
    
    This was discussed with SecurityFocus earlier this afternoon and we are
    awaiting further information from Information Security at S1. The email that
    was sent to S1 can be found online as well,
    http://www.sec33.com/email_s1.html
    
    ... We'll see what happens. - The end ... for now.
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
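    Added example (not part of Kelvin's post, and not the sec33.com code): the
    post makes two technical points, that a PHP strstr() substring test was used
    to pick out visitors from the offending network block, and that the web logs
    show mostly 304s from the spider followed by IIS-style and CGI-scanner probes
    against a Unix box. The Python below does both halves of that properly:
    netblock membership by CIDR instead of substring (strstr would also match
    addresses that merely start with the same digits), and a small triage pass
    over Apache-format log lines that counts status codes and flags probe paths.
    The log lines, the 192.0.2.0/24 block, and the probe path list are all
    constructed for this example; they are not the entries from scan_s1.txt.

```python
"""Netblock matching and web-log triage (added example, constructed data)."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache combined log format. Addresses are from
# the documentation ranges (192.0.2.0/24, 198.51.100.0/24); the requests are
# the kind of IIS- and CGI-scanner probes seen in 2001, not real sec33.com data.
SAMPLE_LOG = """\
192.0.2.17 - - [25/Jul/2001:10:02:11 -0700] "GET /index.html HTTP/1.0" 304 - "-" "Mozilla/4.0"
192.0.2.17 - - [25/Jul/2001:10:02:12 -0700] "GET /articles/ HTTP/1.0" 304 - "-" "Mozilla/4.0"
192.0.2.44 - - [25/Jul/2001:10:15:03 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
192.0.2.44 - - [25/Jul/2001:10:15:04 -0700] "GET /msadc/root.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
192.0.2.44 - - [25/Jul/2001:10:15:05 -0700] "GET /cgi-bin/phf HTTP/1.0" 404 280 "-" "-"
198.51.100.9 - - [25/Jul/2001:10:20:40 -0700] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path fragments typical of IIS-targeted scanners (pointless against a Unix
# web server) and of generic CGI scanners. Assumed lists for this example.
IIS_PROBES = ("cmd.exe", "root.exe", "/msadc/", "/_vti_bin/", "winnt/system32")
CGI_PROBES = ("/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/handler")


def substring_match(remote_addr: str, prefix: str) -> bool:
    """The strstr()-style test from the post: any substring hit counts."""
    return prefix in remote_addr


def in_block(remote_addr: str, block: str) -> bool:
    """Real netblock membership: 192.0.20.5 is NOT inside 192.0.2.0/24."""
    try:
        return ipaddress.ip_address(remote_addr) in ipaddress.ip_network(block, strict=False)
    except ValueError:  # garbage address or block -> treat as no match
        return False


def should_redirect(remote_addr: str, bad_blocks) -> bool:
    """Same decision the PHP snippet makes, keyed on CIDR blocks, not substrings."""
    return any(in_block(remote_addr, b) for b in bad_blocks)


def parse_line(line: str):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text: str, block: str) -> dict:
    """Summarise requests from one netblock: status codes and scanner probe paths.

    A run of 304 Not Modified responses is what a spider re-fetching pages it
    already has (conditional GETs) leaves behind; 404s on IIS paths from a
    Unix server are a scanner that never fingerprinted the target.
    """
    status = Counter()
    iis, cgi = [], []
    hits = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not in_block(rec["ip"], block):
            continue
        hits += 1
        status[rec["status"]] += 1
        path = rec["path"].lower()
        if any(p in path for p in IIS_PROBES):
            iis.append(rec["path"])
        elif any(p in path for p in CGI_PROBES):
            cgi.append(rec["path"])
    return {"requests": hits, "status": dict(status), "iis_probes": iis, "cgi_probes": cgi}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "192.0.2.0/24"))
```

    Feed triage() the real access_log text and the class-C from the scan_s1.txt
    listing instead of SAMPLE_LOG, and extend the two probe tuples with whatever
    your own scanner shows up with; the substring vs. CIDR pair is there to show
    why a bare strstr() on the address will eventually redirect the wrong visitor.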
    



    This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 12:09:27 PDT