Re: Network attack from S1 Corporation

From: Kelvin (kelvinat_private)
Date: Thu Jul 26 2001 - 12:20:09 PDT


    Interesting point,
    
    The scans and the web-spidering have been going on for weeks now, and
    strangely enough a web data-collection company out of VA was also spidering
    sec33.com. An email was sent to the IT department at S1 inquiring about the
    spidering but was never responded to. I waited another 4 days or so, then
    did the re-direct for their netblock. Minutes after the redirect started,
    they got very aggressive and began tool scans of the site.
    
    At this point, I thought if the situation were reversed this would be
    very straightforward.
    
    I have been doing some more digging through the logfiles trying to
    identify/discover anything else that has been done, and / or determine other
    systems that might be connected to the original offending netblock. But am
    not having too much luck. They use random machines that belong to employees
    to scan and DoS the site.
    
    Today's logs show a series of refreshes in excess of 5000 or so on the
    index.html page but they are from an IP that is not anywhere near any of the
    previous.
    
    I wonder if they think that they are untouchable, and in many cases they may
    be. I am going to leave it lay for a while. Unless anyone has any better
    ideas on how to handle it. Maybe they will get bored. ;-\
    
    I am at a loss now.
    
    ----- Original Message -----
    From: "Sonny Samson" <sonofsamsonat_private>
    To: <kelvinat_private>
    Cc: <incidentsat_private>
    Sent: Thursday, July 26, 2001 1:43 PM
    Subject: Re: Network attack from S1 Corporation
    
    
    > Dear Kelvin,
    >
    > I was reviewing your email and log files about S1. The question that came
    > to my mind was how do you know that S1's boxens were not owned by an
    > outsider, making them the double victim of both an exploiter's efforts as
    > well as the victim of yours?
    >
    > If they can show that they were hacked and the script running off their
    > boxes was placed by another, are you likely to do jail time? You certainly
    > have posted enough evidence to show your intent, don't you think?
    >
    > Just a thought...
    >
    > Son of Samson
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 12:27:51 PDT