Network attack from S1 Corporation

From: Kelvin (kelvin@sec33.com)
Date: 07/25/01


Message-ID: <007301c11538$a30bb590$760b12ac@chilf758aus>
From: "Kelvin" <kelvin@sec33.com>
To: <intrusion@sec33.com>, <incidents@securityfocus.com>
Subject: Network attack from S1 Corporation
Date: Wed, 25 Jul 2001 13:35:23 -0500

This is highly interesting: S1 runs security attacks and tests on sec33.com.
That's just not right!

This was a little odd, sec33.com over the past several weeks has been being
spidered by the S1 Corporation. Obviously because of the articles that were
published on Internet Banking vendors and the S1 Corporation hack. It's
obvious that the actions detailed in this posting were probably not
sanctioned by management, and were more like the workings of some upset IS
individuals. (the link to the log file in this posting has the network block
listed)

Well, in an interesting turn of events, we here at sec33.com thought it
necessary to take action against the offending IP and instead of dropping
their packets, we decided to:

<snip>
if (strstr($REMOTE_ADDR, $bad[$i])) {
    echo("<script language='javascript'>window.location='http://www.whitehouse.com';</script>");
}
<snip>

Now as you can see, this is much more effective! If you were to visit
http://www.whitehouse.com you would understand our logic. We do have to
admit, this was a pretty funny thing to do. Had us laughing for hours!
Besides, we just felt better. Not too many minutes after several IPs from
the offending network block visited www.whitehouse.com we received several
network attacks from the same class-c. Some of these included small DoS-type
attacks as well as full-blown CGI scans. (The attacker (S1) was not all too
smart, as they used IIS exploits on our Unix systems - Probably the same
security staff that is protecting their customers. doh! ;-] )

Selective bits of the log files from the webserver can be viewed online @
http://www.sec33.com/scan_s1.txt ; I haven't taken time to parse out the IDS.
Sorry.

If you pay attention to the server code on most of the requests you will
see - 304!

It was my thought that this was pushing the envelope as far as the law might
be concerned. Should a corporation be allowed to attack private individuals
for any reason? Shouldn't they be affected by the recourse of their actions?
If it were in reverse, I would imagine that several men in suits and black
sunglasses would make a little visit to Kelvin.

Standard notifications were sent including notification to CERT, their
upstream provider (Time Warner), S1 in Atlanta and their corporate
attorneys.

This was discussed with SecurityFocus earlier this afternoon and we are
awaiting further information from Information Security at S1. The email that
was sent to S1 can be found online as well,
http://www.sec33.com/email_s1.html

... We'll see what happens. - The end ... for now.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


