Security Incidents mailing list archives

Network attack from S1 Corporation


From: "Kelvin" <kelvin () sec33 com>
Date: Wed, 25 Jul 2001 13:35:23 -0500

This is highly interesting: S1 runs security attacks and tests on sec33.com.
That's just not right!

This was a little odd: sec33.com over the past several weeks has been
spidered by the S1 Corporation, obviously because of the articles that were
published on Internet Banking vendors and the S1 Corporation hack. It's
obvious that the actions detailed in this posting were probably not
sanctioned by management, and were more like the workings of some upset IS
individuals. (The link to the log file in this posting has the network block
listed.)

Well in an interesting turn of events, we here at sec33.com thought it
necessary to take action against the offending IP and instead of dropping
their packets, we decided to:

<snip>
// $bad is the array of offending address prefixes (defined in the snipped
// part above); $REMOTE_ADDR is the visitor's address (register_globals era).
for ($i = 0; $i < count($bad); $i++) {
    if (strstr($REMOTE_ADDR, $bad[$i])) {
        // Visitor matched a bad prefix: bounce them to whitehouse.com instead
        // of dropping their packets.
        echo("<script language='javascript'>window.location='http://www.whitehouse.com';</script>");
    }
}
<snip>

Now as you can see, this is much more effective! If you were to visit
http://www.whitehouse.com you would understand our logic. We do have to
admit, this was a pretty funny thing to do. Had us laughing for hours!
Besides, we just felt better. Not too many minutes after several IPs from
the offending network block visited www.whitehouse.com we received several
network attacks from the same class C. Some of these included small DoS-type
attacks as well as full-blown CGI scans. (The attacker (S1) was not all too
smart, as they used IIS exploits on our Unix systems. Probably the same
security staff that is protecting their customers. Doh! ;-] )

Selective bits of the log files from the webserver can be viewed online at
http://www.sec33.com/scan_s1.txt ; I haven't taken the time to parse out the
IDS. Sorry.

If you pay attention to the server code on most of the requests you will
see - 304!

It was my thought that this was pushing the envelope as far as the law might
be concerned. Should a corporation be allowed to attack private individuals
for any reason? Shouldn't they be affected by the recourse of their actions?
If it were in reverse, I would imagine that several men in suits and black
sunglasses would make a little visit to Kelvin.

Standard notifications were sent including notification to CERT, their
upstream provider (Time Warner), S1 in Atlanta and their corporate
attorneys.

This was discussed with SecurityFocus earlier this afternoon and we are
awaiting further information from Information Security at S1. The email that
was sent to S1 can be found online as well,
http://www.sec33.com/email_s1.html

... We'll see what happens. - The end ... for now.
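As an added illustration, not from the original post and not sec33.com's own code, the script below does the two checks a reader of the linked log would want to make: whether a request's source address is really inside the offending netblock (which is what the strstr() test in the PHP above is meant to express, but as a plain substring match it also fires on addresses outside the block), and which requests are IIS-specific probes that cannot apply to a Unix web server. The log lines are constructed for the example, and the documentation range 192.0.2.0/24 stands in for the real netblock, which is only in the linked log file.

```python
import ipaddress
import re
from collections import Counter

# Constructed Apache common-log lines for illustration; not the sec33.com log.
# 192.0.2.0/24 (a documentation range) stands in for the offending class C.
SAMPLE_LOG = """\
192.0.2.17 - - [25/Jul/2001:11:02:13 -0500] "GET /index.html HTTP/1.0" 304 -
192.0.2.17 - - [25/Jul/2001:11:02:14 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
192.0.2.23 - - [25/Jul/2001:11:02:15 -0500] "GET /msadc/msadcs.dll HTTP/1.0" 404 290
192.0.2.23 - - [25/Jul/2001:11:02:16 -0500] "GET /cgi-bin/phf HTTP/1.0" 404 281
192.0.20.9 - - [25/Jul/2001:11:05:41 -0500] "GET /index.html HTTP/1.0" 200 1840
203.0.113.8 - - [25/Jul/2001:11:07:02 -0500] "GET /articles/ HTTP/1.0" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request paths that only make sense against IIS / Windows; on a Unix web
# server they are pure scanner noise.
IIS_PROBE_RE = re.compile(
    r'(cmd\.exe|/scripts/|/msadc/|/_vti_bin/|\.ida\b|\.printer\b|/iisadmpwd/)',
    re.I,
)


def parse_line(line):
    """Parse one common-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def substring_match(ip, prefix):
    """What strstr($REMOTE_ADDR, $bad[$i]) does: a plain substring test on the address."""
    return prefix in ip


def in_block(ip, network):
    """Proper CIDR membership test, which is what the substring check is trying to say."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)
    except ValueError:
        return False


def analyze(log_text, network):
    """Return the requests sourced from `network`, each flagged if it is an IIS-only
    probe, together with a Counter of their HTTP status codes."""
    hits, statuses = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not in_block(rec["ip"], network):
            continue
        rec["iis_probe"] = bool(IIS_PROBE_RE.search(rec["path"]))
        statuses[rec["status"]] += 1
        hits.append(rec)
    return hits, statuses


if __name__ == "__main__":
    hits, statuses = analyze(SAMPLE_LOG, "192.0.2.0/24")
    for h in hits:
        tag = "IIS-only" if h["iis_probe"] else "other"
        print(f'{h["ip"]:<12} {h["status"]} {tag:<8} {h["path"]}')
    print("status counts:", dict(statuses))
    # The substring check is broader than the netblock it is meant to encode:
    # "192.0.2" is a substring of 192.0.20.9, which is outside 192.0.2.0/24.
    print("strstr match:", substring_match("192.0.20.9", "192.0.2"),
          "CIDR match:", in_block("192.0.20.9", "192.0.2.0/24"))
```

Run as-is it prints the four requests from the constructed netblock, marks the cmd.exe and msadcs.dll requests as IIS-only probes, shows the single 304 among the 404s, and demonstrates that a prefix string without a trailing dot matches 192.0.20.9 under strstr() but not under a CIDR test; the fix in the PHP is to compare against a network, or at least to anchor the prefix with a trailing dot.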



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

