The number of attacks slowed dramatically with the removal of the malicious code from this Web page, but around 2PM things picked back up. I immediately investigated and found that the entry in the Web page had returned.
Because the site involved in this attack was an Internet Service Provider, we believed that they might be able to handle the incident without further action. However, when the attack returned, we decided to contact their provider to see if they could make a more convincing case. They apparently succeeded, and around 4PM the second round of this part of the incident ended - apparently for good.
During the afternoon, we got at least one sympathy striker who decided that he wanted to join the protest against responding to attempted entries. In his case, a button was added to his Web page to telnet into our site and the button was attached to the misleading statement:
Press here for a letter from a self-proclaimed computer security expert.
Since he informed me of his intent to participate, I indicated that I would add him to the recipient list of people getting copies of all postings related to attempted telnets and add his site name to the automated response message, and he agreed. He soon started getting an average of six emails per minute, and after an hour or two he emailed back requesting to be removed from the list. I indicated that I would either prevent all access from his network to ours or continue to keep him informed until he removed the misleading button. He protested! He felt that he should be able to mislead people into participating in an attack and still be able to access our Web site. In the end, the volume of email convinced him to cease all communication with all.net, and his protest is probably still out there somewhere generating one attempt every few days.
During the afternoon I also called the FBI back (they hadn't called me back yet). They promised to call again before the end of the day, and went into a meeting.