The company's founder and chief technology officer, Christopher Klaus, told ZDNet Australia by phone from Atlanta that the hacking of the xfiw.iss.net server was a part of their honeypot research.
"Just to clarify, the X-force Internet watch server that was available... was not a production server," he said.
ZDNet Australia yesterday reported the hack, prompting the company to post a statement on the X-force Internet watch server.
"As a normal course of their research, the ISS X-Force places servers on the Internet to monitor hacker activity, [the] propagation of Internet worms and to serve as targets for attack. These servers are known as honeypots," it said.
Whilst the server's "official and publicly promoted purpose was to make available to University students a free version of BlackICE... [it] was specifically selected to be a honeypot because of the association with university students and the well-known fact that students actively hack systems," the statement claims.
Klaus says a legitimate iss.net domain name was used in order to attract a higher breed of attacker.
"We wanted to see from the perspective of 'we are a target'," he said.
Despite wanting to attract a more skilled type of hacker, the company claims the server was "configured to include numerous vulnerabilities, including several well-known, older vulnerabilities".
"From an X-force perspective we're looking at ways to collect new worms, vulnerabilities etcetera," Klaus said. "In this case we did get a back door script".

So was it a software distribution host or a honeypot? I doubt that any University would be very happy about students downloading (potentially modified) BlackICE distributions from a compromised server.
An irresponsible method of software distribution (particularly software that is associated with security), and not a good way to woo potential future customers when they graduate...
My 2c only....