

PCI Compliance Scanning at its worst..




Posted by PhoneSupport, 07-04-2011, 04:30 PM
Hey, I've faced an interesting scenario, and I wonder if anyone else has faced this. For the past month or two we've been facing daily scans against our servers from various IPs of a scanning company; they use numerous XSS/injection attempts against our systems (all flagged and blocked), and check the server software also. This is perfectly fine and normal for a daily security scan, but the issue is we didn't order it! It would seem someone else has ordered the service and targeted it at our servers.

Whilst we already use similar technology, what concerns me is whether this is a growing trend and whether more policing should go with these "scan" type companies. Firstly, based on the fact we haven't consented to these scans, the fact they are attempting to hack into our server would be deemed computer hacking and abuse under the law. Who would be liable: the scanning company for not doing the proper checks and actually committing these acts through their machines, or the user who has actually entered our URLs, or maybe both? That is an interesting question.

I spoke to one of their colleagues regarding the issue. The guy I spoke to seemed very puzzled (and a little bit ignorant), tried searching our domain and couldn't find an account, and towards the end of the call tried turning it into a sales call, trying to encourage me to move our servers, DNS, and SSL/scanning to their company to stop the issue occurring in the future (EEK!). However, after explaining I don't pay for their services and these are our servers they are attacking, they advised the only way they can resolve this is if I obtain a court order.

So, has anyone else faced this issue in the past? Is this a growing trend that needs to be resolved now rather than later? The results of such a scan could be highly valuable to the wrong user..

Kind Regards,

Last edited by PhoneSupport; 07-04-2011 at 04:41 PM.

Posted by wartungsfenster, 07-04-2011, 06:26 PM
From my simple understanding, most of these companies get an indemnification letter from their customer. But since they said they "would only stop for a court order", this seems to be an extremely unprofessional security company. Still, if you use legal means (which sounds sensible in general), you should expect them to not handle that professionally either. I always had the plan of running a few honeypots and autoblocking people who try to hack there, and maybe this would cause some relief for you. I think I'd go with a court order for real. I dealt with professional pen testers a few times and they weren't like that at all.

Posted by TonyB, 07-04-2011, 06:28 PM
We've had various PCI scanning systems scan various servers of ours without us asking for it. All we've done is blocked their IPs and moved on; it's not worth the trouble of a court order. I'd do the same and just block their scanning IP addresses.

Posted by Steven, 07-06-2011, 01:18 AM
If they are scanning your shared servers, blame your customers, not the companies. Your customers are requesting the scans. If they are not shared servers, just block the IPs and move on.

Posted by TonyB, 07-06-2011, 01:25 AM
I won't mention the company, but they were just hitting every single IP in succession in our ranges: 1.2.3.4, then 1.2.3.5, then 1.2.3.6, and so on. It was obviously not a customer-requested scan. It seems like a standard practice for some of them to just hit seemingly random IPs and work through entire ranges.

Posted by Steven, 07-06-2011, 01:37 AM
I have seen similar behavior, but only AFTER a requested scan was done.

Posted by PhoneSupport, 07-06-2011, 05:41 AM
Yes, additionally we do not hold any shared servers, and the only server affected is the one assigned to our administration panels, rather than our phone systems or our main site servers.
