  1. #1

    Be aware. Security Metrics

    I want to know if someone has more info on this company, securitymetrics.com.

    Today a hosted client received a lot of traffic. Someone was scanning down to the last file of this WordPress install. Guess what: the IP was from Security Metrics, "204.238.82.20".

    Even his logs show it.

    I would not wonder about it, since they seem to be a PCI certification service and they would probably just scan their website for security. But I know McAfee and most scanners only scan the owner's website after verification, and do it at a moderate crawl speed.

    This scan was not normal. It was like a small DoS attack. The load spiked and it scanned hundreds of URLs at the same time on my hosted client.

    What really puzzles me is why the same IP is trying to hack the cPanel. OK, maybe it's part of their certification, not a problem. The problem starts when they do the same on the server hosting our main website, which is not the same as the client's. Since when does a certification also scan the host's website and the client's servers?

    The client, on the phone, said he has never even heard their name.

    So this IP is attacking a client's website, and trying to hack several servers. Nice. I wonder what a real scam this company must be that someone can pay them to scan websites which don't belong to them.
    The IPs are blocked, and unless there is a real explanation for this, why they scanned the client's website and then tried to log into our own personal servers as well, we are going to report this company. If someone hired them to hack the client's website, which I think is the case, they are really unprofessional, as they should only allow you to scan servers you own. It's clear that we suspect who it was, as the client already told us about this. They seem to have paid Security Metrics to find holes not only on the client's website but on ours as well.

    Be aware. We are going to contact them first and then go to their upstream providers if the explanation is not enough.

  2. #2
    Well, by any means DoS / hacking is extremely illegal, so yes, I would contact them and/or their provider about this situation. Best of luck!

  3. #3
    Confirmed again with the client. He doesn't even know what a PCI scan is.

    What puzzles me is that not only did they do a full scan (to the last file, CSS, image) of his website, and the load increased 4 points, but they tried to hack into the cPanel not only of his website but of a server which uses our DNS as well.

    We have sent this company an email and we want to know who hired them to find holes.
    Why would someone bother to scan websites which aren't his, and try to inject PHP code and scripts into databases? Make your own conclusion.

    What I did not know is that hackers hire companies to do it. I suspect the hacker has money and is lazy, so he hires a certification service to first find the holes he can exploit.

  4. #4
    That's why we use Login Failure Daemon: if an IP attempts to access cPanel too many times, it gets banned.

  5. #5
    Quote Originally Posted by FS - Mike
    That's why we use Login Failure Daemon: if an IP attempts to access cPanel too many times, it gets banned.
    Yes, we do too.

    21 failed login attempts to account srpnbhqj (system) -- Large number of attempts from this IP: 204.238.82.20

    We use a lot of security measures. We spotted the attack in minutes. Most injections were stopped by mod_security and other systems in place. It just bothers me that this company allows someone to scan others' servers and websites.

    I'm excited to hear their explanation.
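    The lfd alert line quoted above is the kind of record a ban decision is made from. As an added example (not from the thread and not lfd's own code), the following script parses alert lines in that format, totals failed logins per source IP, and lists the IPs that cross a threshold while skipping an allowlist of scanners you actually authorised; the sample alerts are constructed, and the addresses other than the one quoted in the thread are RFC 5737 documentation ranges.

```python
import re
from collections import Counter

# Pattern for the lfd-style alert line quoted in the thread:
#   "<N> failed login attempts to account <acct> (<service>) -- Large number of
#    attempts from this IP: <ip>"
LFD_ALERT = re.compile(
    r"(?P<count>\d+) failed login attempts to account (?P<account>\S+) "
    r"\((?P<service>[^)]+)\) -- Large number of attempts from this IP: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample alerts. The first line is the one quoted in post #5; the
# other addresses are documentation ranges (RFC 5737), not real scanner IPs.
SAMPLE_ALERTS = [
    "21 failed login attempts to account srpnbhqj (system) -- Large number of attempts from this IP: 204.238.82.20",
    "lfd: restarting lfd after config change",  # unrelated line, must be ignored
    "8 failed login attempts to account srpnbhqj (system) -- Large number of attempts from this IP: 204.238.82.20",
    "3 failed login attempts to account root (system) -- Large number of attempts from this IP: 198.51.100.7",
    "12 failed login attempts to account admin (system) -- Large number of attempts from this IP: 192.0.2.10",
]


def parse_alerts(lines):
    """Yield (ip, account, service, count) for every line in the lfd alert format."""
    for line in lines:
        m = LFD_ALERT.search(line)
        if m:
            yield m["ip"], m["account"], m["service"], int(m["count"])


def failures_per_ip(lines):
    """Sum failed-login counts per source IP across all alert lines."""
    totals = Counter()
    for ip, _account, _service, count in parse_alerts(lines):
        totals[ip] += count
    return totals


def ips_to_block(lines, threshold=10, allowlist=frozenset()):
    """Return the sorted list of IPs at or above the failure threshold.

    The allowlist covers hosts you have deliberately authorised to scan you
    (your own monitoring box, or a PCI scanner you or a customer really signed
    up for), so a legitimate scan never ends up in a firewall deny by accident.
    """
    return sorted(
        ip for ip, total in failures_per_ip(lines).items()
        if total >= threshold and ip not in allowlist
    )


if __name__ == "__main__":
    for ip, total in failures_per_ip(SAMPLE_ALERTS).most_common():
        print(f"{ip:<16} {total} failed logins")
    print("block:", ips_to_block(SAMPLE_ALERTS, allowlist={"192.0.2.10"}))
```

    The allowlist is the piece to get right: several later posts argue that a scanner a customer legitimately signed up for should not be blocked outright.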

  6. #6
    Guess what, guys. Security Metrics asked us for information about who we are and our client. OK. We provided names and websites, which they can check that their servers were hitting today, and after we provided the info they replied:

    I am sorry sir for this inconvenience but I cannot provide you with any information about your clients because I do not know who your clients are until information is provided. Security Metrics is a certified PCI compliance scanning vendor. Normally the information is provided to us by merchant banks. I cannot disclose which merchant bank or any other information because I am not aware of who these clients are that you have spoken of. Thank you.

    So what, they cannot disclose who the customer is that is DoSing and scanning our servers. That's incredible. How in the first place do they let someone scan websites that don't belong to their customers? I suggest you all block all IPs from Security Metrics, as it seems their customers can scan whatever servers they like to find holes and hack them.

    Someone that uses their services tried to hack us and they don't want to reveal their name.

  7. #7
    Then I would block their IP addresses at your firewall and bypass them completely. Never compromise on server security in my experience.

  8. #8
    Of course they are blocked. But is this supposed to be a responsible company, one that hides persons trying to compromise others' servers?

    A little tip. The SM client that did this is probably the ex-hosting company where the client was hosted, trying to hack his client back to prove how wonderful their service is. That's my suspicion and the client's as well.

  9. #9
    That wouldn't surprise me. I've heard of companies doing that before (there was a VPS company that did it recently).

    Well good luck with it.

  10. #10
    OK, Security Metrics is a company that certifies a site for security for a client who is using a merchant account.

    It sounds like it was a shared server too.

    They pound the server to see if it is secure. They check all they can and really look for problems. If it is OK, they certify you and then the merchant will allow you to still accept credit cards.

    If it is a shared server, it sounds like someone on there is using a real merchant account or has applied for one. Or perhaps gave the wrong info.

    HOWEVER.....just because an IP is used does not mean it was not forged.

    and when I see this
    ===============
    21 failed login attempts to account srpnbhqj (system) -- Large number of attempts from this IP: 204.238.82.20
    ===============

    It looks like a hacker pretending to be a different IP. I do not have access to other logs, but it would be important to see what they were 'attacking'.

    And they would not let you know jack unless you are the client who requested it.

    Blocking an IP like Metrics' means any client using a merchant account for MC/V, etc. via a bank or other merchant will be unable to be certified and will lose their ability to do business... and you will lose business.

    I suggest really going over all the logs and looking to see what is up. Security Metrics would not have some lame username; it would say 'hey, I am Security Metrics' and then do some checks...

    Unless your logs really show this, I would take a copy of all of them and send it to them in an email asking for help and whether this was them.

    Sounds like a hacker faked it, and in response the hacker won, as you just took out one of the main certification companies for MasterCard and Visa from your servers.

    If this was just one client, and not a shared server, and he never heard of them and does not use a merchant, then it was a hacker and not Metrics.

    IP blocking is not a cure; it is a way of hackers winning.


    http://securitymetrics.com/scanning.adp

  11. #11
    Security Metrics is a funny company and a real annoyance. It must have been almost a year ago that they'd scan our IP ranges and cause cPanel's WebDAV to crash. We blocked their IPs, as their constant scanning was pretty annoying. We confirmed it was indeed their scanning, as we tried their free scan and it produced the same thing. Of course they did the original scans by just hitting every single IP in our range one after another. cPanel eventually fixed the crash bug triggered by them, which was nice. We never even wasted our time telling Security Metrics to stop; it was just easier to block their ranges. I'd say they're up there on the annoyance level with some of the newer start-up search engines who do not know the concept of limiting the number of requests a second they do.

  12. #12
    We've simply blocked their IPs as well - our monitoring system detected a potential intrusion attempt a while back and it turned out to be this company running scans for no legitimate reasons.

    If they were simply to throttle their scans it wouldn't be such an issue.

  13. #13
    programguy, I know exactly how PCI certifications work and I can assure you it's not done the way Security Metrics does it.

    They hit the client's website alone, not the whole server. Like some other people said, it almost crashed the servers, as they opened hundreds of connections trying to inject scripts via databases and some other code injections.

    I can assure you, the website that was hit runs on its own dedicated IP, not shared. And they only scanned that specific domain. Yes, there are other domains on the client's servers, but only his was scanned. It happens that he is set up with his own IP as well. Our website is also on its own server without any other websites.

    Minutes later they hit our website servers, which are completely different servers from the client's one. Our main company website. So they tried to hack into the client's website and ours. 2 servers. 2 dedicated IPs. 2 brute force attacks on both servers. The scan they only did on the client's website, not ours, but they tried a brute force attack on our servers as well.

    They refused to say who it was, as neither I nor the client requested this (yes, I confirmed this on the phone). We use McAfee for PCI scans, and you need to verify your account and ID before using their service; you cannot scan any website or server that doesn't belong to you. Why would you?

    I would never block IPs from a real, serious PCI certification company. It seems I was not the only person that was hit by them in a really suspicious way.

    Nobody requested their services, ever. It's clear someone or (a lot of) people actually use their services to try to hack servers, finding holes and outdated software. I don't care if a client uses their services; they don't run their company in a legitimate way. Otherwise they would not allow hackers to use their services. Denying me the info (someone that only identifies as Ivan) shows they protect and even support this kind of use of their service. I don't recommend anyone use this service, and what bugs me is that someone that is their client wanted to hurt us and they give him cover.

    I recommend all hosting companies block all their IP ranges. You can be sure if you are scanned, it's someone that wants to hack you. You think they run PCI scans for free on the Internet and just scan servers at random so everybody is safe on the net? No. Somebody requested this. Someone entered the domains or IPs into their system, and it's not someone that wants a PCI certification, that's for sure. It's like using an email server for spam. They use their servers for illegal things.
    Last edited by PYDOT; 07-21-2009 at 11:42 PM.

  14. #14
    If it was truly them trying to hack into your computer, then you have a full and legal right to sue them for civil and punitive damages.

    If they really do that (perhaps to drum up business) then they need to be destroyed legally.

    If you have the info, all you need is a lawyer. They've got the money; I would definitely get a lawyer to send them a settlement letter and a cease and desist.

    I would demand an apology in the form of a check. Hacking is hacking, no matter who it is. And since you know who they are, burn them to the ground.

    In fact, if there are others who this company has willfully tried to brute force into, then a class action is enough to get the checks rolling.

    It is illegal to try to hack a computer and you have proof. Lawyer time.

  15. #15
    And at least you all should feel a bit secure that they could not hack in, or did not anyway.

    Very strange behavior for a company that is so public and works with credit card companies... but then again, the CC companies are g-d d-mn crooks anyway.

  16. #16
    Yes, I have proof; they don't even deny it. They said they cannot give away the names of the banks they work with. Yeah right, as if a bank would try to hack me or my client.

  17. #17
    Quote Originally Posted by PYDOT (post #13 above)
    You do understand that during the PCI certification, depending on what the bank requires, they will do "penetration testing". Meaning... it is attempting to exploit the server in order to show vulnerability.

    Most companies are very cautious and require verification of ownership. If this is a shared system, they either had the IP wrong, or a customer signed up. They don't just test the site; they test the server attached to the IP.

    I wouldn't figure this to be malicious intent; my guess is one of your customers signed up for a scan, or to accept credit cards with one of the companies which require PCI certs in order to hold credit card data locally.

  18. #18
    Quote Originally Posted by serverorigin (post #17 above)
    I know that. Except I did NOT request their tests. Neither did my client.

    It could be a mistake, but you mean they made a mistake twice the same day on 2 different servers? One that runs our client's website, and the other one that runs our company website, which don't share IPs. I don't buy that.

    It's like slamming your car into the same person the same day and saying it was a coincidence. It's illegal to do penetration tests on systems which you are not authorized to test.

  19. #19
    *shrug* I agree, but are those systems on the same subnet? It is possible it did a discovery and just hit everything in the subnet. You may want to report it to your DC.

  20. #20

    Security Metrics Strikes Again?

    Quote Originally Posted by PYDOT (post #3 above)
    Pydot, thank you for starting this very important thread. One of my e-com clients just got hacked immediately following the most invasive scan I've ever seen.

    The scan was performed by Security Metrics. On Feb 2, 2010, scan2.securitymetrics.com came out of nowhere and hit every file on the site. The load equated to 66% (two thirds!) of our February data transfer. This is a site with over 7,500 visitors per month, so you can well imagine the intensity of the scan.

    One week later, hackers working out of Lithuania and Russia used a valid FTP password to upload new PHP files and alter existing files. They were also able to change permissions, but I'm not smart enough to know how that could be done with pure FTP. I suspect control panel access as well.

    The intent seems to have been to harvest our visitors into their botnet. In addition to a 1,000-line PHP file designed to access every port and allow our search form to be used as a login, the revised index.php contained 41 lines of additional code calling for specific processor memory locations.

    Security Metrics does not work for my client's bank. We do not know who ordered the "blitzkrieg" scan one week prior to the hack. I have since advised my client to ignore them, and blocked all IPs and the Security Metrics domain from the site.

    For all like me who are wondering why SM is scanning their site, VISA maintains a list entitled "cisp-list-of-pcidss-compliant-service-providers.pdf". You can search bank names to find their Assessor / PCI company.

    Again, many thanks for bringing Security Metrics' dubious practices to everyone's attention.
    Last edited by Web Lion; 02-28-2010 at 05:28 AM. Reason: Finessing

  21. #21
    This thread is silly.

  22. #22
    Quote Originally Posted by nerdie
    This thread is silly.
    Like how? For ignorant peons like me, this is arguably helpful to learn something new.

  23. #23

    SecurityMetrics

    Hey guys, thanks for the thread... This has been the only place where I have been able to find any legitimate info about the company. We had been receiving phone calls from them and I was putting it off until I could get more information from our credit card processing company. I am friends with a bank rep who set up the account and I asked her if she knew who SM was and what PCI compliance was. WHY would I have to deal with it? The company I work for is a NON-profit organization and we take online donations! So we don't even really have access to any cardholder data. My friend, Whitney Watson, who works for Arvest Bank and has an association with Security Bankcard, told me that she has worked a lot with SecurityMetrics and that I would need to fill out what she kept referring to as a "Self Assessment Questionnaire", and that they would have to do some scans on our website and on our servers because we host our own website.
    Whitney said that she works mostly with two people who work at SecurityMetrics named Scott Robinson and a Randy Blossum. SM is a Utah-based company and apparently they travel all over the country and the UK to create partnerships with other banks so that businesses who process credit cards will use them to get a certificate of PCI compliance. She went to a class they taught, a "webinar", and she said that others have had similar concerns about logging on to their website and giving up any info, but that they are legit and they don't design how the scans work. They run scans, but they have to do it according to the standards that V/MC have set up for them. They are on some special scan vendor list at the PCI compliance home page.
    www.pcisecuritystandards.org
    I am going to call them and give them the IPs and I'll let you all know how it goes.

  24. #24
    I've spoken to SM and haven't had any issues with getting info from them. I was somewhat surprised with how liberal they were with the info they had. I gave them a phone number; they told me my boss's Merchant ID number, the bank he was with, how long the account had been open, and even gave me a name and phone number for the bank rep that set up the account. I am sure if you asked for a list of banks they were partnered with they would rattle it off or even email it to you. Our business got a certificate of compliance from SM, but we didn't need any scans. - Easy.

  25. #25
    We've been using Security Metrics for our PCI scanning (and several customers as well) and have never seen load issues with their scans, even on busy cPanel boxes. They do have a 'DDOS' option in their scanning which we have never enabled since it's optional (DUH!), but perhaps a malicious client or user purposely enabled this option and aimed the scan/attack at your server.

    The more likely case is that your box is overloaded to begin with, so you should be worried more about optimizing your box to deal with an increase in traffic like this rather than complaining. Like I said, never, not once, has a securitymetrics PCI scan contributed significantly to the load of ANY of our cPanel or dedicated boxes.
