  1. #1

    Be aware. Security Metrics

    I want to know if someone has more info on this company, securitymetrics.com.

    Today a hosted client received a lot of traffic: someone scanning every last file of his WordPress install. Guess what? The IP was from Security Metrics: 204.238.82.20.

    Even his logs show it.

    I would not have thought twice about it, since they seem to be a PCI certification service and would probably just scan the website for security. But I know McAfee and most scanners only scan the owner's website after verification, and do it at a moderate crawl speed.

    This scan was not normal. It was like a small DoS attack. The load spiked and it scanned hundreds of URLs at the same time on my hosted client's site.

    What really puzzles me is why the same IP is trying to hack the cPanel. OK, maybe it's part of their certification, not a problem. The problem starts when they do the same on the server hosting our main website, which is not the same as the client's. Since when does a certification also scan the host's website and the client's servers?

    The client, on the phone, said he has never even heard their name.

    So this IP is attacking a client's website and trying to hack several servers. Nice. I wonder what a real scam this company must be, that someone can pay them to scan websites which don't belong to them.
    The IPs are blocked, and unless there is a real explanation for why they scanned the client's website and then tried to log into our own servers as well, we are going to report this company. If someone hired them to hack the client's website, which I think is the case, they are really unprofessional, as they should only allow you to scan servers you own. It is clear that we suspect who it was, as the client already told us about this. They seem to have paid Security Metrics to find holes not only in the client's website but in ours as well.

    Be aware. We are going to contact them first and then go to their upstream providers if the explanation is not enough.

  2. #2
    Well, by any means DoS/hacking is extremely illegal, so yes, I would contact them and/or their provider about this situation. Best of luck!

  3. #3
    Confirmed again with the client. He doesn't even know what a PCI scan is.

    What puzzles me is that not only did they do a full scan (to the last file, CSS, image) of his website, with the load increasing 4 points, but they tried to hack into the cPanel not only of his website but of a server which uses our DNS as well.

    We have sent this company an email and we want to know who hired them to find holes.
    Why would someone bother to scan websites which aren't his, and try to inject PHP code and scripts into databases? Draw your own conclusion.

    What I did not know is that hackers hire companies to do it. I suspect the hacker has money and is lazy, so he hires a certification service to first find the holes he can exploit.

  4. #4
    That's why we use Login Failure Daemon: if an IP attempts to access cPanel too many times, it gets banned.

  5. #5
    Quote Originally Posted by FS - Mike View Post
    That's why we use Login Failure Daemon: if an IP attempts to access cPanel too many times, it gets banned.
    Yes, we too.

    21 failed login attempts to account srpnbhqj (system) -- Large number of attempts from this IP: 204.238.82.20

    We use a lot of security measures. We spotted the attack in minutes. Most injections were stopped by mod_security and other systems in place. It just bothers me that this company allows someone to scan other people's servers and websites.

    I'm excited to hear their explanation.

  6. #6
    Guess what, guys. Security Metrics asked us for information about who we are and who our client is. OK. We provided names and websites, which they can check their servers were hitting today, and after we provided the info they replied:

    I am sorry sir for this inconvenience but I cannot provide you with any information about your clients because I do not know who your clients are until information is provided. Security Metrics is a certified PCI compliance scanning vendor. Normally the information is provided to us by merchant banks. I cannot disclose which merchant bank or any other information because I am not aware of who these clients are that you have spoken of. Thank you.

    So they cannot disclose who the customer is that is DoSing and scanning our servers. That's incredible. How do they let someone scan websites that don't belong to their customers in the first place? I suggest you all block all IPs from Security Metrics, as it seems their customers can scan whatever servers they like to find holes and hack them.

    Someone that uses their services tried to hack us and they don't want to reveal their name.

  7. #7
    Then I would block their IP addresses at your firewall and bypass them completely. Never compromise on server security in my experience.

  8. #8
    Of course they are blocked. But is this supposed to be a responsible company, one that hides persons trying to compromise other people's servers?

    A little tip: the SM client that did this is probably the ex-hosting company where the client was hosted, trying to hack its former client to prove how wonderful their service is. That's my suspicion, and the client's as well.

  9. #9
    That wouldn't surprise me. I've heard of companies doing that before (there was a VPS company that did it recently).

    Well good luck with it.

  10. #10
    OK, Security Metrics is a company that certifies a site for security for a client who is using a merchant account.

    It sounds like it was a shared server too.

    They pound the server to see if it is secure. They check all they can and really look for problems. If it is okay, they certify you and then the merchant will allow you to still accept credit cards.

    If it is a shared server, sounds like someone on there is using a real merchant account or has applied for one. Or perhaps gave the wrong info.

    HOWEVER... just because an IP is used does not mean it was not forged.

    and when I see this
    ===============
    21 failed login attempts to account srpnbhqj (system) -- Large number of attempts from this IP: 204.238.82.20
    ===============

    It looks like a hacker pretending to be a different IP. I do not have access to other logs, but it would be important to see what they were 'attacking'.

    And they would not let you know jack unless you are the client who requested it.

    Blocking an IP like Metrics' means any client using a merchant account for MC/V, etc. via a bank or other merchant will be unable to be certified and will lose their ability to do business... and you will lose business.

    I suggest really going over all the logs and looking to see what is up. Security Metrics would not use some lame username; it would say 'hey, I am Security Metrics' and then do some checks...

    Unless your logs really show this, I would take a copy of all of them and send it to them in an email asking for help and whether this was them.

    Sounds like a hacker faked it, and in response the hacker won, as you just cut off one of the main certification companies for MasterCard and Visa from your servers.

    If this was just one client, and not a shared server, and he has never heard of them and does not use a merchant, then it was a hacker and not Metrics.

    IP blocking is not a cure, it is a way of hackers winning.


    http://securitymetrics.com/scanning.adp

  11. #11
    Security Metrics is a funny company and a real annoyance. It must have been almost a year ago that they'd scan our IP ranges and cause cPanel's WebDAV to crash. We blocked their IPs as their constant scanning was pretty annoying. We confirmed it was indeed their scanning, as we tried their free scan and it produced the same thing. Of course they did the original scans by just hitting every single IP in our range one after another. cPanel eventually fixed the crash bug triggered by them, which was nice. We never even wasted our time telling Security Metrics to stop; it was just easier to block their ranges. I'd say they're up there on the annoyance level with some of the newer start-up search engines who do not know the concept of limiting the number of requests per second they make.
    Tony B. - Chief Executive Officer

  12. #12
    We've simply blocked their IPs as well - our monitoring system detected a potential intrusion attempt a while back and it turned out to be this company running scans for no legitimate reason.

    If they were simply to throttle their scans it wouldn't be such an issue.
    Michael Denney - MDDHosting LLC

  13. #13
    programguy, I know exactly how PCI certifications work and I can assure you it's not done the way Security Metrics does it.

    They hit the client's website alone, not the whole server. Like some other people said, it almost crashed the servers, as they opened hundreds of connections trying to inject scripts via databases and some other code injections.

    I can assure you, the website that was hit runs on its own dedicated IP, not shared. And they only scanned that specific domain. Yes, there are other domains on the client's server, but only his was scanned. It happens that he is set up with his own IP as well. Our website is also on its own server without any other websites.

    Minutes later they hit our website server, which is a completely different server than the client's one: our main company website. So they tried to hack into the client's website and ours. 2 servers. 2 dedicated IPs. 2 brute-force attacks on both servers. The scan they only did on the client's website, not ours, but they tried a brute-force attack on our servers as well.

    They refused to say who it was, as neither I nor the client requested this (yes, I confirmed this on the phone). We use McAfee for PCI scans, and you need to verify your account and ID before using their service; you cannot scan any website or server that doesn't belong to you. Why would you?

    I would never block IPs from a real, serious PCI certification company. It seems I was not the only person that was hit by them in a really suspicious way.

    Nobody ever requested their services. It's clear someone (or a lot of people) actually use their services to try to hack servers, finding holes and outdated software. I don't care if a client uses their services; they don't run their company in a legitimate way. Otherwise they would not allow hackers to use their services. Denying me the info (someone that only identifies as Ivan) shows they protect and even support this kind of use of their service. I don't recommend anyone use this service, and what bugs me is that someone that is their client wanted to hurt us and they give him cover.

    I recommend all hosting companies block all their IP ranges. You can be sure that if you are scanned, it's someone that wants to hack you. You think they run PCI scans for free on the Internet and just scan servers at random so everybody is safe on the net? No. Somebody requested this. Someone entered the domains or IPs into their system, and it's not someone that wants a PCI certification, that's for sure. It's like using an email server for spam. They use their servers for illegal things.
    Last edited by PYDOT; 07-21-2009 at 11:42 PM.

  14. #14
    If it was truly them trying to hack into your computer, then you have a full and legal right to sue them for civil and punitive damages.

    If they really do that (perhaps to drum up business) then they need to be destroyed legally.

    If you have the info, all you need is a lawyer. They got the money, I would definitely get a lawyer to send them a settlement letter and a cease and desist.

    I would demand an apology in the form of a check. Hacking is hacking, no matter who it is. And since you know who they are, burn them to the ground.

    In fact, if there are others who this company has willfully tried to brute-force into, then a class action is enough to get the checks rolling.

    It is illegal to try to hack a computer and you have proof. Lawyer time.

  15. #15
    And at least you all should feel a bit secure that they could not hack in, or did not anyway.

    Very strange behavior for a company that is so public and works with credit card companies... but then again, the CC companies are g-d d-mn crooks anyway.

  16. #16
    Yes, I have proof; they don't even deny it. They said they cannot give away the names of the banks they work with. Yeah right, as if a bank would try to hack me or my client.

  17. #17
    Quote Originally Posted by PYDOT View Post
    programguy, I know exactly how PCI certifications work and I can assure you it's not done the way Security Metrics does it.
    You do understand that during the PCI certification, depending on what the bank requires, they will do "penetration testing". Meaning... it is attempting to exploit the server in order to show vulnerability.

    Most companies are very cautious and require verification of ownership. If this is a shared system, they either had the IP wrong, or a customer signed up. They don't just test the site, they test the server attached to the IP.

    I wouldn't figure this to be malicious intent, my guess is one of your customers signed up for a scan or to accept credit cards with one of the companies which require PCI certs in order to hold credit card data locally.

  18. #18
    Quote Originally Posted by serverorigin View Post
    You do understand that during the PCI certification, depending on what the bank requires, they will do "penetration testing". Meaning... it is attempting to exploit the server in order to show vulnerability.

    Most companies are very cautious and require verification of ownership. If this is a shared system, they either had the IP wrong, or a customer signed up. They don't just test the site, they test the server attached to the IP.

    I wouldn't figure this to be malicious intent, my guess is one of your customers signed up for a scan or to accept credit cards with one of the companies which require PCI certs in order to hold credit card data locally.
    I know that. Except I did NOT request their tests. Neither did my client.

    It could be a mistake, but you mean they made a mistake twice the same day on 2 different servers? One that runs our client's website, and the other one that runs our company website, which don't share IPs. I don't buy that.

    It's like ramming your car into the same person twice the same day and saying it was a coincidence. It's illegal to do penetration tests on systems for which you are not authorized.

  19. #19
    *shrug* I agree, but are those systems on the same subnet? It is possible it did a discovery and just hit everything in the subnet. Maybe report it to your DC.

  20. #20

    Security Metrics Strikes Again?

    Quote Originally Posted by PYDOT View Post
    Confirmed again with the client. He doesn't even know what a PCI scan is.
    Pydot, thank you for starting this very important thread. One of my e-com clients just got hacked immediately following the most invasive scan I've ever seen.

    The scan was performed by Security Metrics. On Feb 2, 2010, scan2.securitymetrics.com came out of nowhere and hit every file on the site. The load equated to 66% (two thirds!) of our February data transfer. This is a site with over 7,500 visitors per month, so you can well imagine the intensity of the scan.

    One week later, hackers working out of Lithuania and Russia used a valid FTP password to upload new php files and alter existing files. They were also able to change permissions, but I'm not smart enough to know how that could be done with pure FTP. I suspect control panel access as well.

    The intent seems to have been to harvest our visitors into their botnet. In addition to a 1,000-line PHP file designed to access every port and allow our search form to be used as a login, the revised index.php contained 41 lines of additional code calling for specific processor memory locations.

    Security Metrics does not work for my client's bank. We do not know who ordered the "blitzkrieg" scan one week prior to the hack. I have since advised my client to ignore them, and blocked all IPs and the Security Metrics domain from the site.

    For all like me who are wondering why SM is scanning their site, Visa maintains a list entitled "cisp-list-of-pcidss-compliant-service-providers.pdf". You can search bank names to find their Assessor / PCI company.

    Again, many thanks for bringing Security Metrics' dubious practices to everyone's attention.
    Last edited by Web Lion; 02-28-2010 at 05:28 AM. Reason: Finessing

  21. #21
    This thread is silly.

  22. #22
    Quote Originally Posted by nerdie View Post
    This thread is silly.
    Like how? For ignorant peons like me, this is arguably helpful to learn something new.

  23. #23

    SecurityMetrics

    Hey guys, thanks for the thread... This has been the only place where I have been able to find any legitimate info about the company. We had been receiving phone calls from them and I was putting it off until I could get more information from our credit card processing company. I am friends with a bank rep who set up the account and I asked her if she knew who SM was and what PCI compliance was. WHY would I have to deal with it? The company I work for is a NON-profit organization and we take online donations! So we don't even really have access to any cardholder data. My friend, Whitney Watson, who works for Arvest Bank and has an association with Security Bankcard, told me that she has worked a lot with SecurityMetrics and that I would need to fill out what she kept referring to as a "Self Assessment Questionnaire" and that they would have to do some scans on our website and on our servers because we host our own website.
    Whitney said that she works mostly with two people who work at SecurityMetrics named Scott Robinson and a Randy Blossum. SM is a Utah-based company and apparently they travel all over the country and the UK to create partnerships with other banks so that businesses who process credit cards will use them to get a certificate of PCI compliance. She went to a class they taught, a "webinar", and she said that others have had similar concerns about logging on to their website and giving up any info, but that they are legit and they don't design how the scans work. They run scans, but they have to do it according to the standards that V/MC have set up for them. They are on some special scan vendor list at the PCI compliance home page.
    www.pcisecuritystandards.org
    I am going to call them and give them the IP's and I'll let you all know how it goes.

  24. #24
    I've spoken to SM and haven't had any issues with getting info from them. I was somewhat surprised with how liberal they were with the info they had. I gave them a phone number; they told me my boss's Merchant ID number, the bank he was with, how long the account had been open, and even gave me a name and phone number for the bank rep that set up the account. I am sure if you asked for a list of banks they were partnered with they would rattle it off or even email it to you. Our business got a certificate of compliance from SM, but we didn't need any scans. - Easy.

  25. #25
    We've been using security metrics for our PCI scanning (and several customers as well) and have never seen load issues with their scans even on busy Cpanel boxes. They do have a 'DDOS' option in their scanning which we have never enabled since it's optional (DUH!), but perhaps a malicious client or user purposely enabled this option and aimed the scan/attack at your server.

    The more likely case is that your box is overloaded to begin with so you should be worried more about optimizing your box to deal with an increase in traffic like this rather than complaining. Like I said, never, not once, has a securitymetrics PCI scan contributed significantly to the load of ANY of our Cpanel or dedicated boxes.


  27. #27
    Quote Originally Posted by programguy View Post

    Blocking an IP like metrics means any client using a merchant account for mc/v, etc via bank or other merchant will be unable to be certified and lose their ability to do business...and you will lose business.
    There are other ASVs, like McAfee and Trustwave, both of which have somewhat better support teams.

    Quote Originally Posted by programguy View Post
    I suggest really going over all the logs and looking to see what is up. Security metrics would not have some lame username, it would say 'hey, I am security metrics' and then do some checks...
    No, I have clients using SM and they don't say "hey, I'm SM". They bombard the server, exactly like a DoS, overscan our whole network, even devices not related to the client being scanned, etc.

    Quote Originally Posted by programguy View Post
    Unless you logs really show this, I would take a copy of all of them and send it to them in an email asking for help and if this was them.
    Don't bother trying to figure anything out with SM; they have the worst customer support I've dealt with in a long time. It took 3 weeks for them to resolve a simple false positive just in June. Their support replies to every contact with a cut-and-paste answer from a script. They don't actually READ your emails. And don't bother putting more than 1 point in your email, they won't read it - keep it simple, even if it means opening 11 tickets with them instead of 1.

  28. #28
    Quote Originally Posted by FastServ View Post
    The more likely case is that your box is overloaded to begin with so you should be worried more about optimizing your box to deal with an increase in traffic like this rather than complaining. Like I said, never, not once, has a securitymetrics PCI scan contributed significantly to the load of ANY of our Cpanel or dedicated boxes.
    We have (thankfully) only a few clients using SM. Their scan can and does push the load on a dual Xeon 5520 box with 16 GB RAM from 0.5 (where it sits on average) to about 4. Luckily, even during the scan, the server still pushes content out pretty fast, so it's never really been an issue. But even McAfee doesn't hit the servers as hard as SM.

  29. #29
    ^^ Interesting that your load shoots up like that. Sounds like you need to optimize some things. I imagine if you ever got Dugg or Slashdotted your box would keel over completely. I've never witnessed any significant load caused by SM tests, but obviously it depends on the site being scanned and how well it can adapt to increased traffic.

  30. #30
    Hackedprogmmer - Did you get your scans run?

  31. #31
    Quote Originally Posted by FastServ View Post
    We've been using security metrics for our PCI scanning (and several customers as well) and have never seen load issues with their scans even on busy Cpanel boxes. They do have a 'DDOS' option in their scanning which we have never enabled since it's optional (DUH!), but perhaps a malicious client or user purposely enabled this option and aimed the scan/attack at your server.
    Ditto here. We get a free account with them through our merchant bank for PCI Scans gratis with the account, and I've never seen load or scan issues at all (but I don't do the DDOS, either).

    When we've called for any problem, they've been great to work with.
    Jen Lepp

  32. #32
    Quote Originally Posted by Lhiannon View Post
    Ditto here. We get a free account with them through our merchant bank for PCI Scans gratis with the account,
    Well, it's not totally free; your merchant processor is charging you an Annual Compliance Fee - it'd be cheaper if you could get out of that fee and pay SecurityMetrics the discounted rate for just being with a specific merchant processor, but it is somewhat nice that you don't have to keep a CC on file with them. Overall I have really enjoyed working with SM; I've enjoyed their professional customer service and TS.

  33. #33
    I use Linkpoint / First Data as my payment gateway for my ecommerce site, and I was contacted by Security Metrics stating that I must stay in compliance, otherwise I get charged a higher fee for transactions.

    My latest scan says I am non-compliant, and lists several issues relevant to Active Server Pages, but I am on a Linux box and have no ASP pages. Their scanning utility brings up bogus vulnerabilities and I'm thinking it might be time to find another gateway...

  34. #34

    Vendor

    It doesn't matter who your merchant processor/bank/acquiring bank is; since 2007-ish, any business that accepts credit cards has to have a certificate of compliance. So even if you change processors, you'll still have to work with a company like Security Metrics. I would recommend calling their tech support. I know if you call them and ask specifically to talk to a "Scan Technician" you'll get better service. Dial 1.80.705.5700

    They have been a really great company to work with in my experience. They tell me the truth, unlike some of the processors that I've dealt with.

  35. #35


    Security Metrics is contracted by the major credit card companies to contact business owners and help them comply with the industry rules; not complying leaves a company open to losing a minimum of 250K if credit information is lost or stolen from their system. Comply and you're not liable; don't comply and you will be fined out of business. Security Metrics simply checks firewalls and systems for holes. Business owners are contacted, so you as a developer or systems employee etc. may never know they have been given the OK to scan the company's computers. I know, I worked there and had the awful job of trying to convey the importance of the scans to business owners. The fines are set up by the credit card companies so that if your system is compromised, the fines will amount to more than your company can handle, and out of business you will go. Call them and volunteer... it is the major credit card companies that have laid the ground rules you need to follow. If you don't use credit info, their scans are helpful to detect port openings and other potential security issues. Former employee...

  36. #36
    Join Date
    Oct 2010
    Posts
    35
    Staying on topic. SM security scans will happen against websites that have merchant accounts contracted with SM even if the site owner doesn't authorize it. Their scans are aggressive and will simulate a DDoS if you don't have protection in place. I've seen the same IPs mentioned earlier suddenly open 100 threads on a website in less than a minute. I've chased down reported server outages and found this IP in the logs with more than 100 open connections before Apache crashed.

    I later thanked them for being my test base for security against DDoS attacks, and now when they come calling they're blocked in seconds and before they cause significant loads on any of my servers.

    What is disturbing is they don't require permission to attack a website or server. If a client has a merchant account with them and is ignoring their pleas for paying them to certify their website they "test" the guy's domain and /or the server he's on without permission. They'll kick off mod_security, flood protection and a host of other security features if you have them installed. If you have a server without good protection SM scans take that server offline in just minutes.

    SM random testing is borderline illegal imo. As for the $250K penalty for not being PCI compliant, has anyone ever heard of a business paying such a price? I haven't, and think PCI compliance is just another scam. I've read stories of many credit card companies having their databases compromised but I've never heard of any of them being fined $250K because of it. :rant off:

  37. #37
    Join Date
    Jul 2005
    Location
    In the Internets
    Posts
    3,622
    Quote Originally Posted by ezstoresites:
    As for the $250K penalty for not being PCI compliant, has anyone ever heard of a business paying such a price? I haven't, and think PCI compliance is just another scam. I've read stories of many credit card companies having their databases compromised but I've never heard of any of them being fined $250K because of it. :rant off:
    PCI is *NOT* a SCAM and very much real. Based on your transaction level (how much you process each year) you are put in a certain tier for PCI Compliance.

    If you are required to do PCI and you get caught not doing it, I imagine you can be fined. I know you can be fined if you get hacked and they find out you were not PCI compliant at the time of your hack.

    PCI should be taken very seriously, sadly 1% of the people who use WHT feel that way.

  38. #38
    Good day:

    We've been using, and recommending SecurityMetrics.com for several years.

    They are a valid and authorized PCI compliance scanning company.

    If you block PCI scanning companies, basically you are telling your customers and the world you don't care about PCI compliance whatsoever.

    You are telling your customers and the world that they should take a hike and go to a company that cares about PCI compliance.

    Others who take PCI compliance seriously will thank those of you who block valid PCI compliance scanning companies for the increased business.

    Now, if any valid PCI compliance scanning vendor brings down a server (or comes close), then it should be investigated as to what happened.

    Is it a really cheap server that cannot take a lot? Or was the scan really abusive?

    If the former, invest in a better server with better infrastructure.

    If the latter, then work with the PCI compliance scanning vendor to tune down the scan.

    Or block valid PCI compliance scanning vendors, and tell your customers who need to be PCI compliant to take a hike -- you don't want their business.

    Thank you.
    ---
    Peter M. Abraham

  39. #39
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,571
    I'm sorry but if a PCI scan brings down your webserver then you have some serious issues on your server. Someone sitting on your site holding down F5 would probably crash your server too. Have a server admin lock down and properly configure your server so it doesn't crash so easily.

    I have NEVER seen a properly configured server (and I'm talking dozens ranging from shared hosting to VPS to low and high end dedicated) crash under a securitymetrics PCI scan. Ever.

    On a side note I've dealt with a half dozen 'scanning' companies and by far, securitymetrics has the least false positives and is easiest to work with on the few that do pop up from time to time. I cringe at the thought of going up the support chain of certain other companies.
    Last edited by FastServ; 01-08-2012 at 03:31 PM.
    Fast Serv Networks, LLC | AS29889 | Fully Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  40. #40
    Join Date
    Oct 2010
    Posts
    35
    Wow, it sounds like all the people that created this thread complaining about SM DDoS'ing their servers must have no clue how to operate and manage a server. I wonder how they stay in business?

    I don't block SM's IPs and never have. I have port flood protection and know they trigger it at least once a week (as well as other bots). If you think there is a valid reason for a PCI scanning company to open more than 20 threads from a single IP in under 2 seconds against a website or server then you're probably not half as sharp at webhosting as you suppose you are. I consider any bot that DDoS attacks a server a threat regardless of any conjured up security or customer benefit you suggest.

    You guys that have never experienced the SM bot taking down a server most likely don't monitor activity as close as those of us that have seen this. I paid for that type of (non)support for more than 5 years.

    I've hosted with plenty of large hosts on this forum (even the one that hosts this forum) before taking over the reins myself, and remember those days of calling tech support that had no clue why my servers went down but kindly did a "reboot". Um, thanks, but why did it go down? Um, must have been a script or something, blah blah blah. But I haven't added any scripts and none have changed in months! Can't you look in a log or something? Nope, they're too large and won't tell us why the server went down. What about network reports? No, they won't tell us anything either. Basically I don't think in 5 years they EVER knew what took my servers down when they crashed. All they could do was bring them back up. That type of support led to a complete hijack of one of my dedi servers where the hacker got full root control of the server; supposedly from a "known linux kernel exploit" they hadn't "gotten around" to patching back in 2008. Yeah, I've paid my dues with "managed support".

    You guys can criticize those of us that have seen this SM DDoS bot, but I can tell you since I started learning and managing all my own stuff and quit paying for managed support my servers and customers couldn't be happier. If a client of mine wants to have SM PCI security scans they're welcome to bring them on. I'll most likely get the port flood protection email notice within an hour saying they triggered it and were blocked. How many port flood protection notices do your servers produce and you read? Right, that's what I thought. Probably why you never saw this SM IP addy.

    My servers are better secured than anything I received from managed dedi host offerings that I paid for. They run months instead of days without reboots and are very predictable in performance. I'm still learning, but I know I offer a better and more secure hosting package to my clients than I ever did when I was paying for managed support that thought an apf firewall was all I needed to secure a server. If you haven't seen the SM DDoS bot it's most likely because you're not watching and turned notices off.

    Good luck, but don't criticize or question a member's ability to manage equipment because you don't manage as closely as they do. I only have 19 dedis so I manage them very closely for exploits and attacks. If I had 100 or 500 I'd probably turn the notices off and would never have seen this IP repeatedly surface in port flood reports. The bot is out there and will trigger port flood protection set at 20 connections under 2 seconds. I call that a threat but don't lose any sleep over it. =)

    Kind regards.
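An added example of the rate check post #40 describes, and of the "100 connections in under a minute" pattern post #36 reports: a sliding-window counter over Apache access-log lines that flags any IP reaching 20 requests inside two seconds, the same numbers post #40 gives for its port-flood protection. This is not code from this thread, from any host posting here, or from SecurityMetrics. It assumes the log is in Apache combined format; the threshold, window, IP addresses and log lines are constructed for the example.

```python
"""Per-IP connection-burst detector over Apache access-log lines.

Added example for this thread; it is not code from the forum, the hosts
quoted here, or SecurityMetrics. It models the "20 connections from one IP
in under 2 seconds" rule that post #40 describes for its port-flood
protection, applied to an Apache combined-format access log. All IPs and
log lines below are constructed (RFC 5737 documentation ranges).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 20   # requests from one IP ...
WINDOW_S = 2.0   # ... within fewer than this many seconds (post #40's numbers)

# Apache combined log format: ip ident user [ts] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, unix_time, request) for one log line, or None if the
    line does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.timestamp(), m.group("req")


def window_peaks(lines, window=WINDOW_S):
    """For each IP, the largest number of requests that fell inside any
    sliding window shorter than `window` seconds.

    Entries are sorted by time first because Apache writes lines in
    completion order, which is only approximately chronological.
    """
    events = [p for p in map(parse_line, lines) if p is not None]
    events.sort(key=lambda e: e[1])
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = defaultdict(int)
    for ip, t, _req in events:
        q = recent[ip]
        q.append(t)
        # Drop timestamps that are `window` seconds or older than the newest.
        while t - q[0] >= window:
            q.popleft()
        peaks[ip] = max(peaks[ip], len(q))
    return dict(peaks)


def find_bursts(lines, threshold=THRESHOLD, window=WINDOW_S):
    """IPs whose peak in-window request count reached the threshold,
    mapped to that peak. Blocking or allowlisting is left to the caller."""
    return {ip: n for ip, n in window_peaks(lines, window).items() if n >= threshold}


def sample_log():
    """Constructed sample: a scanner-like burst of 25 requests spanning
    15:31:05 and 15:31:06, plus one ordinary visitor over 40 seconds."""
    fmt = ('{ip} - - [08/Jan/2012:15:31:{sec:02d} +0000] '
           '"GET {path} HTTP/1.1" {status} 512 "-" "-"')
    lines = [
        fmt.format(ip="203.0.113.10", sec=5 + i // 13,
                   path=f"/wp-content/plugins/p{i}/readme.txt", status=404)
        for i in range(25)
    ]
    lines += [
        fmt.format(ip="198.51.100.7", sec=sec, path="/index.php", status=200)
        for sec in (0, 10, 20, 30, 40)
    ]
    lines.append("not a log line")   # exercises the parser's rejection path
    return lines


if __name__ == "__main__":
    for ip, n in find_bursts(sample_log()).items():
        print(f"{ip}: {n} requests inside a {WINDOW_S:g}s window "
              f"(threshold {THRESHOLD})")
```

Run as a script it prints the flagged IPs for the built-in sample; feed `find_bursts` real log lines to use it on a live server. The detector only establishes that an IP exceeded the rate. Whether that traffic is an authorized PCI scan is exactly what this thread argues over, so the caller decides whether to block, rate-limit, or, as post #38 suggests, work with the scanning vendor to tune the scan down.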
