  1. #26
    We also have SM scans for ourselves (merchant bank required) and other clients. No issues to report either.
    Shared Hosting • Reseller Hosting • Managed Dedicated since 1999
    sales@certifiedhosting.com
    Toll Free 1.800.547.9995
    http://certifiedhosting.com

  2. #27
    Quote Originally Posted by programguy View Post

    Blocking an IP like metrics means any client using a merchant account for mc/v, etc via bank or other merchant will be unable to be certified and lose their ability to do business...and you will lose business.
    There are other ASVs, like McAfee and Trustwave, both of which have somewhat better support teams.

    Quote Originally Posted by programguy View Post
    I suggest really going over all the logs and looking to see what is up. Security metrics would not have some lame username, it would say 'hey, I am security metrics' and then do some checks...
    No, I have clients using SM and they don't say "hey, I'm SM". They bombard the server, exactly like a DoS, overscan our whole network, even devices not related to the client being scanned, etc.

    Quote Originally Posted by programguy View Post
    Unless your logs really show this, I would take a copy of all of them and send it to them in an email asking for help and if this was them.
    Don't bother trying to figure anything out with SM, they have the worst customer support I've dealt with in a long time. Took 3 weeks for them to resolve a simple false positive just in June. Their support replies to every contact with a cut-and-paste answer from a script. They don't actually READ your emails. And don't bother putting more than 1 point in your email, they won't read it. Keep it simple, even if it means opening 11 tickets with them instead of 1.

  3. #28
    Quote Originally Posted by FastServ View Post
    The more likely case is that your box is overloaded to begin with so you should be worried more about optimizing your box to deal with an increase in traffic like this rather than complaining. Like I said, never, not once, has a securitymetrics PCI scan contributed significantly to the load of ANY of our Cpanel or dedicated boxes.
    We have (thankfully) only a few clients using SM. Their scan can and does push the load on a dual Xeon 5520 box with 16 GB RAM from 0.5 (where it sits on average) to about 4. Luckily, even during the scan, the server still pushes content out pretty fast so it's never really been an issue. But even McAfee doesn't hit the servers as hard as SM.

  4. #29
    ^^ Interesting your load shoots up like that. Sounds like you need to optimize some things. I imagine if you ever got Dugg or Slashdotted your box would keel over completely. I've never witnessed any significant load caused by SM tests, but obviously it depends on the site being scanned and how well it can adapt to increased traffic.
    Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  5. #30
    Hackedprogmmer - Did you get your scans run?

  6. #31
    Quote Originally Posted by FastServ View Post
    We've been using security metrics for our PCI scanning (and several customers as well) and have never seen load issues with their scans even on busy Cpanel boxes. They do have a 'DDOS' option in their scanning which we have never enabled since it's optional (DUH!), but perhaps a malicious client or user purposely enabled this option and aimed the scan/attack at your server.
    Ditto here. We get a free account with them through our merchant bank for PCI Scans gratis with the account, and I've never seen load or scan issues at all (but I don't do the DDOS, either).

    When we've called for any problem, they've been great to work with.
    Jen Lepp
    “Customer service represents the heart of a brand in the hearts of its customers.” – Kate Nasser

  7. #32
    Quote Originally Posted by Lhiannon View Post
    Ditto here. We get a free account with them through our merchant bank for PCI Scans gratis with the account,
    Well, it's not totally free, your merchant processor is charging you an Annual Compliance Fee. It'd be cheaper if you could get out of that fee and pay SecurityMetrics the discounted rate for just being with a specific merchant processor, but it is somewhat nice that you don't have to keep a CC on file with them. Overall I have really enjoyed working with SM, I've enjoyed their professional customer service and TS.

  8. #33
    I use Linkpoint / First Data as my payment gateway for my ecommerce site, and I was contacted by Security Metrics stating that I must stay in compliance, otherwise I get charged a higher fee for transactions.

    My latest scan says I am non-compliant, and lists several issues relevant to active server pages, but I am on a linux box, and have no asp pages. Their scanning utility brings up bogus vulnerabilities and I'm thinking it might be time to find another gateway...

  9. #34
    It doesn't matter who your merchant processor/bank/acquiring bank is; since 2007ish, any business that accepts credit cards has to have a certificate of compliance. So even if you change processors, you'll still have to work with a company like Security Metrics. I would recommend calling their tech support. I know if you call them and ask specifically to talk to a "Scan Technician" you'll get better service. Dial 1.80.705.5700

    They have been a really great company to work with in my experience. They tell me the truth, unlike some of the processors that I've dealt with.

  10. #35
    Security Metrics is contracted by the major credit card companies to contact business owners and help them comply with the industry rules; not complying leaves a company open to losing a minimum of 250K if credit information is lost or stolen from their system. Comply and you're not liable. Don't comply and you will be fined out of business. Security Metrics simply checks firewalls and systems for holes. Business owners are contacted, so you as a developer or systems employee etc. may never know they have been given the OK to scan the company's computers.

    I know, I worked there and had the awful job of trying to convey the importance of the scans to business owners. The fines are set up by the credit card companies so that if your system is compromised, the fines will amount to more than your company can handle, and out of business you will go. Call them and volunteer... it is the major credit card companies that have laid the ground rules you need to follow. If you don't use credit info their scans are helpful to detect port openings and other potential security issues. Former employee.

  11. #36
    Staying on topic. SM security scans will happen against websites that have merchant accounts contracted with SM even if the site owner doesn't authorize it. Their scans are aggressive and will simulate a DDoS if you don't have protection in place. I've seen the same IPs mentioned earlier suddenly open 100 threads on a website in less than a minute. I've chased down reported server outages and found this IP in the logs with more than 100 open connections before Apache crashed.

    I later thanked them for being my test base for security against ddos attacks and now when they come calling they're blocked in seconds and before they cause significant loads on any of my servers.

    What is disturbing is they don't require permission to attack a website or server. If a client has a merchant account with them and is ignoring their pleas for paying them to certify their website they "test" the guy's domain and /or the server he's on without permission. They'll kick off mod_security, flood protection and a host of other security features if you have them installed. If you have a server without good protection SM scans take that server offline in just minutes.

    SM random testing is borderline illegal imo. As for the $250K penalty for not being PCI compliant, has anyone ever heard of a business paying such a price? I haven't, and I think PCI compliance is just another scam. I've read stories of many credit card companies having their databases compromised but I've never heard of any of them being fined $250K because of it. :rant off:

  12. #37
    Quote Originally Posted by ezstoresites View Post
    As for the $250K penalty for not being PCI compliant, has anyone ever heard of a business paying such a price? I haven't, and I think PCI compliance is just another scam. I've read stories of many credit card companies having their databases compromised but I've never heard of any of them being fined $250K because of it. :rant off:
    PCI is *NOT* a SCAM and very much real. Based on your transaction level (how much you process each year) you are put in a certain tier for PCI Compliance.

    If you are required to do PCI and you get caught not doing it, I imagine you can be fined. I know you can be fined if you get hacked and they find out you were not PCI compliant at the time of your hack.

    PCI should be taken very seriously, sadly 1% of the people who use WHT feel that way.

  13. #38
    Good day:

    We've been using, and recommending SecurityMetrics.com for several years.

    They are a valid and authorized PCI compliance scanning company.

    If you block PCI scanning companies, basically you are telling your customers and the world you don't care about PCI compliance whatsoever.

    You are telling your customers and the world that they should take a hike and go to a company that cares about PCI compliance.

    Others who take PCI compliance seriously will thank those of you who block valid PCI compliance scanning companies for the increased business.

    Now, if any valid PCI compliance scanning vendor brings down a server (or comes close), then it should be investigated as to what happened.

    Is it a really cheap server that cannot take a lot? Or was the scan really abusive?

    If the former, invest in a better server with better infrastructure.

    If the latter, then work with the PCI compliance scanning vendor to tune down the scan.

    Or block valid PCI compliance scanning vendors, and tell your customers who need to be PCI compliant to take a hike -- you don't want their business.

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile

  14. #39
    I'm sorry but if a PCI scan brings down your webserver then you have some serious issues on your server. Someone sitting on your site holding down F5 would probably crash your server too. Have a server admin lock down and properly configure your server so it doesn't crash so easily.

    I have NEVER seen a properly configured server (and I'm talking dozens ranging from shared hosting to VPS to low and high end dedicated) crash under a securitymetrics PCI scan. Ever.

    On a side note I've dealt with a half dozen 'scanning' companies and by far, securitymetrics has the least false positives and is easiest to work with on the few that do pop up from time to time. I cringe at the thought of going up the support chain of certain other companies.
    Last edited by FastServ; 01-08-2012 at 03:31 PM.
    Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  15. #40
    Wow it sounds like all the people that created this thread complaining about SM ddos'ing their servers must have no clue how to operate and manage a server. I wonder how they stay in business?

    I don't block SM's IPs and never have. I have port flood protection and know they trigger it off at least once a week (as well as other bots). If you think there is a valid reason for a PCI scanning company to open more than 20 threads from a single IP in under 2 seconds against a website or server then you're probably not half as sharp at webhosting as you suppose you are. I consider any bot that DDoS attacks a server a threat regardless of any conjured up security or customer benefit you suggest.

    You guys that have never experienced the SM bot taking down a server most likely don't monitor activity as close as those of us that have seen this. I paid for that type of (non)support for more than 5 years.

    I've hosted with plenty of large hosts on this forum (even the one that hosts this forum) before taking over the reins myself and remember those days of calling tech support that had no clue why my servers went down but kindly did a "reboot". Um, thanks, but why did it go down? Um, must have been a script or something, blah blah blah. But I haven't added any scripts and none have changed in months! Can't you look in a log or something? Nope, they're too large and won't tell us why the server went down. What about network reports? No, they won't tell us anything either. Basically I don't think in 5 years they EVER knew what took my servers down when they crashed. All they could do was bring them back up. That type of support led to a complete hijack of one of my dedi servers where the hacker got full root control of the server; supposedly from a "known linux kernel exploit" they hadn't "gotten around" to patching back in 2008. Yeah, I've paid my dues with "managed support".

    You guys can criticize those of us that have seen this SM ddos bot but I can tell you since I started learning and managing all my own stuff and quit paying for managed support my servers and customers couldn't be happier. If a client of mine wants to have SM PCI security scans they're welcome to bring them on. I'll most likely get the port flood protection email notice within an hour saying they triggered it and were blocked. How many port flood protection notices do your servers produce and you read? Right, that's what I thought. Probably why you never saw this SM IP addy.

    My servers are better secured than anything I received from managed dedi host offerings that I paid for. They run months instead of days without reboots and are very predictable in performance. I'm still learning but I know I offer a better and more secure hosting package to my clients than I ever did when I was paying for managed support that thought an apf firewall was all I needed to secure a server. If you haven't seen the SM DDoS bot it's most likely because you're not watching and turned notices off.

    Good luck, but don't criticize or question a member's ability to manage equipment because you don't manage as closely as they do. I only have 19 dedis so I manage them very closely for exploits and attacks. If I had 100 or 500 I'd probably turn the notices off and would never have seen this IP repeatedly surface in port flood reports. The bot is out there and will trigger port flood protection set at 20 connections under 2 seconds. I call that a threat but don't lose any sleep over it. =)

    Kind regards.
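
    The two posts above describe the same symptom from the logs: one source IP opening 100 connections in under a minute (#36), or tripping a flood rule set at 20 connections in under 2 seconds (#40). The script below is an added example, not code from any poster, from SecurityMetrics or from any flood-protection product named in the thread. It implements that kind of rule as a per-IP sliding-window counter over combined-format access log lines, so a host can confirm from its own logs which client produced a burst before deciding whether to block, rate-limit or contact the scanning vendor. Every log line, IP address (RFC 5737 TEST-NET ranges), path and timestamp in it is constructed test data; the scanner IPs the thread refers to are not reproduced here.

```python
"""Sliding-window burst detector for Apache/nginx combined-format access logs.

Added illustration for the thread above: flags any client IP that makes at
least ``max_hits`` requests inside ``window_seconds`` (the "20 connections in
under 2 seconds" rule a poster mentions). All addresses, paths and timestamps
are constructed sample data, not captured scanner traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [timestamp] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def find_bursts(lines, max_hits=20, window_seconds=2.0):
    """Count requests per source IP inside a sliding time window.

    Assumes each IP's lines appear in non-decreasing time order, as they do
    in a live access log. Returns {ip: peak_hits_in_window} for every IP
    that reached the threshold at least once.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip malformed lines rather than abort
        ip, ts, _req = parsed
        q = recent[ip]
        q.append(ts)
        # evict timestamps that have fallen out of the window
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_hits:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def sample_log():
    """Constructed log: one ordinary visitor and one scanner-like client."""
    tz = timezone(timedelta(hours=-5))
    base = datetime(2012, 1, 8, 15, 31, 0, tzinfo=tz)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'
    lines = []
    # ordinary visitor: five page views spread over the preceding minute
    for i in range(5):
        ts = (base - timedelta(seconds=60 - 15 * i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="198.51.100.7", ts=ts, path="/index.php",
                                status=200, ua="Mozilla/5.0"))
    # scanner-like client: 25 probes for unrelated paths within about 1 second
    probes = ["/cgi-bin/test-cgi", "/default.asp", "/phpinfo.php", "/admin/", "/.git/HEAD"]
    for i in range(25):
        ts = (base + timedelta(seconds=i // 13)).strftime(TS_FMT)
        lines.append(fmt.format(ip="192.0.2.10", ts=ts, path=probes[i % len(probes)],
                                status=404, ua="scanner/1.0"))
    lines.append("not a log line at all")   # malformed line, must be skipped
    return lines


if __name__ == "__main__":
    for ip, peak in sorted(find_bursts(sample_log()).items()):
        print(f"{ip}: {peak} requests inside the window")
```

    On a real host, feed it `access_log` lines instead of `sample_log()`; the visitor never exceeds one request per window, while the scanner-like client peaks at 25 and is reported. The threshold is a tuning knob, not a verdict: a burst from a known ASV address is a reason to check with the client who authorized the scan, not by itself proof of an attack.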

  16. #41
    This thread is a prime example of chickens running around with their heads cut off.
    All My Data » From small shared web hosting accounts to powerful dedicated servers.
    Now offering Affordable UNIX shells and IRCd hosting!

  17. #42
    I think some of you forget one important part. Scanning for vulnerabilities and making penetration tests without authorization is illegal, as far as I know, on almost any network.

    Example: even Amazon requires you to fill out a form if you install penetration-testing or vulnerability-scanning software on their cloud, and they even have to whitelist the IPs for this.

    Also, every single TOS at almost all providers specifies the same: that you cannot do port scanning and other penetration testing.

    Even commercial software for offensive security warns that you must get authorization from the network managers and of course the server owners.

    As far as I know, I think they did not allow this company to do the testing. You cannot do PCI scanning, vulnerability scanning or penetration testing on a system without authorization unless it's your own and you are doing it for security purposes.

    So let me summarize: if a company makes these tests without authorization they are considered to be attacking the person's equipment and network, because you cannot possibly expect the other party to know if they are doing it for security purposes or if one of their customers is using their service to actually detect a vulnerability on their competitors. The line is very thin between scanning to make a system safer and scanning to hack it, and if the admins are not aware of the scan I would consider it an attack.

    A serious company would never do security tests on an external system without authorization, so I find it rather amusing that some of you are defending this position or company, which it seems from this thread never received any authorization for the servers and equipment of the users complaining.

    I may be wrong, and I'm not sure who they hire, where or why, but I did find on Google other people complaining about similar things. If anyone can hire them to scan an external system then it's a big security flaw in their service, which would be ironic as they are a security company. So one of the first steps they should take is to make sure people hiring their services are indeed using them to scan their own servers.

  18. #43
    Correct there are plenty of complaints about SM scans being viewed as DDoS attacks all over the web for those that know how to use Google. Defending any bot that attacks a server without warning or authorization is just silly.

    I've seen them take a server without flood protection completely off-line and after reboot come right back and do it again.

    Easy to call someone Chicken Little when it's not your equipment going down all the time. Hopefully when some managed host support techs read this thread they get an idea of where to look when customers complain that their server loads are normal and suddenly there is a large spike in CPU, memory and MySQL resources until the server goes down. I've read this scenario on here so many times from frustrated managed host buyers because their servers have to be rebooted 2-3 times A DAY!

    Typically the managed host providers tell the customers they must have broken scripts or abusing users on their servers causing the problems (scan the current threads right now and see these active complaints) and I'll almost guarantee you these customers are being hit by Burstnet bots, SM scans or something similar. It doesn't take a rocket scientist to realize a DDoS attack on a database driven website will send CPU, memory usage and MySQL queries through the roof. I'll go further to say I bet most of these "managed" host providers don't have any mod security or port flood protection enabled on their equipment either. Funny you'd think the "gurus" would know the importance of this protection and know servers without protection will likely be attacked relentlessly once they make an online presence.

    Not a day goes by that all my servers don't see at least one attack, and most of the time multiple attacks in a day. Yet managed host providers STILL rent servers without any protection against these bots all the time. I don't give the bots a second thought anymore because my stuff is protected, but I certainly understand the frustration of being on the phone listening to a tech tell me they're not sure why a server keeps going down all the time.

    The sky isn't falling; that was a bot hammering until it got the boot.

  19. #44

    * securitymetrics.com is a scam

    They keep spamming me telling me they're gonna charge me all this ridiculous money for a website I sold over a year ago. First of all, any reputable company would NOT randomly just spam someone. The funny thing is not only do I no longer own the site these idiots are trying to collect money off, I don't use any credit card facilities in the first place. They apparently get names off some illegal list of outdated merchants and spam the he.. out of them trying to scare them. They are a JOKE! Their spam messages go right to my junk folder so obviously they are read as spam. I sent them a letter warning them if they don't stop sending me multiple unsolicited emails I would report them, and they continue to spam my email, so they have since been reported. I suggest anyone who has the same problem with them report their emails to their internet service provider and they will get in big trouble. A company not abiding by the CAN-SPAM Act speaks volumes about them. So I would not pay them any mind. Like I said, they are a joke and a scam.
