As a security professional, we spend our time helping our organisation and clients in securing their infrastructure, but what should we do when WE are scanned?

I’ve noticed in my logs numerous attempts using web application scanners, the latest one run on the 21st of June using Acunetix. As you know, this adds quite a bit of unnecessary traffic to your site, especially when you turn all the options on in the scanner and it runs every web test against each file and directory on your server. The following is a snapshot of the difference in traffic from the scan.

[Figure: request volume before and during the scan (scanned.jpg)]

As you can see jumping from under 1000 requests to over 130,000 is quite a big jump.
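To put some numbers on what the logs showed, here is an added example (not code from the original post) that summarises an Apache combined-format access log per client IP and flags the kind of scan described above: a known scanner user-agent, an abnormal request count, or a run of 404s. The log lines are constructed for the example; the thresholds are assumptions you would tune to your own site’s baseline.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" format (not real traffic from the post).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jun/2008:10:00:01 +1000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Acunetix)"
203.0.113.7 - - [21/Jun/2008:10:00:01 +1000] "GET /wp-login.php?log=%27 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Acunetix)"
203.0.113.7 - - [21/Jun/2008:10:00:02 +1000] "GET /wp-content/nonexistent.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Acunetix)"
198.51.100.3 - - [21/Jun/2008:10:00:05 +1000] "GET /2008/06/hello-world/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (Windows; U)"
"""

# One combined-format entry: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

SCANNER_UA_MARKERS = ("acunetix", "nikto")  # lower-case substrings of known scanner UAs

def summarise_by_ip(log_text):
    """Aggregate request count, 404 count and scanner-UA hits per client IP."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "scanner_ua": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        s = stats[m["ip"]]
        s["requests"] += 1
        if m["status"] == "404":
            s["not_found"] += 1
        if any(marker in m["ua"].lower() for marker in SCANNER_UA_MARKERS):
            s["scanner_ua"] += 1
    return dict(stats)

def flag_scanners(log_text, request_threshold=1000, not_found_ratio=0.5):
    """Return IPs that look like a scanner: known UA, a request flood, or mostly 404s."""
    flagged = {}
    for ip, s in summarise_by_ip(log_text).items():
        reasons = []
        if s["scanner_ua"]:
            reasons.append("scanner user-agent")
        if s["requests"] >= request_threshold:  # assumed threshold; tune to your baseline
            reasons.append("request volume")
        if s["requests"] >= 3 and s["not_found"] / s["requests"] >= not_found_ratio:
            reasons.append("high 404 ratio")
        if reasons:
            flagged[ip] = reasons
    return flagged

if __name__ == "__main__":
    for ip, why in flag_scanners(SAMPLE_LOG).items():
        print(ip, ", ".join(why))
```

Point it at a real access log (for example `flag_scanners(open("access.log").read())`) and the output is the list of IPs worth raising with the ISP, together with why each was flagged.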

I also saw some reconnaissance via Google, using “site:gilbertverdian.com php”.

By the way, that IP is the transparent proxy from http://www.tpg.com.au, an Australian ISP. It seems users from that ISP have been a little naughty lately.

My setup is quite standard: hosted by Dreamhost, running WordPress with a MySQL database and a couple of WordPress plugins. If someone really wants to break in, all they have to do is set up a VMware LAMP server on Linux, install WordPress, emulate this environment and have a go against their own virtual host. You might even gain some 0day credits if you find some bugs.

I know of other security professionals who have had their own server broken into in the past (not mentioning any names, Johnny ;) because they didn’t patch SSH about 4 years ago), but he admitted to getting lazy, not patching an old version, and moved on…

So the question stands, what do we do about it? Should we follow this up with the ISP? Or just let it go? What do you guys do?
