This is a first for me. I was going over my server’s log report this morning and I noticed 218 authentication failures from a domain name that implies that the company does security consulting. I checked the site and sure enough, they’re a “tiger team.” Is this a new method of spam, getting their domain and IP in server logs to get admins to check them out?
If you think you’ve gotten scanned by the same company, their netblock is 18.104.22.168/24, but I don’t want to link to them directly. So are they scanning my server to get me to visit their site? The website comes up if you go to the IP, so someone checking out their obvious brute-force attack would find it.
The strangest part about this is that if this is a ploy for business, it’s a bad one. Penetration testing requires a large amount of trust, and if you’re attacking my server to get my business you’re not exactly endearing yourself to me. It doesn’t rank high on the list of sound marketing decisions.
The only other scenario I can think of is if someone is using their tools to scan lots of servers, which would speak pretty poorly of the security testing company’s ability to secure things. Still bad publicity, but at least it doesn’t have the malicious intent of spamming.