Is Greenbone hacking me?


#1

You might see UserAgent: Mozilla/5.0 [en] (X11, U; OpenVAS-VT 9.0.3) or UserAgent: Mozilla/5.0 [en] (X11, U; GBN-VT 9.0.3) in your log or observe other indicators of being scanned via the security tool OpenVAS-Scanner.

That does mean someone with a Greenbone Source Edition, a Greenbone Community Edition or a Greenbone Security Manager is scanning your system.

It does not automatically mean that Greenbone Networks is scanning your system! That being said, occasionally we are authorized to scan corporate servers to prove our product, and our Labs team also executes non-invasive and light surveys for statistics. The Labs team uses the source IP 212.95.124.190. For sure, Greenbone Networks is not hacking you.

The scanning tool is a vulnerability scanner. It is designed to identify weaknesses that expose an attack vector in order to close or mitigate the attack vector. The tool does not actively aid in exploiting the vulnerability, but it needs to use the same point of view as the tools used by real attackers. Ultimately this helps to improve the resilience of your IT infrastructure.

If you take a closer look at your log data you will see more scanning activity, not originating from Greenbone products. Most of them will not identify themselves.

This might be an authorized or an unauthorized activity.
Whether the unauthorized activity is legal or not legal is not easily answered for the entire globe. Plain scanning is usually not regarded as illegal.

If you are concerned about the situation, we recommend following two actions:

  1. Prevent the observed scanning activity.

    Configure your defense tools to block the IP address from where the activity originates. It might be a dynamic IP address, so blocking for a limited time might make more sense than blocking such IPs forever.

  2. Understand your own attack surface and take measures where needed.

    Since you are concerned with what you found, you might be unsure about the attack surface that your IT infrastructure exposes. Simply use one of the above-listed tools to know the situation yourself and to take adequate measures, making it much harder for the real attackers. Ultimately make it a continuous process and combine it with your defense tools.
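
The log check and the time-limited block from the post, as an added example that is not part of the original post and is not Greenbone code. It assumes the web server writes combined log format; the sample lines, the function name and the 24-hour block window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# User-agent markers quoted in the post; the version number may differ.
SCANNER_UA = re.compile(r"\b(OpenVAS-VT|GBN-VT) ([\d.]+)")
LABS_IP = "212.95.124.190"  # Labs team source IP stated in the post

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '198.51.100.23 - - [12/Mar/2024:10:15:01 +0000] "GET / HTTP/1.1" 200 512'
    ' "-" "Mozilla/5.0 [en] (X11, U; OpenVAS-VT 9.0.3)"',
    '198.51.100.23 - - [12/Mar/2024:10:15:04 +0000] "GET /admin/ HTTP/1.1" 404'
    ' 153 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS-VT 9.0.3)"',
    '212.95.124.190 - - [12/Mar/2024:11:02:30 +0000] "GET / HTTP/1.1" 200 512'
    ' "-" "Mozilla/5.0 [en] (X11, U; GBN-VT 9.0.3)"',
    '203.0.113.7 - - [12/Mar/2024:11:05:00 +0000] "GET / HTTP/1.1" 200 512'
    ' "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"',
]

def find_scanner_hits(lines, block_for=timedelta(hours=24)):
    """Group requests carrying the scanner user agent by source IP.

    The user agent is client-supplied: a match shows the tool's default
    string was sent, not who operates the scanner.
    """
    hits = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not combined log format, skip
        ip, ts, ua = m.groups()
        marker = SCANNER_UA.search(ua)
        if not marker:
            continue
        seen = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        h = hits.setdefault(ip, {"requests": 0, "marker": marker.group(1),
                                 "labs_ip": ip == LABS_IP, "last_seen": seen})
        h["requests"] += 1
        h["last_seen"] = max(h["last_seen"], seen)
    for h in hits.values():
        # Addresses may be dynamic, so the block gets an expiry.
        h["block_until"] = h["last_seen"] + block_for
    return hits

if __name__ == "__main__":
    for ip, h in find_scanner_hits(SAMPLE).items():
        print(ip, h["marker"], h["requests"], h["labs_ip"], h["block_until"])
```

The `block_until` value can feed whatever expiry mechanism your firewall or ban tool provides, so that an address reassigned to someone else is not blocked indefinitely.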