I've run a third-party PCI scan recently on my website, and my main domain cleared 100%.

The IP address, however, came up with some strange errors. It was claiming we were vulnerable to XSS attacks due to some CGIs that aren't even installed on our cloud server.

The XSS-prone vulnerabilities are as follows:

  • AgoraCart (agora.cgi)
  • Citrix NFuse Launch Scripts
  • DCP-Portal
  • Faq-O-Matic (fom.cgi)
  • FastCGI
  • Oracle 9iAS (iSQLplus)
  • Pinnacle Showcenter
  • PsNews

Other than FastCGI, I hadn't even heard of most of these. I've looked through my server (sub-domains and /user and /etc folders as well, just in case), and could not find any indication that any of these were installed. I don't even have *.cgi files on the server.

My server is a cloud server hosted by Rackspace, with a dedicated IP address.

I am wondering the following:

  1. Can the PCI scanner find files being used by others sharing the cloud server with me (i.e. different IP on same hardware)?
  2. If yes, what can I do about this? Is it something that would prevent me from passing compliance?
  3. If not, what are some possible causes for the scanner picking up these files? Am I looking in the wrong places here?

Almost forgot to mention: we migrated to a new server a few months back. We had Plesk on the old server, but didn't keep it on the new server. I'm bringing it up since those seem like files that might come with Plesk.


Update regarding the scan:

The scan was run over my domain and IP address, and did not require the installation of any files.

jperezov

  • We didn't run the scan, we can't answer the question. – mfinni Oct 22 '14 at 15:23
  • Typically a good report includes the exact reason why (which protocol, port, request options the scanner used and your server response, plus a bit of fluff interpreting that result) a positive result for a certain vulnerability was reported. Otherwise, your own guess is probably better than ours. – HBruijn Oct 22 '14 at 15:25
  • There's no generic way that scanners work that can answer whether or not they can pick up files across IPs on a cloud server? – jperezov Oct 22 '14 at 15:26
  • @downvoter: care to explain the downvote? This doesn't seem off-topic. Scans are standardized amongst third-party vendors; it's just the interpretation of the results that differs. I feel that a question asking about the specifics of this is valid here. – jperezov Oct 22 '14 at 15:33
  • One problem is that you didn't provide the specifics. – Michael Hampton Oct 22 '14 at 15:37
  • I provided the information that was provided to me. I'm asking here _because_ it's limited. The only thing missing is the domain in question, but my company won't let me provide that information. – jperezov Oct 22 '14 at 15:45
  • Are you saying that you're in a shared hosting environment? Shared hosting is not the same thing as a "cloud server." To us, "cloud server" means "dynamically provisioned virtual machine running on unspecified hardware in someone else's datacenter," not "user account on a shared web server." Generic shared hosting is probably not appropriate for your business needs. – Skyhawk Oct 22 '14 at 16:32
  • @Skyhawk the latter. We've got a VM on Rackspace. – jperezov Oct 22 '14 at 16:36

1 Answer

Your server's HTTP access logs should show you what their scan did. That's the first place you should be looking. It ought to stick out as a major anomaly, in contrast with your normal logs.

I am a little concerned when you say they scanned your "domain". Presumably they resolved a hostname in your domain to an IP address and scanned that. It would be helpful to you to know all the IP addresses they scanned and results for each IP address. If they didn't provide that then your third-party isn't doing a good job.

On the surface it sounds like they scanned the wrong thing, or scanned more than you asked them to.

Evan Anderson

  • Man, complete slip on my part to not think to look at the logs. Let me take a look at those and get back to you. Also, the third-party only lists one IP address scanned, although it's found files across all my sub-domains, so that doesn't seem right. – jperezov Oct 22 '14 at 16:34
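One way to pull the scan out of the access log, as an added example that is not part of the answer above: parse Apache combined-format lines (the log lines below are constructed), keep requests whose path matches one of the products named in the PCI report, and flag any client that hits several of them within a short window. The path markers, the client addresses and the "scanner/1.0" user-agent are assumptions for the sample, not details from the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: normal browsing from one client, plus a burst from a
# second client probing CGI paths from the report. All probes return 404,
# which is what you would expect when none of those products are installed.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Oct/2014:14:58:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Oct/2014:14:58:03 +0000] "GET /images/logo.png HTTP/1.1" 200 800 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Oct/2014:15:02:10 +0000] "GET /cgi-bin/agora.cgi HTTP/1.1" 404 210 "-" "scanner/1.0"
198.51.100.9 - - [22/Oct/2014:15:02:10 +0000] "GET /cgi-bin/fom.cgi HTTP/1.1" 404 210 "-" "scanner/1.0"
198.51.100.9 - - [22/Oct/2014:15:02:11 +0000] "GET /isqlplus HTTP/1.1" 404 210 "-" "scanner/1.0"
198.51.100.9 - - [22/Oct/2014:15:02:11 +0000] "GET /dcp/ HTTP/1.1" 404 210 "-" "scanner/1.0"
198.51.100.9 - - [22/Oct/2014:15:02:12 +0000] "GET /NFuse/ HTTP/1.1" 404 210 "-" "scanner/1.0"
203.0.113.7 - - [22/Oct/2014:15:05:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Path fragments for the products the report flagged (assumed spellings).
PROBE_MARKERS = ("agora.cgi", "fom.cgi", "isqlplus", "dcp", "nfuse",
                 "fastcgi", "showcenter", "psnews")


def parse(lines):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rec["status"] = int(rec["status"])
            yield rec


def find_scanners(log_text, min_probes=3, window_seconds=60):
    """Return {client_ip: [probed paths]} for clients that requested at least
    min_probes flagged paths with all of them inside window_seconds."""
    hits = defaultdict(list)
    for rec in parse(log_text.splitlines()):
        if any(marker in rec["path"].lower() for marker in PROBE_MARKERS):
            hits[rec["ip"]].append((rec["ts"], rec["path"], rec["status"]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        span = (events[-1][0] - events[0][0]).total_seconds()
        if len(events) >= min_probes and span <= window_seconds:
            flagged[ip] = [path for _, path, _ in events]
    return flagged
```

Once the scanner's address is known, every request from it in the same window is the list of what the scan actually did, which is the evidence to take back to the vendor.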