Comment Re:What would be the motive to submit such junk? (Score 2) 91
I've seen exactly this from supposedly respectable pen test teams. Their recommendation was not to "yum update httpd" but just to go to apache.org. As if visiting the website was all the instructions they would ever need to provide. I was f**king livid. It got worse when I found they had left "bitcoin ransomware files" on the server. Yes, the pen test team had credentials (some tests were 'white box' style), so them gaining access wasn't a problem, and I'm OK with them being a bit irreverent, but to not even put their name and email in the note was completely unprofessional. We nearly wiped the entire platform thinking we'd been hacked for real during the pen test. The guy responsible _and_ his manager got a severe bollocking when the truth got out.
Oh, and they left a process running on one of the physical Xeons listening on a certain port and running whatever you sent there as root. There were so many cores you couldn't see that one was pegged at 100% without looking carefully. I only spotted it from the command history, which shows they don't clean up after themselves there either.
All future pen test discussions began with "so tell me what I'm going to see in my logs and how you're going to clean up after yourselves".