SANS ISC: InfoSec Handlers Diary Blog



POP3 Server Brute Forcing Attempts Using Polycom Credentials

Published: 2013-07-31
Last Updated: 2013-07-31 16:26:38 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Our reader Pete submitted an interesting set of log entries from his POP3 server:

LOGIN FAILED, user=PlcmSpIp, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=ts, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=bsoft, ip=[::ffff:117.102.119.146]

The interesting part is that the attacker used usernames that are usually associated with Polycom SIP PBXs. I don't have a Polycom server handy, but if anybody does: do they usually include a POP3 server? Or do they require POP3 accounts for these credentials?
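Log entries like the ones above are easy to triage automatically. The following script is an added example (not part of the diary or of any Polycom or mail-server product): it parses lines in the exact format Pete's POP3 server produced, collapses the IPv4-mapped IPv6 address (`::ffff:…`) to the plain IPv4 source, counts failures per source, and separately flags any attempt that uses one of the device-default account names seen in the diary. The watchlist, the failure threshold, and the extra benign line from 192.0.2.10 are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the diary's five lines plus one benign single failure
# from a documentation-range address, to show that it is not flagged.
SAMPLE_LOG = """\
LOGIN FAILED, user=PlcmSpIp, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=ts, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=bsoft, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=alice, ip=[::ffff:192.0.2.10]
"""

# Matches the log format shown in the diary; anything else is ignored.
LOG_RE = re.compile(r"^LOGIN FAILED, user=(?P<user>[^,]+), ip=\[(?P<ip>[^\]]+)\]$")

# Assumed watchlist: the device-default style account names that appeared in
# the diary's log excerpt, compared case-insensitively.
DEVICE_DEFAULT_USERS = frozenset({"plcmspip", "ts", "bsoft"})


def normalize_ip(raw):
    """Return a plain IPv4 string for IPv4-mapped IPv6 addresses, else the address as given."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return raw  # leave unparsable values untouched so they still group together
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def parse_line(line):
    """Parse one 'LOGIN FAILED' line into {'user', 'ip'}; return None for other lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"user": m.group("user"), "ip": normalize_ip(m.group("ip"))}


def analyze(log_text, threshold=3):
    """Summarise failed logins per source address.

    A source is flagged when it reaches `threshold` failures (assumed value) or
    when any attempted username is on the device-default watchlist, since even
    a single probe for such an account is worth a look.
    """
    per_ip = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["failures"] += 1
        entry["users"].add(rec["user"])

    report = {}
    for ip, entry in per_ip.items():
        hits = sorted({u.lower() for u in entry["users"] if u.lower() in DEVICE_DEFAULT_USERS})
        report[ip] = {
            "failures": entry["failures"],
            "users": sorted(entry["users"]),
            "default_account_hits": hits,
            "flagged": entry["failures"] >= threshold or bool(hits),
        }
    return report


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        status = "FLAGGED" if summary["flagged"] else "ok"
        print(f"{ip}: {summary['failures']} failures, users={summary['users']}, "
              f"default-account hits={summary['default_account_hits']} -> {status}")
```

Run against a real log, pipe the file contents into `analyze()` instead of `SAMPLE_LOG`; the per-source summary is what you would hand to a firewall block list or a ticket, and the `default_account_hits` field tells you whether the source is guessing generic names or specifically hunting for default device accounts.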

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
