
SANS ISC: InfoSec Handlers Diary Blog - POP3 Server Brute Forcing Attempts Using Polycom Credentials



POP3 Server Brute Forcing Attempts Using Polycom Credentials

Published: 2013-07-31
Last Updated: 2013-07-31 16:26:38 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Our reader Pete submitted an interesting set of log entries from his POP3 server:

LOGIN FAILED, user=PlcmSpIp, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=ts, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=bsoft, ip=[::ffff:117.102.119.146]

The interesting part is that the attacker used usernames that are usually associated with Polycom SIP PBXs. I don't have a Polycom server handy, but if anybody does: do they usually include a POP3 server? Or do they require POP3 accounts for these credentials?
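As an added illustration (not part of the diary or the reader's submission), here is a small Python filter that parses the failed-login format shown above and flags source addresses that cycled through the Polycom-style usernames from the excerpt. The watch list, the threshold and the extra benign line in the sample log are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Usernames taken from the diary's log excerpt (compared case-insensitively).
# Treating them as a watch list is an assumption of this example.
WATCHED_USERS = {"plcmspip", "ts", "bsoft"}

# Matches the POP3 server's failed-login line format as shown in the diary;
# the IPv4-mapped IPv6 prefix "::ffff:" is optional and stripped.
LOGIN_FAILED = re.compile(
    r"LOGIN FAILED, user=(?P<user>[^,]+), ip=\[(?:::ffff:)?(?P<ip>[^\]]+)\]"
)

# Constructed sample log: the diary's five lines plus one unrelated failure
# from another address, which should not be flagged.
SAMPLE_LOG = """\
LOGIN FAILED, user=PlcmSpIp, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=ts, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=bsoft, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=alice, ip=[::ffff:192.0.2.10]
"""

def parse_failures(log_text):
    """Yield (username, ip) for every failed-login line in the log text."""
    for line in log_text.splitlines():
        m = LOGIN_FAILED.search(line)
        if m:
            yield m.group("user"), m.group("ip")

def find_polycom_bruteforce(log_text, threshold=3):
    """Return {ip: {"failures": n, "watched_users": [...]}} for source IPs that
    tried at least one watched username and reached `threshold` failures."""
    failures = Counter()
    watched = defaultdict(set)
    for user, ip in parse_failures(log_text):
        failures[ip] += 1
        if user.lower() in WATCHED_USERS:
            watched[ip].add(user)  # keep original case to show the variants tried
    return {
        ip: {"failures": n, "watched_users": sorted(watched[ip])}
        for ip, n in failures.items()
        if watched[ip] and n >= threshold
    }

if __name__ == "__main__":
    for ip, info in find_polycom_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed logins, "
              f"Polycom-style usernames tried: {', '.join(info['watched_users'])}")
```

Feed it a real POP3 log instead of SAMPLE_LOG to get a per-source summary that is easier to act on (block list, rate limit) than the raw lines.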

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
