
SANS ISC: POP3 Server Brute Forcing Attempts Using Polycom Credentials - SANS Internet Storm Center


POP3 Server Brute Forcing Attempts Using Polycom Credentials

Our reader Pete submitted an interesting set of log entries from his POP3 server:

LOGIN FAILED, user=PlcmSpIp, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=ts, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=bsoft, ip=[::ffff:117.102.119.146]

The interesting part is that the attacker used usernames usually associated with Polycom SIP phones rather than with a mail server: PlcmSpIp is the default username Polycom phones present when they fetch their configuration from a provisioning server, so this looks like an attempt to reuse that default credential against whatever other services the same host exposes. I don't have a Polycom server handy, but if anybody has: do they usually include a POP3 server, or do they require POP3 accounts for these credentials?

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
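As an added example (not part of the diary or of Pete's submission), the following shell function turns log lines like the ones above into a quick detector. It parses the "LOGIN FAILED, user=..., ip=[...]" format the server writes, strips the IPv4-mapped "::ffff:" prefix so the addresses are usable in a block list, and reports every source that tried a provisioning username together with its total failure count. Only PlcmSpIp is treated as a provisioning name by default, because that is the documented Polycom default; the other usernames in the log (ts, bsoft) can be added through the PROV_USERS variable if they are known defaults in your environment. The sample log is constructed: the five lines from the diary plus three made-up lines for contrast.

```sh
#!/bin/sh
# Added example, not from the diary: flag POP3 login failures that use
# Polycom provisioning usernames. Log format assumed to match the diary:
#   LOGIN FAILED, user=<name>, ip=[::ffff:<v4addr>]

# Provisioning usernames to treat as high-signal, matched case-insensitively.
# PlcmSpIp is the documented Polycom default; add others (space separated)
# if they are defaults in your environment.
PROV_USERS="${PROV_USERS:-PlcmSpIp}"

# Constructed sample: the five lines from the diary plus three made-up lines
# (a normal user's one-off failure and success, and a single probe from a
# second address) to show what does and does not get reported.
SAMPLE_LOG='LOGIN FAILED, user=PlcmSpIp, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=ts, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=bsoft, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=alice, ip=[::ffff:203.0.113.9]
LOGIN, user=alice, ip=[::ffff:203.0.113.9]
LOGIN FAILED, user=plcmspip, ip=[::ffff:198.51.100.7]'

# flag_provisioning_probes: reads log lines on stdin and prints, sorted,
#   <source ip> <total login failures> <failures using a provisioning name>
# for every source that used at least one provisioning username. A single
# such attempt is already worth a look, so there is no threshold.
flag_provisioning_probes() {
  awk -v names="$PROV_USERS" '
    BEGIN { n = split(tolower(names), tmp); for (i = 1; i <= n; i++) prov[tmp[i]] = 1 }
    /LOGIN FAILED/ {
      u = ""; ip = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^user=/) { u = substr($i, 6); sub(/,$/, "", u) }
        if ($i ~ /^ip=/) {
          ip = substr($i, 4)
          sub(/^\[/, "", ip); sub(/\]$/, "", ip)   # drop the brackets
          sub(/^::ffff:/, "", ip)                   # IPv4-mapped IPv6 -> plain IPv4
        }
      }
      if (ip == "") next
      fails[ip]++
      if ((tolower(u) in prov)) hits[ip]++
    }
    END { for (ip in hits) print ip, fails[ip], hits[ip] }
  ' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | flag_provisioning_probes
```

On a live server feed the real log instead of the sample, for example with tail -F piped into the function, and feed the reported addresses to whatever blocking mechanism you already use; the 203.0.113.9 source is deliberately not reported because it never used a provisioning name.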
The user plcmspip is the default user name Polycom SoundPoint IP SIP phones use to download their config from FTP servers.

A lot of SIP phone implementers set this to a weak password, and it is frequently the same password used for the SIP registration secret, the administration web page of an Asterisk PBX, SSH access into the underlying Linux or *BSD OS, etc.
Anonymous
Some Asterisk distributions (definitely Elastix, for instance) include POP3, IMAP, and SMTP services enabled by default.
Anonymous
The Polycom phones by default use username PlcmSpIp and password PlcmSpIp when downloading the config from the FTP server.

If a default config FTP server is used, the admin may have just created PlcmSpIp as a Unix user and neglected to prevent the PlcmSpIp user from having access to POP3, SSH, or other services running on the server.

Such boot servers might be open to the world.
An alternative username and password can be selected and provided in the URL string given by DHCP option 150.
Mysid
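The situation Mysid describes, a provisioning account created as an ordinary Unix user that every other service on the box will happily authenticate, is easy to audit. The following is an added example, not code from the comment or from Polycom: a shell function that checks a passwd-style file and an sshd_config for the provisioning account and prints what to change. The file contents are constructed stand-ins; on a real server you would read /etc/passwd and /etc/ssh/sshd_config. It covers only the login shell and sshd; the POP3/IMAP daemon needs the equivalent restriction (Dovecot, for instance, can take a deny passdb listing the account), but the page does not say which daemon is in use, so the script does not touch it.

```sh
#!/bin/sh
# Added example, not from the comment: audit a Polycom boot server's local
# provisioning account so that the FTP credential cannot be reused for a
# shell or SSH login. Assumes the admin created the account under the
# Polycom default name (override with PROV_USER=...).
PROV_USER="${PROV_USER:-PlcmSpIp}"

# Constructed stand-ins for /etc/passwd and /etc/ssh/sshd_config, one weak
# pair and one hardened pair.
WEAK_PASSWD='root:x:0:0:root:/root:/bin/bash
PlcmSpIp:x:1001:1001:Polycom boot files:/srv/ftp/polycom:/bin/bash'
WEAK_SSHD='Port 22
PasswordAuthentication yes'
HARD_PASSWD='root:x:0:0:root:/root:/bin/bash
PlcmSpIp:x:1001:1001:Polycom boot files:/srv/ftp/polycom:/usr/sbin/nologin'
HARD_SSHD='Port 22
PasswordAuthentication yes
DenyUsers PlcmSpIp'

# audit_prov_account PASSWD_TEXT SSHD_TEXT
# Writes one finding per line to stderr, each with its fix, and prints the
# number of findings to stdout (0 means the account is confined as far as
# these two files can tell).
audit_prov_account() {
  passwd_text=$1
  sshd_text=$2
  findings=0

  shell=$(printf '%s\n' "$passwd_text" | awk -F: -v u="$PROV_USER" '$1 == u { print $7 }')
  if [ -z "$shell" ]; then
    echo "info: no local account named $PROV_USER in passwd" >&2
    echo 0
    return 0
  fi

  # An interactive shell means the FTP password also opens console and SSH logins.
  case "$shell" in
    */nologin|*/false) ;;
    *)
      echo "finding: $PROV_USER has login shell $shell; fix: usermod -s /usr/sbin/nologin $PROV_USER" >&2
      findings=$((findings + 1))
      ;;
  esac

  # Deny the account in sshd as well, so a later shell change cannot reopen SSH.
  if ! printf '%s\n' "$sshd_text" | grep -Eq "^[[:space:]]*DenyUsers([[:space:]]+[^[:space:]]+)*[[:space:]]+$PROV_USER([[:space:]]|$)"; then
    echo "finding: sshd_config does not list $PROV_USER in DenyUsers; fix: add 'DenyUsers $PROV_USER'" >&2
    findings=$((findings + 1))
  fi

  echo "$findings"
}

# Stand-alone run: the weak setup reports two findings, the hardened one none.
echo "weak setup: $(audit_prov_account "$WEAK_PASSWD" "$WEAK_SSHD") finding(s)"
echo "hardened setup: $(audit_prov_account "$HARD_PASSWD" "$HARD_SSHD") finding(s)"
```

One caveat when applying the nologin fix: some FTP daemons authenticate through a PAM stack that includes pam_shells, which rejects users whose shell is not listed in /etc/shells. If the phones stop fetching their configs after the change, add /usr/sbin/nologin to /etc/shells (or remove pam_shells from that daemon's PAM stack) rather than giving the account its shell back.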
