POP3 Server Brute Forcing Attempts Using Polycom Credentials

Published: 2013-07-31
Last Updated: 2013-07-31 16:26:38 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Our reader Pete submitted an interesting set of log entries from his POP3 server:

LOGIN FAILED, user=PlcmSpIp, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=ts, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=bsoft, ip=[::ffff:117.102.119.146]

The interesting part is that the attacker used usernames that are usually associated with Polycom SIP PBXs. I don't have a Polycom server handy, but if anybody has: Do they usually include a POP3 server? Or do they require POP3 accounts for these credentials?

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

3 comment(s)

Comments

The user plcmspip is the default user name Polycom SoundPoint IP SIP phones use to download their config from FTP servers.

A lot of SIP phone implementers set this to a weak password, and is frequently the same password used for a SIP registration secret, the administration web page for an Asterisk PBX, SSH access into the underlying Linux or *BSD OS, etc etc.
Some Asterisk distributions (definitely Elasix, for instance) include POP3, IMAP, and SMTP services enabled by default.
The Polycom phones by default use username PlcmSpIp and password PlcmSpIp when downloading the config from the FTP server.

If a default config FTP server is used; the admin may have just created PlcmSpIp as a unix user, and neglected to prevent the PlcmSpIp user from having access to POP3, SSH, or other services running on the server.

Such boot servers might be open to the world.
An alternative username and password can be selected and provided in the URL string given by DHCP option 150.

Diary Archives