POP3 Server Brute Forcing Attempts Using Polycom Credentials
Our reader Pete submitted an interesting set of log entries from his POP3 server:
LOGIN FAILED, user=PlcmSpIp, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=ts, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=bsoft, ip=[::ffff:117.102.119.146]
The interesting part is that the attacker used usernames that are usually associated with Polycom SIP PBXs. I don't have a Polycom server handy, but if anybody has: Do they usually include a POP3 server? Or do they require POP3 accounts for these credentials?
------Johannes B. Ullrich, Ph.D.
SANS Technology Institute
My next class:
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
×
Diary Archives
Comments
A lot of SIP phone implementers set this to a weak password, and is frequently the same password used for a SIP registration secret, the administration web page for an Asterisk PBX, SSH access into the underlying Linux or *BSD OS, etc etc.
Anonymous
Jul 31st 2013
1 decade ago
Anonymous
Jul 31st 2013
1 decade ago
If a default config FTP server is used; the admin may have just created PlcmSpIp as a unix user, and neglected to prevent the PlcmSpIp user from having access to POP3, SSH, or other services running on the server.
Such boot servers might be open to the world.
An alternative username and password can be selected and provided in the URL string given by DHCP option 150.
Anonymous
Aug 2nd 2013
1 decade ago