
SANS ISC: POP3 Server Brute Forcing Attempts Using Polycom Credentials SANS ISC InfoSec Forums

POP3 Server Brute Forcing Attempts Using Polycom Credentials

Our reader Pete submitted an interesting set of log entries from his POP3 server:

LOGIN FAILED, user=PlcmSpIp, ip=[::ffff:]
LOGIN FAILED, user=plcmspip, ip=[::ffff:]
LOGIN FAILED, user=plcmspip, ip=[::ffff:]
LOGIN FAILED, user=ts, ip=[::ffff:]
LOGIN FAILED, user=bsoft, ip=[::ffff:]

The interesting part is that the attacker used usernames that are usually associated with Polycom SIP PBXs. I don't have a Polycom server handy, but if anybody has one: do they usually include a POP3 server? Or do they require POP3 accounts for these credentials?

Johannes B. Ullrich, Ph.D.
SANS Technology Institute



4307 Posts
ISC Handler
Jul 31st 2013
The user plcmspip is the default user name Polycom SoundPoint IP SIP phones use to download their config from FTP servers.

A lot of SIP phone implementers set this to a weak password, and it is frequently the same password used for a SIP registration secret, the administration web page for an Asterisk PBX, SSH access into the underlying Linux or *BSD OS, etc.
Some Asterisk distributions (definitely Elastix, for instance) include POP3, IMAP, and SMTP services enabled by default.
The Polycom phones by default use username PlcmSpIp and password PlcmSpIp when downloading the config from the FTP server.

If a default config FTP server is used, the admin may have just created PlcmSpIp as a Unix user, and neglected to prevent the PlcmSpIp user from having access to POP3, SSH, or other services running on the server.

Such boot servers might be open to the world.
An alternative username and password can be selected and provided in the URL string given by DHCP option 150.

146 Posts
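An added example, not part of the original diary or comments: a log check that groups failed POP3 logins for the device-default usernames seen in the excerpt above by source address, and marks guesses that hit an account which actually exists on the server (the situation the last comment describes). The function names, the watchlist, and the sample lines are assumptions made for illustration; the log format is taken from the excerpt, and the addresses are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Usernames from the log excerpt on this page, lower-cased: the attempts used
# both "PlcmSpIp" and "plcmspip", so matching is case-insensitive.
DEVICE_DEFAULT_USERS = {"plcmspip", "ts", "bsoft"}
LINE_RE = re.compile(r"LOGIN FAILED, user=(?P<user>[^,\s]+), ip=\[(?P<ip>[^\]]*)\]")

# Constructed sample; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
LOGIN FAILED, user=PlcmSpIp, ip=[::ffff:192.0.2.10]
LOGIN FAILED, user=plcmspip, ip=[::ffff:192.0.2.10]
LOGIN FAILED, user=ts, ip=[::ffff:192.0.2.10]
LOGIN FAILED, user=bsoft, ip=[::ffff:203.0.113.7]
LOGIN FAILED, user=alice, ip=[::ffff:198.51.100.4]
LOGIN FAILED, user=plcmspip, ip=[::ffff:]
""".splitlines()


def normalize_ip(raw):
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d); 'unknown' if unparsable."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:  # redacted or truncated, e.g. "::ffff:"
        return "unknown"
    return str(getattr(addr, "ipv4_mapped", None) or addr)


def failed_default_logins(lines, local_accounts=()):
    """Group failed default-username logins by source; flag names in local_accounts."""
    hits = defaultdict(lambda: {"attempts": 0, "users": set(), "existing": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["user"].lower() not in DEVICE_DEFAULT_USERS:
            continue
        entry = hits[normalize_ip(m["ip"])]
        entry["attempts"] += 1
        entry["users"].add(m["user"])
        if m["user"] in local_accounts:  # exact match: Unix names are case-sensitive
            entry["existing"].add(m["user"])
    return dict(hits)


if __name__ == "__main__":
    for src, e in failed_default_logins(SAMPLE_LOG, {"PlcmSpIp"}).items():
        note = " (account exists locally)" if e["existing"] else ""
        print(f"{src}: {e['attempts']} attempts, users={sorted(e['users'])}{note}")
```

A source whose guesses land in the `existing` set is the case worth acting on first: that account should be restricted to the provisioning service only, or renamed via the alternative credentials mentioned above.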
