POP3 Server Brute Forcing Attempts Using Polycom Credentials
Our reader Pete submitted an interesting set of log entries from his POP3 server:
LOGIN FAILED, user=PlcmSpIp, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=ts, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=bsoft, ip=[::ffff:117.102.119.146]
The interesting part is that the attacker used usernames that are usually associated with Polycom SIP PBXs. I don't have a Polycom server handy, but if anybody has: Do they usually include a POP3 server? Or do they require POP3 accounts for these credentials?
------Johannes B. Ullrich, Ph.D.
SANS Technology Institute
×
Diary Archives