SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

POP3 Server Brute Forcing Attempts Using Polycom Credentials

Published: 2013-07-31
Last Updated: 2013-07-31 16:26:38 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Our reader Pete submitted an interesting set of log entries from his POP3 server:

LOGIN FAILED, user=PlcmSpIp, ip=[::ffff:]
LOGIN FAILED, user=plcmspip, ip=[::ffff:]
LOGIN FAILED, user=plcmspip, ip=[::ffff:]
LOGIN FAILED, user=ts, ip=[::ffff:]
LOGIN FAILED, user=bsoft, ip=[::ffff:]

The interesting part is that the attacker used usernames that are usually associated with Polycom SIP PBXs. I don't have a Polycom server handy, but if anybody does: do they usually include a POP3 server? Or do they require POP3 accounts for these credentials?

Johannes B. Ullrich, Ph.D.
SANS Technology Institute
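
An added example, not part of the original diary: one way to spot this pattern in a POP3 log is to match failed-login usernames against a watchlist of device default account names and group the hits by source address. The watchlist holds only the names from the excerpt above; the sample addresses, the function names and the local_users parameter are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Usernames from the diary's log excerpt, lower-cased: the excerpt shows
# both "PlcmSpIp" and "plcmspip", so matching is case-insensitive.
WATCHLIST = {"plcmspip", "ts", "bsoft"}

# Log format as quoted in the diary; the address may be empty or redacted.
LINE_RE = re.compile(r"LOGIN FAILED, user=(?P<user>[^,]+), ip=\[(?P<ip>[^\]]*)\]")

# Constructed sample input (documentation address ranges), not real log data.
SAMPLE_LOG = """\
LOGIN FAILED, user=PlcmSpIp, ip=[::ffff:192.0.2.10]
LOGIN FAILED, user=plcmspip, ip=[::ffff:192.0.2.10]
LOGIN FAILED, user=ts, ip=[::ffff:192.0.2.10]
LOGIN FAILED, user=bsoft, ip=[::ffff:192.0.2.10]
LOGIN FAILED, user=alice, ip=[::ffff:198.51.100.7]
LOGIN FAILED, user=plcmspip, ip=[::ffff:]
"""

def normalize_ip(raw):
    """Return the source address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return "unknown"  # empty or redacted field such as "::ffff:"
    return str(getattr(addr, "ipv4_mapped", None) or addr)

def find_default_cred_probes(log_text, local_users=frozenset()):
    """Map source address -> sorted watchlist names it tried.

    Names that exist as local mailboxes (lower-cased) are skipped, so a
    real user mistyping a password is not reported as a probe.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user = m.group("user").strip().lower()
        if user in WATCHLIST and user not in local_users:
            hits[normalize_ip(m.group("ip"))].add(user)
    return {src: sorted(names) for src, names in hits.items()}

if __name__ == "__main__":
    for src, names in find_default_cred_probes(SAMPLE_LOG).items():
        print(f"{src}: failed logins for device default account names {names}")
```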
