Threat Level: green Handler on Duty: Russ McRee

SANS ISC: InfoSec Handlers Diary Blog

SANS Site Network

Current Site

SANS Internet Storm Center

Other SANS Sites Help

Graduate Degree Programs

Security Training

Security Certification

Security Awareness Training

Penetration Testing

Industrial Control Systems

Cyber Defense Foundations

DFIR

Software Security

Government OnSite Training

InfoSec Handlers Diary Blog

Log In or Sign Up for Free!

POP3 Server Brute Forcing Attempts Using Polycom Credentials

Published: 2013-07-31
Last Updated: 2013-07-31 16:26:38 UTC
by Johannes Ullrich (Version: 1)

Our reader Pete submitted an interesting set of log entries from his POP3 server:

LOGIN FAILED, user=PlcmSpIp, ip=[::ffff:117.102.119.146] LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146] LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146] LOGIN FAILED, user=ts, ip=[::ffff:117.102.119.146] LOGIN FAILED, user=bsoft, ip=[::ffff:117.102.119.146]


	

The interesting part is that the attacker used usernames that are usually associated
with Polycom SIP PBXs. I don't have a Polycom server handy, but if anybody has: Do
they usually include a POP3 server? Or do they require POP3 accounts for these 
credentials? 




	------

	Johannes B. Ullrich, Ph.D.

	SANS Technology Institute

	Twitter


Keywords: brute forcing polycom pop3 
3 comment(s)



    previous
    next
Top of page


  
  ×

  
  

  
  

Diary Archives


    
        
	    
	    
            Contact Us
                
		    Contact Us
                    About Us
                    Handlers
                
            
            Diary
            Podcasts
            Jobs
            Tools
                
                    DShield Sensor
		    DNS Looking Glass
                    Honeypot (RPi/AWS)
                    InfoSec Glossary
                    Fightback
                
            
            Data
                
                    HTTP Header Activity
                    TCP/UDP Port Activity
                    Port Trends
                    Presentations & Papers
                    SSH Scanning Activity
                    SSL CRL Activity
                    Suspicious Domains
                    Threat Feeds Activity
                    Threat Feeds Map
                    Useful InfoSec Links
		    Weblogs
		    Research Papers
                
            
            Forums
                
                    Auditing
                    Diary Discussions
                    Forensics
                    General Discussions
                    Industry News
                    Network Security
                    Penetration Testing
                    Software Security
                
            
        


Questions? Feedback?

Use our contact form or

report bugs here

For interactive help and to chat with other users, try our 

Slack group.



	
        YouTube
        Twitter
        LinkedIn
        ISC Feed
	
	
	
        Shop
        Link To Us
        About Us
        Handlers
        Privacy Policy
        Back To Top
	
	Developers: We have an API for you!