
SANS ISC: New Scans for Polycom Autoconfiguration Files - Internet Security | DShield SANS ISC InfoSec Forums


New Scans for Polycom Autoconfiguration Files

One of my honeypots detected a nice scan yesterday. A bot was looking for Polycom master provisioning files. By default, such a file is called '000000000000.cfg' and contains the information needed to provision VoIP phones. Normally, the file is renamed with the MAC address of the phone (ex: a1b2c3d4e5f6.cfg), but the default name can be left intact, and if a phone can't find its own MAC address-based configuration, it will pull the default file.

Here is the list of scanned files:

/cfgvoip/polycom/0000000000000.cfg
/configs/device/polycom/0000000000000.cfg
/device/polycom/0000000000000.cfg
/ftp/polycom/0000000000000.cfg
/bws/provisioner/polycom/0000000000000.cfg
/config/sipphone/polycom/0000000000000.cfg
/polycomftp/0000000000000.cfg
/p/config/polycom/0000000000000.cfg
/vcfg/polycom/0000000000000.cfg
/pbx/polycom/0000000000000.cfg
/home/tftpboot/polycom/0000000000000.cfg
/config/tftp/polycom/0000000000000.cfg
/pps/polycom/0000000000000.cfg
/tftproot/polycom/0000000000000.cfg
/xml/polycom/0000000000000.cfg
/app/polycom/0000000000000.cfg
/ipeconfig/polycom/0000000000000.cfg
/p/v2/config/polycom/0000000000000.cfg
/tftpboot/polycom/0000000000000.cfg
/SIPCfg/0000000000000.cfg
/voip_provisioning/0000000000000.cfg
/tftpboot/backup/0000000000000.cfg
/tftpphone/0000000000000.cfg
/voice/0000000000000.cfg
/files/0000000000000.cfg
/provisioner/0000000000000.cfg
/phoneprov/0000000000000.cfg
/pbxcfg/0000000000000.cfg
/l/0000000000000.cfg
/cfgsip/0000000000000.cfg
/cfgs/0000000000000.cfg
/sipphones/0000000000000.cfg
/cfgvoice/0000000000000.cfg
/sip_phone/0000000000000.cfg
/deskphone/0000000000000.cfg
/PP/0000000000000.cfg
/backup/0000000000000.cfg
/cfgvoip/0000000000000.cfg
/configs/device/0000000000000.cfg
/device/0000000000000.cfg
/ftp/0000000000000.cfg
/bws/provisioner/0000000000000.cfg
/config/sipphone/0000000000000.cfg
/p/config/0000000000000.cfg
/vcfg/0000000000000.cfg
/pbx/0000000000000.cfg
/home/tftpboot/0000000000000.cfg
/config/tftp/0000000000000.cfg
/pps/0000000000000.cfg
/tftproot/0000000000000.cfg
/xml/0000000000000.cfg
/app/0000000000000.cfg
/ipeconfig/0000000000000.cfg
/p/v2/config/0000000000000.cfg
/tftpboot/0000000000000.cfg
/devicecfg/0000000000000.cfg
/configpolycom/0000000000000.cfg
/voip/0000000000000.cfg
/phone/config/0000000000000.cfg
/config/phone/0000000000000.cfg
/voipprov/0000000000000.cfg
/cfgprov/0000000000000.cfg
/sip/config/0000000000000.cfg
/sip/0000000000000.cfg
/voipconfig/0000000000000.cfg
/tftp/0000000000000.cfg
/cfg/config/0000000000000.cfg
/sipphone/0000000000000.cfg
/devicecfg/polycom/0000000000000.cfg
/polycom/config/0000000000000.cfg
/sip/config/polycom/0000000000000.cfg
/polycom/phones/0000000000000.cfg
/sip/polycom/0000000000000.cfg
/polycom/phone/0000000000000.cfg
/sipphone/polycom/0000000000000.cfg
/config/phone/polycom/0000000000000.cfg
/cfg/config/polycom/0000000000000.cfg
/tftp/polycom/0000000000000.cfg
/voip/polycom/0000000000000.cfg
/phone/config/polycom/0000000000000.cfg
/voipconfig/polycom/0000000000000.cfg
/home/polycom/0000000000000.cfg
/cfgprov/polycom/0000000000000.cfg
/voipprov/polycom/0000000000000.cfg
/polycom/polycom/0000000000000.cfg
/autoprpvisioning/polycom/0000000000000.cfg
/autoprpvision/polycom/0000000000000.cfg
/autoprpv/polycom/0000000000000.cfg
/autoprovisioning/polycom/0000000000000.cfg
/autoprovision/polycom/0000000000000.cfg
/autoprov/polycom/0000000000000.cfg
/phones/polycom/0000000000000.cfg
/phone/polycom/0000000000000.cfg
/configs/polycom/0000000000000.cfg
/config/polycom/0000000000000.cfg
/conf/polycom/0000000000000.cfg
/cfg/polycom/0000000000000.cfg
/provisioning/polycom/0000000000000.cfg
/provision/polycom/0000000000000.cfg
/prov/polycom/0000000000000.cfg
/pv/polycom/0000000000000.cfg
/p/polycom/0000000000000.cfg
/polycom/0000000000000.cfg
/autoprpvisioning/0000000000000.cfg
/autoprpvision/0000000000000.cfg
/autoprpv/0000000000000.cfg
/autoprovisioning/0000000000000.cfg
/autoprovision/0000000000000.cfg
/autoprov/0000000000000.cfg
/phones/0000000000000.cfg
/phone/0000000000000.cfg
/configs/0000000000000.cfg
/config/0000000000000.cfg
/conf/0000000000000.cfg
/cfg/0000000000000.cfg
/provisioning/0000000000000.cfg
/provision/0000000000000.cfg
/prov/0000000000000.cfg
/pv/0000000000000.cfg
/p/0000000000000.cfg
/0000000000000.cfg

The IP address was 185.53.88.96 and has a bad score in our DShield database.

Such configuration files contain very sensitive information about internal networks and should never be publicly available. If you detected the same kind of scan recently, please share!
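As an added example that is not part of the original diary, here is a small log check for the behaviour described above: it flags a source that sweeps many directories for the all-zero master file and, more importantly, reports any provisioning file the server actually served with a 200. The log lines, the IPs 192.0.2.10 and 198.51.100.7 and the 3-request threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not real traffic.
# 192.0.2.10 sweeps candidate directories for the master file; 198.51.100.7
# fetches one MAC-named file that the server actually serves (status 200).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jul/2020:08:01:02 +0000] "GET /tftpboot/polycom/0000000000000.cfg HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jul/2020:08:01:02 +0000] "GET /provisioning/0000000000000.cfg HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jul/2020:08:01:03 +0000] "GET /0000000000000.cfg HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2020:08:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.68.0"
198.51.100.7 - - [10/Jul/2020:08:02:05 +0000] "GET /prov/a1b2c3d4e5f6.cfg HTTP/1.1" 200 2048 "-" "-"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# The Polycom master file is 000000000000.cfg (12 zeros); the bot in the diary
# asked for 13 zeros, so accept both. Per-phone files are <12 hex digits>.cfg.
MASTER_RE = re.compile(r'/0{12,13}\.cfg$', re.IGNORECASE)
MAC_RE = re.compile(r'/[0-9a-f]{12}\.cfg$', re.IGNORECASE)


def classify(path):
    """Return 'master', 'mac' or None for a requested URL path."""
    if MASTER_RE.search(path):
        return "master"
    if MAC_RE.search(path):
        return "mac"
    return None


def analyze(log_text):
    """Per source IP: counts of master/MAC requests and the set of served files."""
    stats = defaultdict(lambda: {"master": 0, "mac": 0, "served": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m["path"])
        if kind is None:
            continue
        entry = stats[m["ip"]]
        entry[kind] += 1
        if m["status"] == "200":  # a 200 means the file is publicly exposed
            entry["served"].add(m["path"])
    return stats


def scanners(log_text, threshold=3):
    """IPs that requested the master file at least `threshold` times."""
    return sorted(ip for ip, s in analyze(log_text).items() if s["master"] >= threshold)


def exposed_files(log_text):
    """Provisioning files the server actually returned: the finding to fix."""
    return set().union(*(s["served"] for s in analyze(log_text).values()))
```

A non-empty result from exposed_files() is the real problem: the scanner itself is noise, but a served .cfg means internal SIP credentials and server addresses are reachable from the Internet.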

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

We receive the same scan from the same IP.
Anonymous
