JP Vossen on 7 Jun 2012 18:09:10 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] SSH brute force attacks using PlcmSpIp

May be of special interest to VoIP folks...

Today a non-public server I manage on a Comcast residential DHCP IP in NJ saw a small SSH brute-force attack from Virpus Networks. My own Linode hosted server was also attacked by them in Jan & Feb from and Today's attack was from

Virpus was unresponsive when I reported the attacks in January. They claimed they opened a ticket, but the attacks didn't stop, so I blacklisted them. I didn't bother to report it again today, I just blacklisted them again on the other server.

What is interesting is that:
* I run SSH on a very high, non-standard port, not TCP/22
* These guys are the *only* SSH brute force attacks in my recent memory
* There is nothing to connect these 2 servers, so this is a wide-spread scan
* This new attack uses root and:
	5 test		Duh
	2 user
	2 oracle	Duh
	2 guest		Duh
	1 PlcmSpIp	Default user/pass on Polycom phones
	1 aaron
	1 admin		Duh
	1 apache	Duh
	1 gary
	1 gt05		Maybe a Panasonic display device
	1 iraf		Maybe
	1 lab
	1 pos
	1 production	Duh
	1 stephanie
	1 stud
	1 svn		Duh
	1 swsoft	Maybe
	1 trash
	1 william
1 zabbix enterprise-class open source distributed monitoring solution for networks and applications

JP Vossen, CISSP            |:::======|
My Account, My Opinions     |=========|
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --