New Scans for Polycom Autoconfiguration Files
One of my honeypots detected a nice scan yesterday. A bot was looking for Polycom master provisioning files. Such files are called by default '000000000000.cfg’ and contain interesting information to perform provisioning of VoIP phones. Normally, this file is renamed with the MAC address of the phone (ex: a1b2c3d4e5f6.cfg) but the name can be left intact and, if the phone can’t find his own MAC address-based configuration, it will pull the default file.
Here is the list of scanned files:
/cfgvoip/polycom/0000000000000.cfg /configs/device/polycom/0000000000000.cfg /device/polycom/0000000000000.cfg /ftp/polycom/0000000000000.cfg /bws/provisioner/polycom/0000000000000.cfg /config/sipphone/polycom/0000000000000.cfg /polycomftp/0000000000000.cfg /p/config/polycom/0000000000000.cfg /vcfg/polycom/0000000000000.cfg /pbx/polycom/0000000000000.cfg /home/tftpboot/polycom/0000000000000.cfg /config/tftp/polycom/0000000000000.cfg /pps/polycom/0000000000000.cfg /tftproot/polycom/0000000000000.cfg /xml/polycom/0000000000000.cfg /app/polycom/0000000000000.cfg /ipeconfig/polycom/0000000000000.cfg /p/v2/config/polycom/0000000000000.cfg /tftpboot/polycom/0000000000000.cfg /SIPCfg/0000000000000.cfg /voip_provisioning/0000000000000.cfg /tftpboot/backup/0000000000000.cfg /tftpphone/0000000000000.cfg /voice/0000000000000.cfg /files/0000000000000.cfg /provisioner/0000000000000.cfg /phoneprov/0000000000000.cfg /pbxcfg/0000000000000.cfg /l/0000000000000.cfg /cfgsip/0000000000000.cfg /cfgs/0000000000000.cfg /sipphones/0000000000000.cfg /cfgvoice/0000000000000.cfg /sip_phone/0000000000000.cfg /deskphone/0000000000000.cfg /PP/0000000000000.cfg /backup/0000000000000.cfg /cfgvoip/0000000000000.cfg /configs/device/0000000000000.cfg /device/0000000000000.cfg /ftp/0000000000000.cfg /bws/provisioner/0000000000000.cfg /config/sipphone/0000000000000.cfg /p/config/0000000000000.cfg /vcfg/0000000000000.cfg /pbx/0000000000000.cfg /home/tftpboot/0000000000000.cfg /config/tftp/0000000000000.cfg /pps/0000000000000.cfg /tftproot/0000000000000.cfg /xml/0000000000000.cfg /app/0000000000000.cfg /ipeconfig/0000000000000.cfg /p/v2/config/0000000000000.cfg /tftpboot/0000000000000.cfg /devicecfg/0000000000000.cfg /configpolycom/0000000000000.cfg /voip/0000000000000.cfg /phone/config/0000000000000.cfg /config/phone/0000000000000.cfg /voipprov/0000000000000.cfg /cfgprov/0000000000000.cfg /sip/config/0000000000000.cfg /sip/0000000000000.cfg /voipconfig/0000000000000.cfg /tftp/0000000000000.cfg /cfg/config/0000000000000.cfg /sipphone/0000000000000.cfg /devicecfg/polycom/0000000000000.cfg /polycom/config/0000000000000.cfg /sip/config/polycom/0000000000000.cfg /polycom/phones/0000000000000.cfg /sip/polycom/0000000000000.cfg /polycom/phone/0000000000000.cfg /sipphone/polycom/0000000000000.cfg /config/phone/polycom/0000000000000.cfg /cfg/config/polycom/0000000000000.cfg /tftp/polycom/0000000000000.cfg /voip/polycom/0000000000000.cfg /phone/config/polycom/0000000000000.cfg /voipconfig/polycom/0000000000000.cfg /home/polycom/0000000000000.cfg /cfgprov/polycom/0000000000000.cfg /voipprov/polycom/0000000000000.cfg /polycom/polycom/0000000000000.cfg /autoprpvisioning/polycom/0000000000000.cfg /autoprpvision/polycom/0000000000000.cfg /autoprpv/polycom/0000000000000.cfg /autoprovisioning/polycom/0000000000000.cfg /autoprovision/polycom/0000000000000.cfg /autoprov/polycom/0000000000000.cfg /phones/polycom/0000000000000.cfg /phone/polycom/0000000000000.cfg /configs/polycom/0000000000000.cfg /config/polycom/0000000000000.cfg /conf/polycom/0000000000000.cfg /cfg/polycom/0000000000000.cfg /provisioning/polycom/0000000000000.cfg /provision/polycom/0000000000000.cfg /prov/polycom/0000000000000.cfg /pv/polycom/0000000000000.cfg /p/polycom/0000000000000.cfg /polycom/0000000000000.cfg /autoprpvisioning/0000000000000.cfg /autoprpvision/0000000000000.cfg /autoprpv/0000000000000.cfg /autoprovisioning/0000000000000.cfg /autoprovision/0000000000000.cfg /autoprov/0000000000000.cfg /phones/0000000000000.cfg /phone/0000000000000.cfg /configs/0000000000000.cfg /config/0000000000000.cfg /conf/0000000000000.cfg /cfg/0000000000000.cfg /provisioning/0000000000000.cfg /provision/0000000000000.cfg /prov/0000000000000.cfg /pv/0000000000000.cfg /p/0000000000000.cfg /0000000000000.cfg
The IP address was %%ip:185.53.88.96% and has a bad score in our DShield database.
Such configuration files contain very sensitive information about internal networks and should never be publicly available. If you detected the same kind of scan recently, please share!
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Reverse-Engineering Malware: Advanced Code Analysis | Online | Greenwich Mean Time | Oct 28th - Nov 1st 2024 |
Comments
Anonymous
Sep 27th 2019
5 years ago