SANS ISC InfoSec Forums

New Scans for Polycom Autoconfiguration Files

One of my honeypots detected a nice scan yesterday. A bot was looking for Polycom master provisioning files. By default, such a file is called '000000000000.cfg' and contains the information needed to provision VoIP phones. Normally, this file is renamed with the MAC address of the phone (ex: a1b2c3d4e5f6.cfg), but the name can be left intact and, if the phone can't find its own MAC address-based configuration file, it will pull the default file.

Here is the list of scanned files:

/cfgvoip/polycom/0000000000000.cfg
/configs/device/polycom/0000000000000.cfg
/device/polycom/0000000000000.cfg
/ftp/polycom/0000000000000.cfg
/bws/provisioner/polycom/0000000000000.cfg
/config/sipphone/polycom/0000000000000.cfg
/polycomftp/0000000000000.cfg
/p/config/polycom/0000000000000.cfg
/vcfg/polycom/0000000000000.cfg
/pbx/polycom/0000000000000.cfg
/home/tftpboot/polycom/0000000000000.cfg
/config/tftp/polycom/0000000000000.cfg
/pps/polycom/0000000000000.cfg
/tftproot/polycom/0000000000000.cfg
/xml/polycom/0000000000000.cfg
/app/polycom/0000000000000.cfg
/ipeconfig/polycom/0000000000000.cfg
/p/v2/config/polycom/0000000000000.cfg
/tftpboot/polycom/0000000000000.cfg
/SIPCfg/0000000000000.cfg
/voip_provisioning/0000000000000.cfg
/tftpboot/backup/0000000000000.cfg
/tftpphone/0000000000000.cfg
/voice/0000000000000.cfg
/files/0000000000000.cfg
/provisioner/0000000000000.cfg
/phoneprov/0000000000000.cfg
/pbxcfg/0000000000000.cfg
/l/0000000000000.cfg
/cfgsip/0000000000000.cfg
/cfgs/0000000000000.cfg
/sipphones/0000000000000.cfg
/cfgvoice/0000000000000.cfg
/sip_phone/0000000000000.cfg
/deskphone/0000000000000.cfg
/PP/0000000000000.cfg
/backup/0000000000000.cfg
/cfgvoip/0000000000000.cfg
/configs/device/0000000000000.cfg
/device/0000000000000.cfg
/ftp/0000000000000.cfg
/bws/provisioner/0000000000000.cfg
/config/sipphone/0000000000000.cfg
/p/config/0000000000000.cfg
/vcfg/0000000000000.cfg
/pbx/0000000000000.cfg
/home/tftpboot/0000000000000.cfg
/config/tftp/0000000000000.cfg
/pps/0000000000000.cfg
/tftproot/0000000000000.cfg
/xml/0000000000000.cfg
/app/0000000000000.cfg
/ipeconfig/0000000000000.cfg
/p/v2/config/0000000000000.cfg
/tftpboot/0000000000000.cfg
/devicecfg/0000000000000.cfg
/configpolycom/0000000000000.cfg
/voip/0000000000000.cfg
/phone/config/0000000000000.cfg
/config/phone/0000000000000.cfg
/voipprov/0000000000000.cfg
/cfgprov/0000000000000.cfg
/sip/config/0000000000000.cfg
/sip/0000000000000.cfg
/voipconfig/0000000000000.cfg
/tftp/0000000000000.cfg
/cfg/config/0000000000000.cfg
/sipphone/0000000000000.cfg
/devicecfg/polycom/0000000000000.cfg
/polycom/config/0000000000000.cfg
/sip/config/polycom/0000000000000.cfg
/polycom/phones/0000000000000.cfg
/sip/polycom/0000000000000.cfg
/polycom/phone/0000000000000.cfg
/sipphone/polycom/0000000000000.cfg
/config/phone/polycom/0000000000000.cfg
/cfg/config/polycom/0000000000000.cfg
/tftp/polycom/0000000000000.cfg
/voip/polycom/0000000000000.cfg
/phone/config/polycom/0000000000000.cfg
/voipconfig/polycom/0000000000000.cfg
/home/polycom/0000000000000.cfg
/cfgprov/polycom/0000000000000.cfg
/voipprov/polycom/0000000000000.cfg
/polycom/polycom/0000000000000.cfg
/autoprpvisioning/polycom/0000000000000.cfg
/autoprpvision/polycom/0000000000000.cfg
/autoprpv/polycom/0000000000000.cfg
/autoprovisioning/polycom/0000000000000.cfg
/autoprovision/polycom/0000000000000.cfg
/autoprov/polycom/0000000000000.cfg
/phones/polycom/0000000000000.cfg
/phone/polycom/0000000000000.cfg
/configs/polycom/0000000000000.cfg
/config/polycom/0000000000000.cfg
/conf/polycom/0000000000000.cfg
/cfg/polycom/0000000000000.cfg
/provisioning/polycom/0000000000000.cfg
/provision/polycom/0000000000000.cfg
/prov/polycom/0000000000000.cfg
/pv/polycom/0000000000000.cfg
/p/polycom/0000000000000.cfg
/polycom/0000000000000.cfg
/autoprpvisioning/0000000000000.cfg
/autoprpvision/0000000000000.cfg
/autoprpv/0000000000000.cfg
/autoprovisioning/0000000000000.cfg
/autoprovision/0000000000000.cfg
/autoprov/0000000000000.cfg
/phones/0000000000000.cfg
/phone/0000000000000.cfg
/configs/0000000000000.cfg
/config/0000000000000.cfg
/conf/0000000000000.cfg
/cfg/0000000000000.cfg
/provisioning/0000000000000.cfg
/provision/0000000000000.cfg
/prov/0000000000000.cfg
/pv/0000000000000.cfg
/p/0000000000000.cfg
/0000000000000.cfg

The IP address was 185.53.88.96 and it has a bad score in our DShield database.

Such configuration files contain very sensitive information about internal networks and should never be publicly available. If you detected the same kind of scan recently, please share!
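As an added example (not part of the diary and not ISC tooling), the following script shows how a defender can spot this kind of scan in an ordinary web-server access log and, more importantly, find out whether a provisioning file was actually served. It assumes the Apache/nginx "combined" log format; the log lines, IP addresses (documentation ranges), directory names and the threshold of three distinct directories are all constructed for the example. The default file name is matched with 12 or 13 zeros, because the diary names 000000000000.cfg while the bot above requested 0000000000000.cfg.

```python
import re
from collections import defaultdict
from posixpath import basename

# Constructed sample access log (combined format); not taken from the diary.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Sep/2019:08:12:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Sep/2019:08:12:02 +0000] "GET /logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Sep/2019:08:15:10 +0000] "GET /polycom/0000000000000.cfg HTTP/1.1" 404 162 "-" "-"
198.51.100.7 - - [27/Sep/2019:08:15:10 +0000] "GET /tftpboot/0000000000000.cfg HTTP/1.1" 404 162 "-" "-"
198.51.100.7 - - [27/Sep/2019:08:15:11 +0000] "GET /provisioning/polycom/0000000000000.cfg HTTP/1.1" 404 162 "-" "-"
198.51.100.7 - - [27/Sep/2019:08:15:11 +0000] "GET /0000000000000.cfg HTTP/1.1" 404 162 "-" "-"
192.0.2.44 - - [27/Sep/2019:08:20:00 +0000] "GET /prov/a1b2c3d4e5f6.cfg HTTP/1.1" 200 3310 "-" "-"
192.0.2.44 - - [27/Sep/2019:08:20:00 +0000] "GET /prov/000000000000.cfg HTTP/1.1" 200 1200 "-" "-"
"""

# Apache/nginx "combined" log format (assumption: adjust for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Default master file: all zeros (12 zeros per the diary, 13 as seen in the scan).
DEFAULT_MASTER_RE = re.compile(r'^0{12,13}\.cfg$', re.IGNORECASE)
# Per-phone file named after the MAC address, e.g. a1b2c3d4e5f6.cfg.
MAC_NAMED_RE = re.compile(r'^[0-9a-f]{12}\.cfg$', re.IGNORECASE)


def parse_line(line):
    """Return a dict with ip, ts, method, path, status; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def _filename(path):
    # Strip any query string before taking the last path component.
    return basename(path.split("?", 1)[0])


def is_default_master_file(path):
    """True if the request targets an all-zeros default provisioning file."""
    return DEFAULT_MASTER_RE.match(_filename(path)) is not None


def is_provisioning_request(path):
    """True for any Polycom-style .cfg request (default master or MAC-named)."""
    name = _filename(path)
    return DEFAULT_MASTER_RE.match(name) is not None or MAC_NAMED_RE.match(name) is not None


def find_scanners(log_text, min_paths=3):
    """Map source IP -> sorted distinct paths for sources that probe the default
    master file under at least `min_paths` different directories.

    A real phone fetches from the one directory it was told about; a bot walks
    a long list of candidate directories, as in the diary above.
    """
    paths_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_default_master_file(rec["path"]):
            paths_by_ip[rec["ip"]].add(rec["path"])
    return {ip: sorted(p) for ip, p in paths_by_ip.items() if len(p) >= min_paths}


def served_provisioning_files(log_text):
    """Return (ip, path) pairs where a provisioning file was answered with 200.

    Any such hit means the file is reachable from wherever that client sits,
    which is the exposure the diary warns about.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 200 and is_provisioning_request(rec["path"]):
            hits.append((rec["ip"], rec["path"]))
    return hits


if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(f"scan from {ip}: {len(paths)} distinct default-file paths")
        for p in paths:
            print("   ", p)
    for ip, path in served_provisioning_files(SAMPLE_LOG):
        print(f"served provisioning file {path} to {ip}: review exposure")
```

Run against a real log, the interesting output is the second list: 404s from a scanner are noise, but a 200 for any *.cfg to an address that is not one of your phones means the provisioning directory is exposed and the file's contents should be treated as disclosed.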

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS London September 2020

Xme, ISC Handler (537 Posts), Sep 27th 2019
We receive the same scan from the same IP.
Anonymous
