My next class:
Reverse-Engineering Malware: Advanced Code Analysis | Online | Greenwich Mean Time | Oct 28th - Nov 1st 2024

New Scans for Polycom Autoconfiguration Files

Published: 2019-09-27. Last Updated: 2019-09-27 07:13:05 UTC
by Xavier Mertens (Version: 1)
1 comment(s)

One of my honeypots detected a nice scan yesterday. A bot was looking for Polycom master provisioning files. By default, this file is called '000000000000.cfg' and contains the information needed to provision VoIP phones. Normally, each phone gets its own configuration file named after its MAC address (e.g. a1b2c3d4e5f6.cfg), but the default file can be left in place: if a phone cannot find its MAC address-based configuration, it falls back to the default file. Note that the paths requested by the bot (listed below) use thirteen zeros in the file name rather than the twelve of the real default file.

Here is the list of scanned files:

/cfgvoip/polycom/0000000000000.cfg
/configs/device/polycom/0000000000000.cfg
/device/polycom/0000000000000.cfg
/ftp/polycom/0000000000000.cfg
/bws/provisioner/polycom/0000000000000.cfg
/config/sipphone/polycom/0000000000000.cfg
/polycomftp/0000000000000.cfg
/p/config/polycom/0000000000000.cfg
/vcfg/polycom/0000000000000.cfg
/pbx/polycom/0000000000000.cfg
/home/tftpboot/polycom/0000000000000.cfg
/config/tftp/polycom/0000000000000.cfg
/pps/polycom/0000000000000.cfg
/tftproot/polycom/0000000000000.cfg
/xml/polycom/0000000000000.cfg
/app/polycom/0000000000000.cfg
/ipeconfig/polycom/0000000000000.cfg
/p/v2/config/polycom/0000000000000.cfg
/tftpboot/polycom/0000000000000.cfg
/SIPCfg/0000000000000.cfg
/voip_provisioning/0000000000000.cfg
/tftpboot/backup/0000000000000.cfg
/tftpphone/0000000000000.cfg
/voice/0000000000000.cfg
/files/0000000000000.cfg
/provisioner/0000000000000.cfg
/phoneprov/0000000000000.cfg
/pbxcfg/0000000000000.cfg
/l/0000000000000.cfg
/cfgsip/0000000000000.cfg
/cfgs/0000000000000.cfg
/sipphones/0000000000000.cfg
/cfgvoice/0000000000000.cfg
/sip_phone/0000000000000.cfg
/deskphone/0000000000000.cfg
/PP/0000000000000.cfg
/backup/0000000000000.cfg
/cfgvoip/0000000000000.cfg
/configs/device/0000000000000.cfg
/device/0000000000000.cfg
/ftp/0000000000000.cfg
/bws/provisioner/0000000000000.cfg
/config/sipphone/0000000000000.cfg
/p/config/0000000000000.cfg
/vcfg/0000000000000.cfg
/pbx/0000000000000.cfg
/home/tftpboot/0000000000000.cfg
/config/tftp/0000000000000.cfg
/pps/0000000000000.cfg
/tftproot/0000000000000.cfg
/xml/0000000000000.cfg
/app/0000000000000.cfg
/ipeconfig/0000000000000.cfg
/p/v2/config/0000000000000.cfg
/tftpboot/0000000000000.cfg
/devicecfg/0000000000000.cfg
/configpolycom/0000000000000.cfg
/voip/0000000000000.cfg
/phone/config/0000000000000.cfg
/config/phone/0000000000000.cfg
/voipprov/0000000000000.cfg
/cfgprov/0000000000000.cfg
/sip/config/0000000000000.cfg
/sip/0000000000000.cfg
/voipconfig/0000000000000.cfg
/tftp/0000000000000.cfg
/cfg/config/0000000000000.cfg
/sipphone/0000000000000.cfg
/devicecfg/polycom/0000000000000.cfg
/polycom/config/0000000000000.cfg
/sip/config/polycom/0000000000000.cfg
/polycom/phones/0000000000000.cfg
/sip/polycom/0000000000000.cfg
/polycom/phone/0000000000000.cfg
/sipphone/polycom/0000000000000.cfg
/config/phone/polycom/0000000000000.cfg
/cfg/config/polycom/0000000000000.cfg
/tftp/polycom/0000000000000.cfg
/voip/polycom/0000000000000.cfg
/phone/config/polycom/0000000000000.cfg
/voipconfig/polycom/0000000000000.cfg
/home/polycom/0000000000000.cfg
/cfgprov/polycom/0000000000000.cfg
/voipprov/polycom/0000000000000.cfg
/polycom/polycom/0000000000000.cfg
/autoprpvisioning/polycom/0000000000000.cfg
/autoprpvision/polycom/0000000000000.cfg
/autoprpv/polycom/0000000000000.cfg
/autoprovisioning/polycom/0000000000000.cfg
/autoprovision/polycom/0000000000000.cfg
/autoprov/polycom/0000000000000.cfg
/phones/polycom/0000000000000.cfg
/phone/polycom/0000000000000.cfg
/configs/polycom/0000000000000.cfg
/config/polycom/0000000000000.cfg
/conf/polycom/0000000000000.cfg
/cfg/polycom/0000000000000.cfg
/provisioning/polycom/0000000000000.cfg
/provision/polycom/0000000000000.cfg
/prov/polycom/0000000000000.cfg
/pv/polycom/0000000000000.cfg
/p/polycom/0000000000000.cfg
/polycom/0000000000000.cfg
/autoprpvisioning/0000000000000.cfg
/autoprpvision/0000000000000.cfg
/autoprpv/0000000000000.cfg
/autoprovisioning/0000000000000.cfg
/autoprovision/0000000000000.cfg
/autoprov/0000000000000.cfg
/phones/0000000000000.cfg
/phone/0000000000000.cfg
/configs/0000000000000.cfg
/config/0000000000000.cfg
/conf/0000000000000.cfg
/cfg/0000000000000.cfg
/provisioning/0000000000000.cfg
/provision/0000000000000.cfg
/prov/0000000000000.cfg
/pv/0000000000000.cfg
/p/0000000000000.cfg
/0000000000000.cfg

The IP address was 185.53.88.96 and already has a bad score in our DShield database.

Such configuration files contain very sensitive information about internal networks and should never be publicly available. If you detected the same kind of scan recently, please share!
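If you want to check your own web or provisioning server logs for the same kind of probing, the following script is an added example written for this diary (it is not code from the ISC post). It parses combined-format access log lines, flags any source that requested several distinct Polycom-style provisioning file names (the 12- or 13-zero default file, or a 12-hex-digit MAC-named file), and reports which of those requests were actually answered with a 200, i.e. which files are exposed. The log lines, the IP addresses, the MAC address and the threshold of three distinct paths are all constructed assumptions for the demo.

```python
"""Flag requests for Polycom provisioning files in web-server access logs.

Added example for this ISC diary, not the author's code. The log lines,
addresses and threshold below are constructed for the demonstration.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Apache/nginx "combined" format: ip - - [ts] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

# Polycom-style provisioning file name at the end of the path:
# the default file (twelve zeros, or the thirteen-zero variant seen in the scan)
# or a per-phone file named after a 12-hex-digit MAC address.
PROV_FILE_RE = re.compile(r'/(?:0{12,13}|[0-9a-fA-F]{12})\.cfg$')


def polycom_request_order(mac: str) -> list[str]:
    """File names a Polycom phone asks for, in order: its own MAC-named
    file first, then the master default file it falls back to."""
    mac = mac.replace(":", "").replace("-", "").lower()
    if not re.fullmatch(r"[0-9a-f]{12}", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return [f"{mac}.cfg", "000000000000.cfg"]


def parse_line(line: str) -> dict | None:
    """Return the fields of one combined-format log line, or None if unparsable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_provisioning_probes(lines, min_paths: int = 3) -> dict:
    """Map source IP -> {"paths": [...], "served": [...]} for every source that
    requested at least min_paths distinct provisioning-file paths. "served"
    lists the paths that returned 200, i.e. files that are really exposed.
    A single phone fetching its own config requests one or two paths and is
    therefore not flagged with the default threshold."""
    hits = defaultdict(lambda: {"paths": set(), "served": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not PROV_FILE_RE.search(rec["path"]):
            continue
        h = hits[rec["ip"]]
        h["paths"].add(rec["path"])
        if rec["status"] == "200":
            h["served"].add(rec["path"])
    return {
        ip: {"paths": sorted(h["paths"]), "served": sorted(h["served"])}
        for ip, h in hits.items()
        if len(h["paths"]) >= min_paths
    }


# Constructed sample log: a scanner walking default paths (one of them exposed),
# plus one legitimate phone fetching only its own files. Addresses are from
# documentation ranges; the MAC address is made up.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Sep/2019:06:01:10 +0000] "GET /polycom/0000000000000.cfg HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [27/Sep/2019:06:01:10 +0000] "GET /tftpboot/0000000000000.cfg HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [27/Sep/2019:06:01:11 +0000] "GET /provisioning/0000000000000.cfg HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [27/Sep/2019:06:01:11 +0000] "GET /0000000000000.cfg HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [27/Sep/2019:06:01:12 +0000] "GET /prov/000000000000.cfg HTTP/1.1" 200 2048 "-" "-"
203.0.113.7 - - [27/Sep/2019:06:01:12 +0000] "GET /prov/0004f2aabbcc.cfg HTTP/1.1" 200 4096 "-" "-"
198.51.100.9 - - [27/Sep/2019:06:02:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Sep/2019:06:02:01 +0000] "GET /prov/000000000000.cfg HTTP/1.1" 200 2048 "-" "-"
"""

if __name__ == "__main__":
    for ip, info in find_provisioning_probes(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(info['paths'])} provisioning paths requested, "
              f"served with 200: {info['served']}")
```

Run it against a real log with `find_provisioning_probes(open("access.log"))`; anything listed under "served" is a file an unauthenticated client on the Internet can download and should be moved behind authentication or restricted to the phone network. The threshold is deliberately per-source and based on distinct paths, so a single phone booting (two requests at most) does not trigger it.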

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key


Comments

We received the same scan from the same IP.
