For some time, I have been seeing attempts to log in as the user "PlcmSpIp". This username is not something I immediately recognize, and I have been filing the attacks as targeting some unknown third party software product. Today, out of idle curiosity, I made the effort to actually google it.
It turns out that these attacks are related to the Soundpoint range of IP telephones from Polycom.
When a Soundpoint phone boots, it tries to download a settings file from a server. Exactly how this download is performed can be configured using very flexible mechanisms (see the section "Supported provisioning protocols" in the Soundpoint administration manual). The local administrator can rather easily create a setup where the phones download their settings in a secure manner.
The default configuration, however, is less than secure. By default, the phone expects the DHCP server to send a server name as DHCP option 66. The phone then logs in to that server over clear-text FTP as the user "PlcmSpIp" with password "PlcmSpIp" and retrieves its settings file.
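To make the first half of that default concrete, here is a small decoder for the DHCP options field, which is where the phone picks up the server name from option 66. This is an added example, not code from the original post or from Polycom; the option bytes are constructed for the example, and `prov.example.net` is a placeholder name. It walks the standard TLV layout (RFC 2132), treats the single-byte PAD and END options correctly, and rejects a truncated option instead of reading past it.

```python
from typing import Dict, Optional

# Added example (not from the original post): decode the DHCP options field
# that a phone parses after boot to learn its provisioning server name.
# RFC 2132 option codes; PAD and END have no length byte.
DHCP_OPT_PAD = 0
DHCP_OPT_END = 255
DHCP_OPT_MESSAGE_TYPE = 53
DHCP_OPT_TFTP_SERVER_NAME = 66  # "TFTP server name", reused here as the provisioning server


def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Parse the TLV-encoded options field into {code: raw value}.

    PAD (0) is skipped, END (255) stops parsing, and any option whose
    declared length runs past the buffer raises instead of being misread.
    """
    parsed: Dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == DHCP_OPT_PAD:
            i += 1
            continue
        if code == DHCP_OPT_END:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header at offset %d" % i)
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        parsed[code] = value
        i += 2 + length
    return parsed


def provisioning_server(options: bytes) -> Optional[str]:
    """Return the server name carried in option 66, or None if it is absent."""
    raw = parse_dhcp_options(options).get(DHCP_OPT_TFTP_SERVER_NAME)
    if raw is None:
        return None
    # Some servers NUL-pad string options; strip that before decoding.
    return raw.rstrip(b"\x00").decode("ascii", errors="replace")


# Constructed options blob: message type = DHCPOFFER (2), option 66 with a
# placeholder server name, one PAD byte, then END.
_SERVER = b"prov.example.net"
SAMPLE_OPTIONS = (
    bytes([DHCP_OPT_MESSAGE_TYPE, 1, 2])
    + bytes([DHCP_OPT_TFTP_SERVER_NAME, len(_SERVER)]) + _SERVER
    + bytes([DHCP_OPT_PAD, DHCP_OPT_END])
)

# Constructed blob with no option 66 at all, to show the absent case.
SAMPLE_OPTIONS_NO_66 = bytes([DHCP_OPT_MESSAGE_TYPE, 1, 2, DHCP_OPT_END])

if __name__ == "__main__":
    print(provisioning_server(SAMPLE_OPTIONS))        # prov.example.net
    print(provisioning_server(SAMPLE_OPTIONS_NO_66))  # None
```

The point to take from it is that the server name is just another untyped option in the lease; nothing in the field itself tells the phone whether the host it names is one the administrator intended, which is why the second half of the default (a fixed, well-known FTP account) matters so much.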
Convenient? Yes. Secure? Well, perhaps not so much.
So, we have a situation where the local administrator can choose between a convenient default configuration, or spending some time and effort to create a secure configuration of his own.
It should not come as a great surprise that the Internet is full of configuration guides that instruct people that want to support Polycom phones to simply create a user account called "PlcmSpIp" with the password "PlcmSpIp".
My favourite among these guides comes from the Canadian company Objectworld, who in the configuration manual for their product "UC Server 4.2" state:
However, Polycom's PlcmSpIp password does not meet the default password complexity policy for domain controllers [...]

No shit? So, what do they propose to do about it?

To create the domain account user "PlcmSpIp" the default password policy must be temporarily modified.

You know, sometimes I get this urge to just hurt somebody.
So, we get all these servers with "PlcmSpIp" users with password "PlcmSpIp". Of course, many of these machines will be reachable from the Internet, and many of them will be running ssh servers. No wonder I've been seeing those attacks; this is a minor goldmine for the bad guys.
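Since the tell-tale sign on the receiving end is exactly what the post opens with, login attempts for that one user, here is an added example of pulling those out of an OpenSSH-style auth log. This is not code from the original post; the log lines are constructed (TEST-NET addresses, invented hostnames and PIDs) and the `WATCHED_USERS` set is an assumption you would extend with whatever other vendor-default accounts you care about. Failed attempts are counted per source, and any accepted login for a watched user is reported separately, because that is the case that means a "PlcmSpIp"/"PlcmSpIp" account actually exists on a reachable host.

```python
import re
from collections import Counter
from typing import Counter as CounterType, List, Set, Tuple

# Constructed sample lines in OpenSSH auth.log style. Addresses are from
# the TEST-NET ranges; hostnames and PIDs are invented. Not real log data.
SAMPLE_AUTH_LOG = """\
Jan 10 03:12:01 gw sshd[2134]: Failed password for invalid user PlcmSpIp from 203.0.113.5 port 50222 ssh2
Jan 10 03:12:04 gw sshd[2136]: Failed password for invalid user PlcmSpIp from 203.0.113.5 port 50231 ssh2
Jan 10 03:12:09 gw sshd[2140]: Failed password for root from 198.51.100.7 port 40110 ssh2
Jan 10 03:13:15 gw sshd[2151]: Failed password for PlcmSpIp from 192.0.2.33 port 51888 ssh2
Jan 10 03:13:19 gw sshd[2153]: Accepted password for PlcmSpIp from 192.0.2.33 port 51890 ssh2
Jan 10 03:14:00 gw sshd[2160]: Accepted publickey for alice from 192.0.2.8 port 33020 ssh2
"""

# Assumed watch list: the vendor-default account from the post. Extend as needed.
WATCHED_USERS: Set[str] = {"PlcmSpIp"}

# Matches both "Failed password for invalid user X" (no such account) and
# "Failed password for X" (account exists, wrong password), plus accepted logins.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

Failed = CounterType[Tuple[str, str]]          # (user, source ip) -> attempts
Accepted = List[Tuple[str, str, str]]          # (user, source ip, auth method)


def analyse_auth_log(text: str, watched: Set[str] = WATCHED_USERS) -> Tuple[Failed, Accepted]:
    """Count failed logins per (user, source) and list accepted logins for watched users."""
    failed: Failed = Counter()
    accepted: Accepted = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["user"] not in watched:
            continue
        if m["result"] == "Failed":
            failed[(m["user"], m["src"])] += 1
        else:
            accepted.append((m["user"], m["src"], m["method"]))
    return failed, accepted


def report(text: str) -> List[str]:
    """Render findings as lines, accepted logins first since they are the real problem."""
    failed, accepted = analyse_auth_log(text)
    lines = []
    for user, src, method in accepted:
        lines.append("ALERT accepted %s login for %s from %s" % (method, user, src))
    for (user, src), n in failed.most_common():
        lines.append("failed %d attempt(s) for %s from %s" % (n, user, src))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_AUTH_LOG):
        print(line)
```

On the constructed input the report leads with the accepted password login from 192.0.2.33 and then lists two failures from 203.0.113.5 and one from 192.0.2.33; the root failure is ignored because root is not on the watch list. In practice the accepted line is the one to act on: it is the host where someone followed one of those configuration guides.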
Thank you, Polycom. Thank you, Objectworld. Thanks a lot.