To that point:
Users logging in through sshd:
PlcmSpIp:
172.129.67.195 (AC8143C3.ipt.aol.com): 1 time
That can't be good. I understand that PlcmSpIp is a user for the Polycom
provisioning. I have removed ssh access to the box from the world, but how do
I change the default password for that user? This seems like a big security
risk, as every sipxecs install probably has this user with a default password?
~Noah
On Nov 15, 2012, at 12:41 PM, Todd Hodgen <[email protected]> wrote:
> Look at /var/spool/mail/root. There is a report you can find in there that
> shows system activity. Look for entries below ---------------------
> pam_unix Begin ------------------------ and I think you will find the source
> of your aggravation.
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Noah Mehl
> Sent: Thursday, November 15, 2012 6:29 AM
> To: Discussion list for users of sipXecs software
> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>
> I am seeing more spam in my mail queue. I have iptables installed, and here
> are my rules:
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT icmp -- anywhere anywhere icmp any
> ACCEPT esp -- anywhere anywhere
> ACCEPT ah -- anywhere anywhere
> ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
> ACCEPT udp -- anywhere anywhere udp dpt:ipp
> ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-https
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xmpp-client
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5223
> ACCEPT all -- 192.168.0.0/16 anywhere
> ACCEPT udp -- anywhere anywhere state NEW udp dpt:sip
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip-tls
> ACCEPT udp -- sip02.gafachi.com anywhere state NEW udp dpts:sip:5080
> ACCEPT udp -- 204.11.192.0/22 anywhere state NEW udp dpts:sip:5080
> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>
> As far as I can tell, no one should be able to use port 25 from the world.
> Also, sendmail is only configured to allow relay from localhost:
>
> [root@sipx1 ~]# cat /etc/mail/access
> # Check the /usr/share/doc/sendmail/README.cf file for a description
> # of the format of this file. (search for access_db in that file)
> # The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
> # package.
> #
> # by default we allow relaying from localhost...
> Connect:localhost.localdomain RELAY
> Connect:localhost RELAY
> Connect:127.0.0.1 RELAY
>
> Can someone please help me figure out where this spam is coming from?
> Thanks.
>
> ~Noah
>
> On Oct 13, 2012, at 10:17 AM, Noah Mehl <[email protected]> wrote:
>
>> I did not change the configuration of anything related to the PlcmSpIp
>> user. It does however make me feel better that it is related to the vsftpd
>> service and the polycom phones.
>>
>> From /etc/passwd:
>>
>> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>>
>> So, that user cannot ssh to a shell. So I don't think it was that.
>>
>> ~Noah
>>
>> On Oct 12, 2012, at 9:05 AM, Tony Graziano <[email protected]> wrote:
>>
>>> ... more -- its a user that does not have login to the OS itself,
>>> just vsftpd, which is restricted to certain commands and must present
>>> a request for its mac address in order to get a configuration file.
>>> It is not logging into linux unless someone changed the rights of the
>>> user.
>>>
>>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <[email protected]> wrote:
>>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>>>> <[email protected]> wrote:
>>>>> this is not a valid system user unless you have manually added it
>>>>> to the system. I do think the logs would show more if access was
>>>>> granted. Why are you exposing sshd to the outside world with an acl
>>>>> or by protecting it at your firewall?
>>>>>
>>>>
>>>> PlcmSpIp is the user used by polycom phones for fetching config from
>>>> server
>>>>
>>>> George
>>>> _______________________________________________
>>>> sipx-users mailing list
>>>> [email protected]
>>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>>
>>>
>>>
>>> --
>>> ~~~~~~~~~~~~~~~~~~
>>> Tony Graziano, Manager
>>> Telephone: 434.984.8430
>>> sip: [email protected]
>>> Fax: 434.465.6833
>>> ~~~~~~~~~~~~~~~~~~
>>> Linked-In Profile:
>>> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>>> Ask about our Internet Fax services!
>>> ~~~~~~~~~~~~~~~~~~
>>>
>>> Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
>>>
>>> --
>>> LAN/Telephony/Security and Control Systems Helpdesk:
>>> Telephone: 434.984.8426
>>> sip: [email protected]
>>>
>>> Helpdesk Customers: http://myhelp.myitdepartment.net
>>> Blog: http://blog.myitdepartment.net
>>
>>
>
>
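An added example, not code from the thread or from sipXecs, that cross-checks the two artefacts Noah posted: the PlcmSpIp entry from /etc/passwd and the "Users logging in through sshd" report. It assumes stock syslog formatting of sshd messages in /var/log/secure; the /etc/passwd and log samples below are constructed.

```python
import re
from collections import Counter

# Constructed /etc/passwd sample; the PlcmSpIp line mirrors the one Noah posted.
PASSWD = """root:x:0:0:root:/root:/bin/bash
PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
noah:x:501:501::/home/noah:/bin/bash
"""

# Constructed /var/log/secure lines in the usual sshd syslog format (not real logs).
SECURE_LOG = """Nov 15 02:13:07 sipx1 sshd[2219]: Accepted password for PlcmSpIp from 172.129.67.195 port 52811 ssh2
Nov 15 02:13:07 sipx1 sshd[2219]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Nov 15 08:40:11 sipx1 sshd[2314]: Failed password for root from 172.129.67.195 port 52900 ssh2
Nov 15 09:01:42 sipx1 sshd[2401]: Accepted publickey for noah from 192.168.1.20 port 41022 ssh2
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")


def nologin_accounts(passwd_text):
    """Return the set of account names whose login shell is a no-login shell."""
    users = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] in NOLOGIN_SHELLS:
            users.add(fields[0])
    return users


def suspicious_sshd_logins(passwd_text, log_text):
    """Count accepted sshd authentications for accounts that should never log in.

    Returns {(user, source_ip): count}. A nologin shell only prevents an
    interactive shell from starting; sshd has already accepted the password
    and logged it, which is why a /sbin/nologin account can still show up in
    the 'Users logging in through sshd' report. That combination is the
    signal to act on: the account's password is being used from outside.
    """
    blocked = nologin_accounts(passwd_text)
    hits = Counter()
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m and m.group(2) in blocked:
            hits[(m.group(2), m.group(3))] += 1
    return dict(hits)
```

Run against the real files with `suspicious_sshd_logins(open("/etc/passwd").read(), open("/var/log/secure").read())`; any non-empty result is the same finding the logwatch report surfaced.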