Here is a question I would have as well: 172.129.67.195 seems to be an address that is local to your network. Who has that IP address, and why are they attempting to breach that server? If they are not a part of your network, how are they getting to that server from outside your network? There has to be an opening in a firewall somewhere that is allowing it.

Remember, this is a phone system, not a firewall, not a router. It's a phone system with pretty standard authentication requirements; it's up to the administrator to keep others off of the network.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Noah Mehl
Sent: Thursday, November 15, 2012 10:04 AM
To: Discussion list for users of sipXecs software
Subject: Re: [sipx-users] Hacked SipXecs 4.4

To that point:

Users logging in through sshd:
   PlcmSpIp:
      172.129.67.195 (AC8143C3.ipt.aol.com): 1 time

That can't be good. I understand that PlcmSpIp is a user for the Polycom provisioning. I have removed ssh access to the box from the world, but how do I change the default password for that user? This seems like a big security risk, as every sipxecs install probably has this user with a default password?

~Noah

On Nov 15, 2012, at 12:41 PM, Todd Hodgen <[email protected]> wrote:

> Look at /var/spool/mail/root. There is a report you can find in there that
> shows system activity. Look for entries below
> --------------------- pam_unix Begin ------------------------
> and I think you will find the source of your aggravation.
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Noah Mehl
> Sent: Thursday, November 15, 2012 6:29 AM
> To: Discussion list for users of sipXecs software
> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>
> I am seeing more spam in my mail queue. I have iptables installed,
> and here are my rules:
>
> Chain INPUT (policy ACCEPT)
> target               prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>
> Chain FORWARD (policy ACCEPT)
> target               prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target               prot opt source               destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere            icmp any
> ACCEPT     esp  --  anywhere             anywhere
> ACCEPT     ah   --  anywhere             anywhere
> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pcsync-https
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:xmpp-client
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5223
> ACCEPT     all  --  192.168.0.0/16       anywhere
> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:sip
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip-tls
> ACCEPT     udp  --  sip02.gafachi.com    anywhere            state NEW udp dpts:sip:5080
> ACCEPT     udp  --  204.11.192.0/22      anywhere            state NEW udp dpts:sip:5080
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>
> As far as I can tell, no one should be able to use port 25 from the world.
> Also, sendmail is only configured to allow relay from localhost:
>
> [root@sipx1 ~]# cat /etc/mail/access
> # Check the /usr/share/doc/sendmail/README.cf file for a description
> # of the format of this file. (search for access_db in that file)
> # The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
> # package.
> #
> # by default we allow relaying from localhost...
> Connect:localhost.localdomain           RELAY
> Connect:localhost                       RELAY
> Connect:127.0.0.1                       RELAY
>
> Can someone please help me figure out where this spam is coming from?
> Thanks.
>
> ~Noah
>
> On Oct 13, 2012, at 10:17 AM, Noah Mehl <[email protected]> wrote:
>
>> I did not change the configuration of anything related to the
>> PlcmSpIp user. It does however make me feel better that it is related to the
>> vsftpd service and the polycom phones.
>>
>> From /etc/passwd:
>>
>> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>>
>> So, that user cannot ssh to a shell. So I don't think it was that.
>>
>> ~Noah
>>
>> On Oct 12, 2012, at 9:05 AM, Tony Graziano <[email protected]> wrote:
>>
>>> ... more -- it's a user that does not have login to the OS itself,
>>> just vsftpd, which is restricted to certain commands and must
>>> present a request for its mac address in order to get a configuration file.
>>> It is not logging into linux unless someone changed the rights of
>>> the user.
>>>
>>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <[email protected]> wrote:
>>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano <[email protected]> wrote:
>>>>> this is not a valid system user unless you have manually added it
>>>>> to the system. I do think the logs would show more if access was
>>>>> granted. Why are you exposing sshd to the outside world with an
>>>>> acl or by protecting it at your firewall?
>>>>>
>>>>
>>>> PlcmSpIp is the user used by polycom phones for fetching config
>>>> from server
>>>>
>>>> George
>>>> _______________________________________________
>>>> sipx-users mailing list
>>>> [email protected]
>>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>>
>>> --
>>> ~~~~~~~~~~~~~~~~~~
>>> Tony Graziano, Manager
>>> Telephone: 434.984.8430
>>> sip: [email protected]
>>> Fax: 434.465.6833
>>> ~~~~~~~~~~~~~~~~~~
>>> Linked-In Profile: http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>>> Ask about our Internet Fax services!
>>> ~~~~~~~~~~~~~~~~~~
>>>
>>> Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
>>>
>>> --
>>> LAN/Telephony/Security and Control Systems Helpdesk:
>>> Telephone: 434.984.8426
>>> sip: [email protected]
>>>
>>> Helpdesk Customers: http://myhelp.myitdepartment.net
>>> Blog: http://blog.myitdepartment.net
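The two questions the thread keeps circling (is 172.129.67.195 inside the network, and can an account with a /sbin/nologin shell show up as an sshd login?) can both be checked mechanically. The script below is an added example, not code from the thread or from sipXecs: it parses a constructed sample in the shape of the logwatch "Users logging in through sshd" block Noah pasted, looks up each user's shell in a constructed /etc/passwd excerpt (the PlcmSpIp line is the one quoted above), and compares each source address against RFC 1918 space and the 192.168.0.0/16 network that the quoted iptables chain trusts. The sample report, the second passwd line and the `admin` user are assumptions made up for the example.

```python
"""Cross-check a logwatch-style sshd login summary against /etc/passwd
shells and the source networks the firewall actually trusts."""
import ipaddress
import re

# Constructed sample shaped like logwatch's sshd section (one user per
# indented line, one source address per further-indented line).
LOGWATCH_SAMPLE = """\
Users logging in through sshd:
   PlcmSpIp:
      172.129.67.195 (AC8143C3.ipt.aol.com): 1 time
   admin:
      192.168.10.7: 3 times
"""

# Constructed /etc/passwd excerpt; the PlcmSpIp line is the one from the
# thread, the admin line is invented for contrast.
PASSWD_SAMPLE = """\
PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
admin:x:501:501::/home/admin:/bin/bash
"""

# The only source network the quoted RH-Firewall-1-INPUT chain accepts
# wholesale (ACCEPT all -- 192.168.0.0/16 anywhere).
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/16")]

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

USER_RE = re.compile(r"^\s{3}(\S+):\s*$")
ADDR_RE = re.compile(
    r"^\s{6}(\d+\.\d+\.\d+\.\d+)(?:\s+\(([^)]*)\))?:\s+(\d+) times?")


def parse_sshd_logins(report):
    """Return (user, ip, hostname_or_None, count) tuples from the summary."""
    logins, user = [], None
    for line in report.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and user:
            logins.append((user, m.group(1), m.group(2), int(m.group(3))))
    return logins


def login_shell(passwd_text, user):
    """Return the login shell recorded for user, or None if absent."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            return fields[6]
    return None


def is_trusted(ip, nets=TRUSTED_NETS):
    """True if ip is RFC 1918 / loopback-style private or in a trusted net.
    Note that only 172.16.0.0/12 is private; 172.129.x.x is public space."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or any(addr in n for n in nets)


def review(report=LOGWATCH_SAMPLE, passwd_text=PASSWD_SAMPLE, nets=TRUSTED_NETS):
    """Return one finding per sshd login a defender should look into."""
    findings = []
    for user, ip, host, count in parse_sshd_logins(report):
        shell = login_shell(passwd_text, user)
        if not is_trusted(ip, nets):
            findings.append(
                f"{user}: {count} sshd login(s) from non-trusted {ip} "
                f"({host or 'no PTR'})")
        if shell in NOLOGIN_SHELLS:
            # sshd logs "Accepted password" before the shell runs, so a
            # nologin shell does not stop the authentication succeeding.
            findings.append(
                f"{user}: sshd accepted a login although shell is {shell}")
    return findings


if __name__ == "__main__":
    for finding in review():
        print(finding)
```

Running it on the sample yields two findings, both about PlcmSpIp: the source address is neither private nor in the trusted 192.168.0.0/16 range, and sshd accepted the login even though the account's shell is /sbin/nologin. The second point is the caveat worth remembering from this thread: a nologin shell refuses the shell only after password authentication has already succeeded, so the protection that actually closes this off is a changed password plus sshd's own access control (for example `DenyUsers PlcmSpIp` in sshd_config) and a firewall rule that keeps port 22 off the public side.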
