Todd,

The private subnet is: 172.16.0.0 - 172.31.255.255.  That IP is a public IP 
address, which is part of AOL in Nevada I think.  I actually have over 80 
different public IP address entries in my log using that user to SSH to my 
SipXecs box.

I understand that it's a phone system and not a firewall.  However it's a linux 
server, and IPtables is the best firewall in the world, IMHO.  I did have SSH 
access open to the world, that was my choice.  I have never been bitten by this 
before.  Either way, you should not be able to execute anything by SSH'ing with 
the PlcmSpIp user, whether it's a public IP or not.

~Noah

On Nov 15, 2012, at 7:07 PM, Todd Hodgen <thod...@frontier.com> wrote:

> Here is a question I would have as well - 172.129.67.195 seems to be an
> address that is local to your network.   Who has that IP address, why are
> they attempting to breach that server.   If they are not a part of your
> network, how are they getting to that server from outside your network -
> there has to be an opening in a firewall somewhere that is allowing it.
> 
> Remember, this is a phone system, not a firewall, not a router.   It's a
> phone system with pretty standard authentication requirements, it's up to
> the administrator to keep others off of the network.
> 
> -----Original Message-----
> From: sipx-users-boun...@list.sipfoundry.org
> [mailto:sipx-users-boun...@list.sipfoundry.org] On Behalf Of Noah Mehl
> Sent: Thursday, November 15, 2012 10:04 AM
> To: Discussion list for users of sipXecs software
> Subject: Re: [sipx-users] Hacked SipXecs 4.4
> 
> To that point:
> 
> Users logging in through sshd:
>    PlcmSpIp:
>       172.129.67.195 (AC8143C3.ipt.aol.com): 1 time
> 
> That can't be good.  I understand that PlcmSpIp is a user for the Polycom
> provisioning.  I have removed ssh access to the box from the world, but how
> do I change the default password for that user?  This seems like a big
> security risk, as every sipxecs install probably has this user with a
> default password?
> 
> ~Noah
> 
> On Nov 15, 2012, at 12:41 PM, Todd Hodgen <thod...@frontier.com> wrote:
> 
>> Look at var/spool/mail/root    There is a report you can find in there that
>> shows system activity.  Look for entries below ---------------------
>> pam_unix Begin ------------------------ and I think you will find the
>> source of your aggravation.
>> 
>> -----Original Message-----
>> From: sipx-users-boun...@list.sipfoundry.org
>> [mailto:sipx-users-boun...@list.sipfoundry.org] On Behalf Of Noah Mehl
>> Sent: Thursday, November 15, 2012 6:29 AM
>> To: Discussion list for users of sipXecs software
>> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>> 
>> I am seeing more spam in my mail queue.  I have iptables installed,
>> and here are my rules:
>> 
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>> 
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>> 
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>> 
>> Chain RH-Firewall-1-INPUT (2 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  anywhere             anywhere
>> ACCEPT     icmp --  anywhere             anywhere            icmp any
>> ACCEPT     esp  --  anywhere             anywhere
>> ACCEPT     ah   --  anywhere             anywhere
>> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pcsync-https
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:xmpp-client
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5223
>> ACCEPT     all  --  192.168.0.0/16       anywhere
>> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:sip
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip-tls
>> ACCEPT     udp  --  sip02.gafachi.com    anywhere            state NEW udp dpts:sip:5080
>> ACCEPT     udp  --  204.11.192.0/22      anywhere            state NEW udp dpts:sip:5080
>> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>> 
>> As far as I can tell, no one should be able to use port 25 from the world.
>> Also, sendmail is only configured to allow relay from localhost:
>> 
>> [root@sipx1 ~]# cat /etc/mail/access
>> # Check the /usr/share/doc/sendmail/README.cf file for a description
>> # of the format of this file. (search for access_db in that file)
>> # The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
>> # package.
>> #
>> # by default we allow relaying from localhost...
>> Connect:localhost.localdomain           RELAY
>> Connect:localhost                       RELAY
>> Connect:127.0.0.1                       RELAY
>> 
>> Can someone please help me figure out where this spam is coming from?
>> Thanks.
>> 
>> ~Noah
>> 
>> On Oct 13, 2012, at 10:17 AM, Noah Mehl <n...@tritonlimited.com> wrote:
>> 
>>> I did not change the configuration of anything related to the PlcmSpIp
>>> user.  It does however make me feel better that it is related to the
>>> vsftpd service and the polycom phones.
>>> 
>>> From /etc/passwd:
>>> 
>>> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>>> 
>>> So, that user cannot ssh to a shell. So I don't think it was that.
>>> 
>>> ~Noah
>>> 
>>> On Oct 12, 2012, at 9:05 AM, Tony Graziano <tgrazi...@myitdepartment.net> wrote:
>>> 
>>>> ... more -- it's a user that does not have login to the OS itself,
>>>> just vsftpd, which is restricted to certain commands and must
>>>> present a request for its mac address in order to get a configuration file.
>>>> It is not logging into linux unless someone changed the rights of
>>>> the user.
>>>> 
>>>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <geo...@ezuce.com> wrote:
>>>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>>>>> <tgrazi...@myitdepartment.net> wrote:
>>>>>> this is not a valid system user unless you have manually added it
>>>>>> to the system. I do think the logs would show more if access was
>>>>>> granted. Why are you exposing sshd to the outside world with an
>>>>>> acl or by protecting it at your firewall?
>>>>>> 
>>>>> 
>>>>> PlcmSpIp is the user used by polycom phones for fetching config
>>>>> from server
>>>>> 
>>>>> George
>>>>> _______________________________________________
>>>>> sipx-users mailing list
>>>>> sipx-users@list.sipfoundry.org
>>>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>>> 
>>>> 
>>>> 
>>>> --
>>>> ~~~~~~~~~~~~~~~~~~
>>>> Tony Graziano, Manager
>>>> Telephone: 434.984.8430
>>>> sip: tgrazi...@voice.myitdepartment.net
>>>> Fax: 434.465.6833
>>>> ~~~~~~~~~~~~~~~~~~
>>>> Linked-In Profile:
>>>> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>>>> Ask about our Internet Fax services!
>>>> ~~~~~~~~~~~~~~~~~~
>>>> 
>>>> Using or developing for sipXecs from SIPFoundry? Ask me about
>>>> sipX-CoLab 2013!
>>>> 
>>>> --
>>>> LAN/Telephony/Security and Control Systems Helpdesk:
>>>> Telephone: 434.984.8426
>>>> sip: helpd...@voice.myitdepartment.net
>>>> 
>>>> Helpdesk Customers: http://myhelp.myitdepartment.net
>>>> Blog: http://blog.myitdepartment.net
>>> 
>>> 
>> 
> 

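Noah's correction above (the private block is 172.16.0.0/12, so 172.129.67.195 is a public address) and the logwatch "Users logging in through sshd" report can be turned into a repeatable check. The Python below is an added example, not code from this thread or from sipXecs: it parses sshd "Accepted ..." lines in the format sshd writes to /var/log/secure, tallies successful logins per user and source address, and labels each source for a provisioning account such as PlcmSpIp as RFC 1918 private or public. The sample log lines are constructed, and the account list is an assumption.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# RFC 1918 private address space. 172.129.67.195 is outside 172.16.0.0/12,
# so it is a public address even though it starts with 172.
PRIVATE_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Successful password/publickey logins as sshd records them in /var/log/secure.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def is_private(ip):
    """True if ip falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def summarize_sshd_logins(lines):
    """Map each user to a Counter of source IPs with successful sshd logins."""
    logins = defaultdict(Counter)
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            logins[m.group("user")][m.group("ip")] += 1
    return logins


def flag_service_logins(logins, service_users):
    """Return (user, ip, count, scope) for service accounts that should never
    log in over sshd at all; scope says whether the source was private or public."""
    flagged = []
    for user in service_users:
        for ip, count in sorted(logins.get(user, {}).items()):
            flagged.append((user, ip, count, "private" if is_private(ip) else "public"))
    return flagged


# Constructed sample lines in /var/log/secure format (not taken from the thread's server).
SAMPLE_LOG = """\
Nov 15 09:55:01 sipx1 sshd[2211]: Accepted password for PlcmSpIp from 172.129.67.195 port 51234 ssh2
Nov 15 09:55:02 sipx1 sshd[2211]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Nov 15 10:02:17 sipx1 sshd[2290]: Failed password for root from 172.129.67.195 port 51240 ssh2
Nov 15 10:10:40 sipx1 sshd[2305]: Accepted password for PlcmSpIp from 192.168.1.20 port 40022 ssh2
Nov 15 10:30:05 sipx1 sshd[2350]: Accepted publickey for noah from 172.16.4.9 port 55010 ssh2
"""

if __name__ == "__main__":
    summary = summarize_sshd_logins(SAMPLE_LOG.splitlines())
    for user, ip, count, scope in flag_service_logins(summary, ["PlcmSpIp"]):
        print(f"{user} logged in from {ip} ({scope}) {count} time(s)")
```

Any row this prints for a provisioning account is a finding regardless of scope, since that account is meant for vsftpd only; the public/private label just tells you whether the firewall or the account itself is the first thing to fix.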