[asterisk-users] Hack attempt sequential config file read looking for valid files.

Derek Bolichowski derek at empire-team.com
Fri Apr 21 11:36:28 CDT 2017

From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Jerry Geis
Sent: Friday, April 21, 2017 12:28 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users at lists.digium.com>
Subject: [asterisk-users] Hack attempt sequential config file read looking for valid files.

I "justed" happened to look at /var/log/messages...

I saw:
Apr 21 12:18:40 in.tftpd[22719]: RRQ from filename 0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22719]: Client File not found 0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22720]: RRQ from filename 0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22720]: Client File not found 0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22721]: RRQ from filename 0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22721]: Client File not found 0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22722]: RRQ from filename 0004f2034f6e.cfg

so basically a sequential read of Polycom MAC address config files.
Someone is trying to read to determine if I have any Polycom files, just sequential read after read.
And if so, it would get any extension and password at that time.
Luckily I have none.

However, how does one block attempts like this?



Can you change to FTP Provisioning, or HTTPS etc? At least with FTP you can set a user/pass to your directory with mac.cfg to prevent open access.
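As an added illustration of how the pattern in the quoted /var/log/messages excerpt can be picked up automatically (this is example code, not anything from the thread or from the tftpd project): the script below parses in.tftpd RRQ lines, keeps only requests for twelve-hex-digit MAC-named .cfg files, and reports any run of requests whose MAC values increase by exactly one from the same client inside a short window. The sample log is constructed from the lines in the post; the optional hostname and client-IP fields in the regex are assumptions about fuller syslog output, and the minimum run length and window are tunable thresholds, not values taken from the page.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the in.tftpd lines quoted in the post.
# A final unrelated request is appended to show that the run is terminated.
SAMPLE_LOG = """\
Apr 21 12:18:40 in.tftpd[22719]: RRQ from filename 0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22719]: Client File not found 0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22720]: RRQ from filename 0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22720]: Client File not found 0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22721]: RRQ from filename 0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22721]: Client File not found 0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22722]: RRQ from filename 0004f2034f6e.cfg
Apr 21 12:30:05 in.tftpd[22800]: RRQ from filename 0004f2aabbcc.cfg
"""

# Syslog timestamp, optional hostname (assumed; absent in the post's lines),
# then the tftpd RRQ line with an optional client IP (assumed) before "filename".
RRQ_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?:\S+ )?in\.tftpd\[\d+\]: "
    r"RRQ from (?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) )?filename (?P<name>\S+)$"
)
# Polycom-style per-phone config: <12 hex digits>.cfg
MAC_CFG_RE = re.compile(r"^([0-9a-fA-F]{12})\.cfg$")


def parse_rrq(line, year=2017):
    """Return (timestamp, client, mac_as_int) for a MAC-named RRQ line, else None."""
    m = RRQ_RE.match(line.strip())
    if not m:
        return None
    mac = MAC_CFG_RE.match(m.group("name"))
    if not mac:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip") or "unknown", int(mac.group(1), 16)


def find_mac_sweeps(log_text, min_run=3, window_seconds=60):
    """Find runs of MAC-named RRQs where each MAC is the previous one plus one,
    from the same client, all within window_seconds of the run's first request.

    Returns a list of (client, first_mac_hex, last_mac_hex, request_count)."""
    events = [e for e in (parse_rrq(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])  # stable sort by timestamp

    sweeps = []
    run = []
    for ev in events:
        ts, client, mac = ev
        continues_run = (
            run
            and client == run[-1][1]
            and mac == run[-1][2] + 1
            and (ts - run[0][0]).total_seconds() <= window_seconds
        )
        if continues_run:
            run.append(ev)
            continue
        if len(run) >= min_run:
            sweeps.append((run[0][1], f"{run[0][2]:012x}", f"{run[-1][2]:012x}", len(run)))
        run = [ev]
    if len(run) >= min_run:
        sweeps.append((run[0][1], f"{run[0][2]:012x}", f"{run[-1][2]:012x}", len(run)))
    return sweeps


if __name__ == "__main__":
    for client, first, last, n in find_mac_sweeps(SAMPLE_LOG):
        print(f"possible MAC sweep from {client}: {first}..{last} ({n} requests)")
```

Run it against a copy of the real log; a run of three or more consecutive MACs from one client is a strong signal of enumeration rather than of a phone fetching its own file, and the hit can be fed to a log watcher such as fail2ban or used to justify moving provisioning behind authentication as suggested above.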