{"id":8342,"date":"2025-11-11T04:01:16","date_gmt":"2025-11-11T04:01:16","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/11\/11\/32464\/"},"modified":"2025-11-11T04:01:16","modified_gmt":"2025-11-11T04:01:16","slug":"32464","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/11\/11\/32464\/","title":{"rendered":"It isn&#8217;t always defaults: Scans for 3CX usernames, (Mon, Nov 10th)"},"content":{"rendered":"\n<div>It isn&#8217;t always defaults: Scans for 3CX usernames, (Mon, Nov 10th)<\/div>\n<div>\n<p>Today, I noticed scans using the username &#8220;FTP_3cx&#8221; showing up in our logs. 3CX is a well-known maker of business phone system software [1]. My first guess was that this was a default user for one of their systems. But Google came up empty for this particular string. The 3CX software does not appear to run an FTP server, but it offers a feature to back up configurations to an FTP server [2]. The example user used in the documentation is &#8220;3cxftpuser&#8221;, not &#8220;FTP_3cx&#8221;. Additionally, the documentation notes that the FTP server can run on a different system from the 3CX software. For a backup, it would not make much sense to have it all run on the same system.<\/p>\n<p>The scans we are seeing likely target FTP servers that users set up to back up 3CX configurations, and not the 3CX software itself. I am not familiar enough with 3CX to know precisely what the backup contains, but it most likely includes sufficient information to breach the 3CX installation.<\/p>\n<p>The credentials we observe with our Cowrie-based honeypots are collected for telnet and FTP. In particular, on Linux systems, you often use a system user to connect via FTP. Any credentials working via FTP will also work for telnet or SSH. 
Keep that in mind when configuring a user for FTP access, and of course, FTP should not be your first choice for backing up sensitive data, but we all know it does happen.<\/p>\n<p>Here are the passwords attackers are attempting to use:<\/p>\n<table class=\"datatable\">\n<thead>\n<tr>\n<th>Password<\/th>\n<th>Count<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>3CXBackup<\/td>\n<td>4<\/td>\n<\/tr>\n<tr>\n<td>3CXbackups<\/td>\n<td>4<\/td>\n<\/tr>\n<tr>\n<td>telecom<\/td>\n<td>1<\/td>\n<\/tr>\n<tr>\n<td>testbackup<\/td>\n<td>1<\/td>\n<\/tr>\n<tr>\n<td>backup3cx<\/td>\n<td>1<\/td>\n<\/tr>\n<tr>\n<td>ebsftpuser<\/td>\n<td>1<\/td>\n<\/tr>\n<tr>\n<td>ftp_cxn<\/td>\n<td>1<\/td>\n<\/tr>\n<tr>\n<td>ftp_inx<\/td>\n<td>1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Here are some other &#8220;3cx&#8221;-related usernames we have seen in the past:<\/p>\n<table class=\"datatable\">\n<thead>\n<tr>\n<th>Username<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>3cx<\/td>\n<\/tr>\n<tr>\n<td>3CXBackup<\/td>\n<\/tr>\n<tr>\n<td>3cxbackups<\/td>\n<\/tr>\n<tr>\n<td>backup3cx<\/td>\n<\/tr>\n<tr>\n<td>ftp3cx<\/td>\n<\/tr>\n<tr>\n<td>FTP_3cx<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>If anyone with more 3CX experience reads this, is there a reason for someone to use these usernames? Or are there any defaults I didn&#8217;t find?<\/p>\n<p>[1]\u00a0https:\/\/www.3cx.com<br \/>\n[2]\u00a0https:\/\/www.3cx.com\/docs\/ftp-server-pbx-backups-linux\/<\/p>\n<p>&#8212;<br \/>\nJohannes B. Ullrich, Ph.D., Dean of Research, <a href=\"https:\/\/sans.edu\/\">SANS.edu<\/a><br \/>\n<a href=\"https:\/\/jbu.me\/164\">Twitter<\/a><\/p>\n<p> (c) SANS Internet Storm Center. 
https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n<p><a href=\"https:\/\/isc.sans.edu\/diary\/rss\/32464\">Go to isc.sans.edu<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>It isn&#8217;t always defaults: Scans for 3CX usernames, (Mon, Nov 10th) Today, I noticed scans using the username &#8220;FTP_3cx&#8221; showing up in our logs. 3CX is a well-known maker of business phone system software [1]. My first guess was that this was a default user for one of their systems. But Google came up empty [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[69],"class_list":["post-8342","post","type-post","status-publish","format-standard","hentry","category-isc-sans-edu","tag-isc-sans-edu"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8342"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8342"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8342\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8342"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8342"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8342"}],"curies":[{"name":"wp","href":"https:\
/\/api.w.org\/{rel}","templated":true}]}}