During the last weeks, I have seen an interesting trend in my network of honeypot servers.
The logs shows an increasing numbers of failed SSH (TCP:port 22) logins attempts.
The attacker first tries the following combination of password and user name:
username: PlcmSpIp password: PlcmSpIp
Above combination are the factory default access for many Polycom.com's products
e.g. the SoundPoint SIP (VOIP) phones.
Immediately afterwards the attacker tries the combination of root:TANDBERG
This happens to be the default password/user name on Tandberg/Cisco boardroom
videoconferencing systems. The attackers comes from a few network ranges based
in China ('home based/private users' ISP), but the behavior has been spotted on several honeypots
spread over several geographical locations (both in the US and in Europe).
The best way to avoid this types of compromises are to change the default password(s)
before putting such system on-line.