Hello and welcome to the Tuesday, November 11th,

2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the sands.edu master's degree program in

information security engineering. Today's diary is about an odd username that I spotted in our

Honeypod logs. The username is FTP underscore 3CX. Now, the 3CX part likely refers to the maker of business phone systems 3CX.

A couple of years ago, they sort of went through the news for being the victim of a big supply chain attack.

But what we are seeing here is likely unrelated.

I did, of course, do a quick search trying to figure out, is this some kind of

default username, maybe going with a default password? Doesn't look like it. And actually,

3CX, their product does not really come with an FTP server. And our Honeypot actually is looking

for Telnet and ZH credentials.

So we're actually not emulating FTP.

I believe what's happening here is that if you're using these business phone systems from 3CX,

one of the options you have to create backups is FTP.

And they're talking the documentation about setting up an FTP server that will receive these backups. So again, the product itself doesn't come with an FTP server. It's something

that you're setting up separately. And they're offering a couple popular sort of FTP server options here and walking you through how to set them up correctly.

But there are a couple issues here.

First of all, that the username, well, people are likely going to use a username related to the product.

There is a comment here to the diary by Stephen who says, well, it's just human nature to use names like

Stephen is using, for example, VIM,

like VIM user, VIM backup and such.

...