[asterisk-users] Being attacked by an Amazon EC2 ...

Zeeshan Zakaria zishanov at gmail.com
Sun Apr 11 09:06:11 CDT 2010


I don't know if there is a tool to sniff passwords, but did you check in
/var/log/asterisk/full? Maybe wireshark can be used for this purpose, but
it'll not be that straightforward.

Interestingly, I checked the log of my server and found out that I was also
under attack yesterday by an Amazon cloud server, IP 184.73.53.22. Thanks to
fail2ban the IP was blocked. But I guess I am now used to these attacks as
it is a routine now and so far fail2ban is working fine for me. But my
server (and now yours too) is in some hackers' list of "asterisk favourites"
and will keep coming under attack.

I'll now send an email to Amazon.

Zeeshan A Zakaria

--
Sent from my Android phone with K-9 Mail.

On 2010-04-11 9:42 AM, "Norbert Zawodsky" <norbert at zawodsky.at> wrote:

Hello to everyone!

Same here (Vienna, Austria).

I had this attack yesterday 6am (local time) from IP 216.105.128.63

whois 216.105.128.63 returns:

OrgName:    Globalvision
OrgID:      ACSIN-3
Address:    78 Global Drive
Address:    Suite 101
City:       Greenville
StateProv:  SC
PostalCode: 29607
Country:    US

NetRange:   216.105.128.0 - 216.105.159.255
CIDR:       216.105.128.0/19
NetName:    ACSINC-BLK-1
NetHandle:  NET-216-105-128-0-1
Parent:     NET-216-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.ACSINC.NET
NameServer: NS2.ACSINC.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    1998-10-19
Updated:    2004-12-08

OrgTechHandle: HOSTM560-ARIN
OrgTechName:   Hostmaster
OrgTechPhone:  +1-864-467-1333
OrgTechEmail:  hostmaster at acsinc.net

In my case, the attack started at 05:57:45.

Asterisk: 1.2.12.1

They sent 14.288 Register requests trying some "common" users like
"test,admin,sip,user,123,1234," and so on.
Then they started just counting up from user "0"
(0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,.....) and this way they found
valid users until 05:59:09, which is 1 minute and 24 seconds, or 170
Registers/second.

After that, they started to send 66.267 registers until 06:24:08, only
with the "found" users and random password combinations. 66.267 reg /
1.499 seconds = 44 regs/second.

A classic "brute force attack". Interesting that the password attacks
came slower than the userid attacks...

At 6:24:23 asterisk obviously crashed because there were no more log
entries. I noticed the incident because my office phone number was not
reachable when I tried in the morning.

My phones (SNOMs) are all on the same LAN within a 192.168.X.X address
range. I wonder if everything would become a little bit more secure if I
define them with "host=192.168.X.X" in sip.conf instead of
"host=dynamic". I tried it as a quick shot but it didn't work as they
still try to register. Does someone know whether this is possible and
where/how to configure it on the snom side?

greetings,
Norbert
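Zeeshan suggests checking /var/log/asterisk/full, and Norbert's timeline shows two distinct phases (a fast sweep of many usernames, then slower password guessing against the names that worked). The script below is an added example, not code from either poster: it parses chan_sip registration-failure lines and labels each source IP by which phase its failures look like. The NOTICE line shape, the process id 4242, the internal address 10.0.0.5 and the sample log lines are constructed assumptions; the attacker IPs are the two quoted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime
# Assumed shape of a chan_sip registration-failure NOTICE in /var/log/asterisk/full;
# wording differs between Asterisk versions, so adjust the pattern to your own logs.
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?sip:(?P<user>[^@>']+)@[^']*' failed for "
    r"'(?P<src>[\d.]+)(?::\d+)?' - (?P<reason>.+)$"
)

def parse_failures(lines, year=2010):
    """Group failed REGISTERs by source IP: {ip: [(time, user, reason), ...]}."""
    per_src = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # the full log carries no year, so the caller supplies one
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            per_src[m["src"]].append((ts, m["user"], m["reason"]))
    return per_src

def classify(events, min_rate=5.0):
    """Label one source's failures: enumeration, guessing, suspicious or benign."""
    if len(events) < 2:
        return "benign"
    span = (events[-1][0] - events[0][0]).total_seconds() or 1.0
    if len(events) / span < min_rate:  # attempts per second, events in log order
        return "benign"
    distinct = len({u for _, u, _ in events})
    wrong_pw = sum(r.startswith("Wrong password") for _, _, r in events)
    if wrong_pw >= len(events) / 2:    # few names, many bad passwords
        return "guessing"
    if distinct > len(events) / 2:     # many names, mostly unknown peers
        return "enumeration"
    return "suspicious"

def summarize(lines):
    return {ip: classify(ev) for ip, ev in parse_failures(lines).items()}

# Constructed sample: Norbert's two phases (one IP each, for simplicity) plus a LAN typo.
SAMPLE_LOG = (
    [f"[Apr 11 05:57:{45 + i // 10}] NOTICE[4242] chan_sip.c: Registration from "
     f"'<sip:{i}@10.0.0.5>' failed for '216.105.128.63' - No matching peer found"
     for i in range(12)]
    + [f"[Apr 11 06:00:0{i // 4}] NOTICE[4242] chan_sip.c: Registration from "
       f"'\"100\" <sip:100@10.0.0.5>' failed for '184.73.53.22:5060' - Wrong password"
       for i in range(8)]
    + ["[Apr 11 07:12:01] NOTICE[4242] chan_sip.c: Registration from "
       "'<sip:201@10.0.0.5>' failed for '192.168.1.20' - Wrong password"]
)
```

Run `summarize(open("/var/log/asterisk/full").readlines())` to apply it to a real log; a source labelled "enumeration" or "guessing" is a candidate for a fail2ban or firewall rule.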

