[asterisk-users] Why are the hackers scanning for these?

Barry Miller asterisk-users at notanet.net
Sun Nov 7 09:27:52 CST 2010


On Sun, Nov 07, 2010 at 07:11:43AM -0700, Steve Murphy wrote:
> Hey, I'm going thru logs, and I see some very common and interesting things
> that the hackers are looking for.
> 
> In a whole bunch of scans, I've noticed that the first guess or two for sip
> accounts is usually a 10-digit number. I'm asking myself, why these numbers?
> Are they looking for a voip trunk? Or is it just like a serial number for the
> scan? What?

It's SIPVicious.  Before it starts its sequential scan, it makes sure
that it can tell the difference between a valid peer and an unknown one.

It tries two random peers, expecting a 404 response to at least one (most 
likely both) of them.  Then, if it later gets a 401 during the sequential
scan, it knows it's found a good peer name that can be targeted for
password guessing.

On the other hand, if both random guesses elicit 401 responses to
REGISTERs, it knows that it can't winnow out the real peers, and (normally)
just gives up right there.  That's why 'alwaysauthreject' is so effective
at stopping the attacks (as opposed to blocking them).  But if the attacker
uses the '--force' option, which causes the scan to press on regardless, or
something other than SIPVicious, only something like fail2ban will help,
but that won't save your bandwidth like 'alwaysauthreject' will.

-- 
Barry
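As an added, defender-side example that is not part of this thread: a small Python detector in the spirit of the fail2ban approach Barry mentions. It parses constructed Asterisk-style "Registration from ... failed for" NOTICE lines (the exact message format and the sample addresses are assumptions for this example) and flags source IPs that produce a burst of failed REGISTERs, which is what a scanner's sequential pass looks like in the log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines shaped like Asterisk chan_sip NOTICE messages (format assumed).
# 198.51.100.7 behaves like a scanner: two probes with 10-digit names, then sequential
# peer names; 192.0.2.25 is a user who mistyped a password twice.
SAMPLE_LOG = """\
[Nov  7 09:00:01] NOTICE[2112] chan_sip.c: Registration from '"4155551212" <sip:4155551212@203.0.113.10>' failed for '198.51.100.7:5060' - No matching peer found
[Nov  7 09:00:01] NOTICE[2112] chan_sip.c: Registration from '"2125557788" <sip:2125557788@203.0.113.10>' failed for '198.51.100.7:5060' - No matching peer found
[Nov  7 09:00:02] NOTICE[2112] chan_sip.c: Registration from '"1000" <sip:1000@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[Nov  7 09:00:02] NOTICE[2112] chan_sip.c: Registration from '"1001" <sip:1001@203.0.113.10>' failed for '198.51.100.7:5060' - No matching peer found
[Nov  7 09:00:03] NOTICE[2112] chan_sip.c: Registration from '"1002" <sip:1002@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[Nov  7 09:15:00] NOTICE[2112] chan_sip.c: Registration from '"2001" <sip:2001@203.0.113.10>' failed for '192.0.2.25:5060' - Wrong password
[Nov  7 09:15:30] NOTICE[2112] chan_sip.c: Registration from '"2001" <sip:2001@203.0.113.10>' failed for '192.0.2.25:5060' - Wrong password
[Nov  7 09:16:00] VERBOSE[2112] chan_sip.c: Really destroying SIP dialog '1234@203.0.113.10'
"""

FAILED_REG = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<acct>[^']*)' failed for '(?P<ip>\d+(?:\.\d+){3})(?::\d+)?' - (?P<reason>.+)$"
)

def parse_failures(log_text):
    """Return (timestamp, source_ip, reason) for each failed REGISTER line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")  # log has no year
        events.append((ts, m["ip"], m["reason"]))
    return events

def offenders(events, maxretry=5, window=timedelta(minutes=10)):
    """IPs with at least `maxretry` failures inside any `window`, as a fail2ban jail would flag."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            burst = [t for t in stamps[i:] if t - start <= window]
            if len(burst) >= maxretry:
                flagged[ip] = len(burst)  # size of the first burst that crossed the threshold
                break
    return flagged
```

Note that the two leading probes in the sample fail with "No matching peer found" while the later guesses hit real peers; whether the log reason differs from what the scanner sees on the wire depends on 'alwaysauthreject', so count failures per source rather than keying on the reason text.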
