[asterisk-users] A new hack?
Gordon Henderson
gordon+asterisk at drogon.net
Sat Nov 26 05:55:22 CST 2011
Or just an old one that I've not noticed before...
Seeing lines like this in the logs:
[Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=E2lb2p9BOJ
[Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=XMDRarBM2w
[Nov 26 08:47:19] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=AaTE0L0oRj
[Nov 26 08:47:21] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=igsN240Wr5
[Nov 26 08:47:23] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=E8Nkbs0Aye
[Nov 26 08:47:25] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=LEvpc7tK6B
[Nov 26 08:47:27] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=WrIoZ92YPz
[Nov 26 08:47:29] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=kuGTjXr7Pd
[Nov 26 08:47:31] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=ygQBLSjH1m
etc.
The IP address is presumably the IP address of some compromised host (in
Germany in this case, but I've noticed others around the globe so the
software doing it would appear to be widespread) - it's not a host that
should be connecting in.
I suspect that some SIP PBX somewhere is vulnerable to having an account
called "VOIP", so this remote attack is trying to compromise that account.
At least it's only once every 2 seconds, so in that respect no worse than
the multitude of pop/smtp/imap/ssh type attacks that hackers try...
I've seen it on several servers now, always for account VOIP. I'm
presuming the "fake rejection" is the side-effect of using
alwaysauthreject in sip.conf. (if so, then it's doing the right thing)
But something to look out for just in case...
Gordon
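As an added example (not part of Gordon's post or of Asterisk itself), a small Python parser for these chan_sip NOTICE lines that counts fake auth rejections per source host and flags hosts crossing a rate threshold, the kind of logic a fail2ban-style filter or SIEM rule would run. The threshold and window are assumptions, the year is supplied by the caller because Asterisk omits it, and both "@" and the archive's " at " spelling of the SIP URI are accepted.

```python
import re
from collections import defaultdict
from datetime import datetime

# chan_sip NOTICE line emitted when alwaysauthreject=yes answers an unknown user.
# The list archive rewrote '@' as ' at ', so both spellings are accepted.
LINE_RE = re.compile(
    r'^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: '
    r'Sending fake auth rejection for user "(?P<user>[^"]*)" '
    r'<sip:[^@ >]+(?:@| at )(?P<host>[^>;]+)>'
)

def parse_line(line, year=2011):
    """Return (timestamp, user, source host) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group('user'), m.group('host').strip()

def offenders(lines, threshold=5, window_seconds=60, year=2011):
    """host -> (total attempts, users tried) for hosts with >= threshold hits in one window."""
    stamps, users = defaultdict(list), defaultdict(set)
    for line in lines:
        parsed = parse_line(line, year)
        if parsed:
            ts, user, host = parsed
            stamps[host].append(ts)
            users[host].add(user)
    flagged = {}
    for host, times in stamps.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = (len(times), users[host])
                break
    return flagged

# Constructed sample: five of the lines quoted in the post plus one unrelated NOTICE.
SAMPLE_LOG = [
    '[Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=E2lb2p9BOJ',
    '[Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=XMDRarBM2w',
    '[Nov 26 08:47:19] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=AaTE0L0oRj',
    '[Nov 26 08:47:21] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=igsN240Wr5',
    '[Nov 26 08:47:23] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=E8Nkbs0Aye',
    '[Nov 26 08:47:26] NOTICE[789] chan_sip.c: Peer "100" is now Reachable.',
]
```

Running `offenders(SAMPLE_LOG)` reports 85.25.145.176 with five rejections, all against user "VOIP"; the unrelated peer-reachability line is ignored.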