[asterisk-users] A new hack?

Gordon Henderson gordon+asterisk at drogon.net
Sat Nov 26 06:50:55 CST 2011 

On Sat, 26 Nov 2011, Terry Brummell wrote:

> Install & Configure Fail2Ban then the host will be blocked from
> connecting.  And no, it's not new.

I don't need Fail2Ban, thank you. But your advice might be useful to 
others.

Gordon



>
> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com
> [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Gordon
> Henderson
> Sent: Saturday, November 26, 2011 6:55 AM
> To: Asterisk Users Mailing List Discussion
> Subject: [asterisk-users] A new hack?
>
>
> Or just an old one that I've not noticed before...
>
> Seeing lines like this in the logs:
>
>
> [Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection
> for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=E2lb2p9BOJ
> [Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection
> for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=XMDRarBM2w
> [Nov 26 08:47:19] NOTICE[789] chan_sip.c: Sending fake auth rejection
> for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=AaTE0L0oRj
> [Nov 26 08:47:21] NOTICE[789] chan_sip.c: Sending fake auth rejection
> for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=igsN240Wr5
> [Nov 26 08:47:23] NOTICE[789] chan_sip.c: Sending fake auth rejection
> for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=E8Nkbs0Aye
> [Nov 26 08:47:25] NOTICE[789] chan_sip.c: Sending fake auth rejection
> for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=LEvpc7tK6B
> [Nov 26 08:47:27] NOTICE[789] chan_sip.c: Sending fake auth rejection
> for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=WrIoZ92YPz
> [Nov 26 08:47:29] NOTICE[789] chan_sip.c: Sending fake auth rejection
> for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=kuGTjXr7Pd
> [Nov 26 08:47:31] NOTICE[789] chan_sip.c: Sending fake auth rejection
> for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=ygQBLSjH1m
>
>
> etc.
>
> The IP address is presumably the IP address of some compromised host (in
>
> Germany in this case, but I've noticed others around the globe so the
> software doing it would appear to be widespread) - it's not a host that
> should be connecting in.
>
> I supect that some SIP PBX somewhare is vulnerable to having an account
> called "VOIP", so this remote attack is trying to compromise that
> account.
>
> At least it's only once every 2 seconds, so in that respect no worse
> than
> the multitude of pop/smtp/imap/ssh type attacks that hackers try...
>
> I've seen it on several servers now, always for account VOIP. I'm
> presuming the "fake rejection" is the side-effect of using
> alwaysauthreject in sip.conf. (if-so, then it's doing the right thing)
>
> But something to look out for just in-case..
>
> Gordon
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>               http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>               http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users
>

More information about the asterisk-users mailing list