[asterisk-users] PBX hacked: why hundreds of calls to the same number?

Rainer Piper rainer.piper at soho-piper.de
Fri Oct 3 13:42:57 CDT 2014


just one more ;-)

the source IP just changed to

142.0.41.179


OrgName:        VolumeDrive
OrgId:          VOLUM-2
Address:        1143 Northern Blvd
City:           Clarks Summit
StateProv:      PA
PostalCode:     18411
Country:        US

and the destination number to

972595632276



Oct  3 20:26:37 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 142.0.41.179 sipcli/v1.8 rm=INVITE aU=<null> rU=+972595632276



On 03.10.2014 at 20:15, Rainer Piper wrote:
> Hi Chris,
>
> yes ... it is boring ...
> I stop posting ...
> ;-)
>
>
> On 03.10.2014 at 20:11, Chris Bagnall wrote:
>> On 3/10/14 6:52 pm, Rainer Piper wrote:
>>> the attacking server changed the destination number at 18:53 CEST and
>>> he is still blocked ... LOL
>>> 972597438354
>>
>> It's pretty much an everyday occurrence for any internet-connected 
>> SIP system these days...
>>
>>> Oct  3 19:46:20 server /sbin/kamailio[3977]: NOTICE: <script>: blocking
>>> IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=100972597438354
>>
>> Many of these attacks come from fairly easily recognised user-agent 
>> strings, so if you fancy doing a bit of packet inspection with your 
>> firewall, you can block many of these before they get as far as your 
>> SIP server(s) themselves.
>>
>> For example, the sipcli scans you listed above can be blocked fairly 
>> easily with:
>> iptables -A INPUT -p udp --dport 5060 -m string --algo bm --string 
>> "sipcli" -j DROP
>>
>> (obviously there are overheads to string searching UDP/5060 packets 
>> that you'll want to consider, and the above won't work if you're 
>> using sipcli legitimately anywhere on your network)
>>
>> Kind regards,
>>
>> Chris
>
>
> -- 
> *Rainer Piper*
> Integration engineer
> Koeslinstr. 56
> 53123 BONN
> GERMANY
> Phone: +49 228 97167161
> P2P: sip:rainer at sip.soho-piper.de:5072 (pjsip-test)
> XMPP: rainer at xmpp.soho-piper.de
>
>


-- 
*Rainer Piper*
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer at sip.soho-piper.de:5072 (pjsip-test)
XMPP: rainer at xmpp.soho-piper.de
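The Kamailio "blocking IP" NOTICE lines quoted in this thread can be tallied to answer the subject's question: how many blocked attempts per source IP, per user-agent and per destination number. This is an added example, not code from the thread or from Kamailio; the regex follows the quoted log format, the sample lines and the 12-digit number normalisation are constructed assumptions, and matches_sipcli only imitates the substring test of the iptables rule Chris posted.

```python
"""Tally Kamailio 'blocking IP' NOTICE lines by source, user-agent and destination."""
import re
from collections import Counter

# Fields of the NOTICE lines quoted in the thread: source IP, User-Agent,
# method (rm), authenticated user (aU) and requested user (rU, the dialled number).
BLOCK_RE = re.compile(
    r"NOTICE: <script>: blocking IP (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<ua>\S+) rm=(?P<method>\w+) aU=(?P<au>\S+) rU=(?P<ru>\S+)"
)

# Constructed sample log lines in the same format as the thread's excerpts.
SAMPLE_LOG = """\
Oct  3 19:46:20 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=100972597438354
Oct  3 19:46:21 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=900972597438354
Oct  3 20:26:37 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 142.0.41.179 sipcli/v1.8 rm=INVITE aU=<null> rU=+972595632276
Oct  3 20:26:38 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 142.0.41.179 sipcli/v1.8 rm=INVITE aU=<null> rU=0972595632276
Oct  3 20:27:02 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 142.0.41.179 sipcli/v1.8 rm=INVITE aU=<null> rU=00972595632276
"""


def parse_block_lines(text):
    """Return one dict per 'blocking IP' line; unrelated log lines are skipped."""
    return [m.groupdict() for m in map(BLOCK_RE.search, text.splitlines()) if m]


def normalise_number(ru):
    """Collapse dialling-prefix variants (+, 0, 00, 1, 9 ...) to the bare digits.

    The scanners in the thread retry one destination with different prefixes;
    keeping the last 12 digits is an assumed heuristic sized to the numbers
    quoted there, not a general E.164 parser.
    """
    return re.sub(r"\D", "", ru)[-12:]


def summarise(events):
    """Count blocked attempts per source IP, per user-agent name and per destination."""
    return {
        "by_ip": Counter(e["ip"] for e in events),
        "by_ua": Counter(e["ua"].split("/")[0] for e in events),
        "by_dest": Counter(normalise_number(e["ru"]) for e in events),
    }


def matches_sipcli(udp_payload):
    """Same test as 'iptables -m string --string sipcli': a substring match anywhere in the payload."""
    return b"sipcli" in udp_payload


if __name__ == "__main__":
    for key, counter in summarise(parse_block_lines(SAMPLE_LOG)).items():
        print(key, counter.most_common(3))
```

A destination that keeps recurring across prefix variants and source IPs is the pattern behind the subject line; the firewall string match stops the sipcli traffic before Kamailio logs it, at the cost Chris notes of also dropping any legitimate sipcli use.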