[asterisk-users] PBX hacked: why hundred of calls to the same number ?
Rainer Piper
rainer.piper at soho-piper.de
Fri Oct 3 13:42:57 CDT 2014
just one more ;-)
the source IP just changed to
142.0.41.179
OrgName: VolumeDrive
OrgId: VOLUM-2
Address: 1143 Northern Blvd
City: Clarks Summit
StateProv: PA
PostalCode: 18411
Country: US
and the destination Number to
972595632276
Oct 3 20:26:37 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 142.0.41.179 sipcli/v1.8 rm=INVITE aU=<null> rU=+972595632276
Am 03.10.2014 um 20:15 schrieb Rainer Piper:
> Hi Chris,
>
> yes ... it is boring ...
> I stop posting ...
> ;-)
>
>
> Am 03.10.2014 um 20:11 schrieb Chris Bagnall:
>> On 3/10/14 6:52 pm, Rainer Piper wrote:
>>> the attacking server changed the destination Number at 18:53 CEST
>>> and
>>> he is still blocked ... LOL
>>> 972597438354
>>
>> It's pretty much an everyday occurrence for any internet-connected
>> SIP system these days...
>>
>>> Oct 3 19:46:20 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=100972597438354
>>
>> Many of these attacks come from fairly easily recognised user-agent
>> strings, so if you fancy doing a bit of packet inspection with your
>> firewall, you can block many of these before they get as far as your
>> SIP server(s) themselves.
>>
>> For example, the sipcli scans you listed above can be blocked fairly
>> easily with:
>> iptables -A INPUT -p udp --dport 5060 -m string --algo bm --string "sipcli" -j DROP
>>
>> (obviously there are overheads to string searching UDP/5060 packets
>> that you'll want to consider, and the above won't work if you're
>> using sipcli legitimately anywhere on your network)
>>
>> Kind regards,
>>
>> Chris
>
>
> --
> *Rainer Piper*
> Integration engineer
> Koeslinstr. 56
> 53123 BONN
> GERMANY
> Phone: +49 228 97167161
> P2P: sip:rainer at sip.soho-piper.de:5072 (pjsip-test)
> XMPP: rainer at xmpp.soho-piper.de
>
>
--
*Rainer Piper*
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer at sip.soho-piper.de:5072 (pjsip-test)
XMPP: rainer at xmpp.soho-piper.de
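
Added example (not part of the thread and not code from any poster): a small Python parser for the `blocking IP` NOTICE lines quoted above. It groups blocked requests by User-Agent and shows the same `sipcli` client returning from a different source IP with a different destination number. The log layout is taken from the two lines in the thread; the third sample line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout of the NOTICE lines quoted in this thread. They come from the
# poster's own Kamailio routing script, so the field order is an assumption
# that only holds for logs written in that same format.
LINE_RE = re.compile(
    r"blocking IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<ua>\S+) "
    r"rm=(?P<method>\w+) aU=(?P<auth_user>\S+) rU=(?P<ruri_user>\S+)"
)

# First two lines are from the thread; the last one is constructed.
SAMPLE_LOG = """\
Oct 3 19:46:20 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=100972597438354
Oct 3 20:26:37 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 142.0.41.179 sipcli/v1.8 rm=INVITE aU=<null> rU=+972595632276
Oct 3 20:27:01 server /sbin/kamailio[3977]: INFO: <script>: REGISTER from 192.0.2.10 accepted
"""


def parse_blocked(log_text):
    """Return one dict per 'blocking IP' line; all other lines are skipped."""
    matches = map(LINE_RE.search, log_text.splitlines())
    return [m.groupdict() for m in matches if m]


def summarize_by_user_agent(events):
    """Group blocked requests by User-Agent product name (version stripped)."""
    summary = defaultdict(lambda: {"ips": set(), "targets": set(), "count": 0})
    for ev in events:
        product = ev["ua"].split("/", 1)[0].lower()
        entry = summary[product]
        entry["ips"].add(ev["ip"])
        entry["targets"].add(ev["ruri_user"])
        entry["count"] += 1
    return dict(summary)


def rotating_sources(summary, min_ips=2):
    """User agents seen from several IPs: a per-IP ban must be repeated for each."""
    return sorted(ua for ua, e in summary.items() if len(e["ips"]) >= min_ips)


if __name__ == "__main__":
    stats = summarize_by_user_agent(parse_blocked(SAMPLE_LOG))
    for ua in rotating_sources(stats):
        e = stats[ua]
        print(f"{ua}: {e['count']} blocked, IPs={sorted(e['ips'])}, "
              f"targets={sorted(e['targets'])}")
```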