We set up our servers to allowguest=yes and autocreatepeer=yes and use a global context setting to point any of those calls to an IVR jail. Attempts stop reasonably quickly.
An empty "room" with an unlocked "door" is far less interesting than a room with the door locked.

From: [email protected] [mailto:[email protected]] On Behalf Of Rainer Piper
Sent: Friday, October 03, 2014 1:53 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] PBX hacked: why hundred of calls to the same number ?

the attacking server changed the destination Number at 18:53 CEST and he is still blocked ... LOL

972597438354

Oct 3 18:53:17 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=00972597438354
Oct 3 19:06:37 server /sbin/kamailio[3978]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=000972597438354
Oct 3 19:19:45 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=972597438354
Oct 3 19:32:59 server /sbin/kamailio[3978]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=*000972597438354
Oct 3 19:46:20 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=100972597438354

On 03.10.2014 at 14:52, Rainer Piper wrote:

On 02.10.2014 at 15:40, Tzafrir Cohen wrote:

On Thu, Oct 02, 2014 at 07:52:34AM +0200, Rainer Piper wrote:

Is the destination Number like Country Code +972?

+972 59 xxxxxx(x) mobile - Jawall [moving to 7-digit subscriber numbers]
source - http://www.wtng.info/wtng-972-il.html

That page is slightly dated. +972 59 XXXXXXX are all the numbers in the Palestinian Authority (there are several providers besides Jawall).

My SIP Proxy logs all the unauth. INVITEs and I found that a lot of calls go to the Country code +972 xxxxxxxxxxx

As a resident of +972 (+972-4), I'll just note that those hack attempts are typically related to PA numbers (+972-59) as rates there are higher.

Hi Tzafrir,

ok, the page www.wtng.info is not really up to date.

Here are some logs to see the variations of the attempt to dial over my proxy

Oct 3 11:23:06 server /sbin/kamailio[7217]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=00972592910519
Oct 3 11:42:52 server /sbin/kamailio[7218]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=972592910519
Oct 3 11:53:15 server /sbin/kamailio[7217]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=700972592910519
Oct 3 12:06:32 server /sbin/kamailio[7218]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=200972592910519
Oct 3 12:20:04 server /sbin/kamailio[7217]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=#00972592910519
Oct 3 12:32:53 server /sbin/kamailio[7218]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=*000972592910519
Oct 3 12:45:35 server /sbin/kamailio[7217]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=*972592910519
Oct 3 12:57:42 server /sbin/kamailio[7217]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=9999900972592910519
Oct 3 13:09:37 server /sbin/kamailio[7218]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=7700972592910519
Oct 3 13:21:24 server /sbin/kamailio[7217]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=66600972592910519
Oct 3 13:33:11 server /sbin/kamailio[7218]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=555500972592910519

and the source IP 69.30.254.234 is coming from

OrgName: WholeSale Internet, Inc.
OrgId: WHOLE-125
Address: 324 E. 11th St.
Address: Suite 1000
City: Kansas City
StateProv: MO
PostalCode: 64106
Country: US

very strange ;-)

--
Rainer Piper
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:[email protected]:5072 (pjsip-test)
XMPP: [email protected]
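The log excerpts in this thread show each source retrying one destination under different dial prefixes. As an added example (not part of the original posts), this Python sketch groups the blocked INVITEs by source IP and reports the shared number and the prefixes tried; the function names and thresholds are assumptions, and the sample lines are copied from the thread's log excerpts.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the kamailio excerpts quoted in the thread.
SAMPLE_LOG = """\
Oct 3 11:23:06 server /sbin/kamailio[7217]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=00972592910519
Oct 3 11:42:52 server /sbin/kamailio[7218]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=972592910519
Oct 3 12:32:53 server /sbin/kamailio[7218]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=*000972592910519
Oct 3 12:57:42 server /sbin/kamailio[7217]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=9999900972592910519
Oct 3 18:53:17 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=00972597438354
Oct 3 19:19:45 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=972597438354
Oct 3 19:32:59 server /sbin/kamailio[3978]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=*000972597438354
"""

LINE_RE = re.compile(
    r"blocking IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<ua>\S+) "
    r"rm=(?P<method>\w+) aU=(?P<au>\S+) rU=(?P<ru>\S+)"
)

def parse(log_text):
    """Yield (source_ip, user_agent, request_user) per blocked INVITE line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["method"] == "INVITE":
            yield m["ip"], m["ua"], m["ru"]

def common_suffix(values):
    """Return the longest string that every value ends with."""
    out = []
    for chars in zip(*(v[::-1] for v in values)):
        if len(set(chars)) != 1:
            break
        out.append(chars[0])
    return "".join(out)[::-1]

def prefix_probes(log_text, min_variants=3, min_suffix=8):
    """Map IP -> (shared number, prefixes tried) for prefix-guessing sources."""
    by_ip = defaultdict(set)
    for ip, _ua, ru in parse(log_text):
        by_ip[ip].add(ru)
    report = {}
    for ip, dialed in by_ip.items():
        core = common_suffix(dialed)
        if len(dialed) >= min_variants and len(core) >= min_suffix:
            report[ip] = (core, sorted(d[: len(d) - len(core)] for d in dialed))
    return report

if __name__ == "__main__":
    for ip, (core, prefixes) in prefix_probes(SAMPLE_LOG).items():
        print(ip, core, prefixes)
```

An empty string in the prefix list means the number was also dialed with no prefix at all.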
