just one more ;-)

the source IP just changed to

142.0.41.179


OrgName:        VolumeDrive
OrgId:          VOLUM-2
Address:        1143 Northern Blvd
City:           Clarks Summit
StateProv:      PA
PostalCode:     18411
Country:        US

and the destination Number to

972595632276



Oct  3 20:26:37 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 142.0.41.179 sipcli/v1.8 rm=INVITE aU=<null> rU=+972595632276



On 03.10.2014 at 20:15, Rainer Piper wrote:
Hi Chris,

yes ... it is boring ...
I stop posting ...
;-)


On 03.10.2014 at 20:11, Chris Bagnall wrote:
On 3/10/14 6:52 pm, Rainer Piper wrote:
the attacking server changed the destination Number at 18:53 CEST and
he is still blocked ... LOL
972597438354

It's pretty much an everyday occurrence for any internet-connected SIP system these days...

Oct  3 19:46:20 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=100972597438354

Many of these attacks come from fairly easily recognised user-agent strings, so if you fancy doing a bit of packet inspection with your firewall, you can block many of these before they get as far as your SIP server(s) themselves.

For example, the sipcli scans you listed above can be blocked fairly easily with:

    iptables -A INPUT -p udp --dport 5060 -m string --algo bm --string "sipcli" -j DROP

(obviously there are overheads to string searching UDP/5060 packets that you'll want to consider, and the above won't work if you're using sipcli legitimately anywhere on your network)

Kind regards,

Chris


--
*Rainer Piper*
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:[email protected]:5072 (pjsip-test)
XMPP: [email protected]
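
An added example, not part of the thread: it groups the Kamailio "blocking IP" notices by user-agent to show which strings recur across several source addresses, which is the case where a user-agent match at the firewall helps more than per-IP blocks. The field layout is assumed from the two log lines quoted in the thread, the function names are hypothetical, and the last two sample records are constructed.

```python
import re
from collections import defaultdict

# Layout assumed from the two log lines quoted in this thread:
#   ... NOTICE: <script>: blocking IP <ip> <user-agent> rm=<method> aU=<user> rU=<dialled>
LINE_RE = re.compile(
    r"blocking IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<ua>.+?) "
    r"rm=(?P<method>\S+) aU=(?P<au>\S+) rU=(?P<ru>\S+)"
)
# A syslog record starts with "Mon dd hh:mm:ss"; anything else is a wrapped tail.
RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")

SAMPLE_LOG = """\
Oct  3 19:46:20 server /sbin/kamailio[3977]: NOTICE: <script>: blocking
IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=100972597438354
Oct  3 20:26:37 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 142.0.41.179 sipcli/v1.8 rm=INVITE aU=<null> rU=+972595632276
Oct  3 20:30:02 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 192.0.2.10 ExampleUA/1.0 rm=REGISTER aU=100 rU=<null>
Oct  3 20:31:00 server sshd[812]: unrelated line
"""  # first two records are from the thread; the last two are constructed

def unwrap(text):
    """Rejoin records that a mail client or pager wrapped across lines."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Map user-agent -> {'ips': set, 'targets': set, 'hits': int}."""
    stats = defaultdict(lambda: {"ips": set(), "targets": set(), "hits": 0})
    for record in unwrap(text):
        m = LINE_RE.search(record)
        if not m:
            continue  # not a "blocking IP" notice
        entry = stats[m["ua"]]
        entry["ips"].add(m["ip"])
        entry["targets"].add(m["ru"])
        entry["hits"] += 1
    return dict(stats)

def firewall_candidates(stats, min_ips=2):
    """User-agents seen from several sources: IP blocks alone will not keep up."""
    return sorted(ua for ua, e in stats.items() if len(e["ips"]) >= min_ips)

if __name__ == "__main__":
    print(firewall_candidates(summarize(SAMPLE_LOG)))
```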



