ALERT please report hacks

phonebuff

Guru
Joined
Feb 7, 2008
Messages
1,117
Reaction score
129
Attach from Rackspace host ?

Been seeing a number of attacks from the Rackspace IP range. An attempt to contact their abuse group has been met by silence. Anyone having any luck getting action from them?

Rackspace Hosting RACKS-8-NET-4 (NET-184-106-0-0-1) 184.106.0.0 - 184.106.255.255
Slicehost RACKS-8-1283290806351644 (NET-184-106-144-0-1) 184.106.144.0 - 184.106.159.255

Code:
[2010-11-22 12:27:04] NOTICE[2046] chan_sip.c: Registration from '"test"<sip:[email protected]>' failed for '184.106.155.188' - No matching peer found
[2010-11-22 12:27:04] NOTICE[2046] chan_sip.c: Registration from '"sip"<sip:[email protected]>' failed for '184.106.155.188' - No matching peer found
[2010-11-22 12:27:04] NOTICE[2046] chan_sip.c: Registration from '"user"<sip:[email protected]>' failed for '184.106.155.188' - No matching peer found
[2010-11-22 12:27:04] NOTICE[2046] chan_sip.c: Registration from '"admin"<sip:[email protected]>' failed for '184.106.155.188' - No matching peer found
[2010-11-22 12:27:04] NOTICE[2046] chan_sip.c: Registration from '"pass"<sip:[email protected]>' failed for '184.106.155.188' - No matching peer found
[2010-11-22 12:27:04] NOTICE[2046] chan_sip.c: Registration from '"password"<sip:[email protected]>' failed for '184.106.155.188' - No matching peer found
[2010-11-22 12:27:04] NOTICE[2046] chan_sip.c: Registration from '"testing"<sip:[email protected]>' failed for '184.106.155.188' - No matching peer found
[2010-11-22 12:27:04] NOTICE[2046] chan_sip.c: Registration from '"guest"<sip:[email protected]>' failed for '184.106.155.188' - No matching peer found
[2010-11-22 12:27:04] NOTICE[2046] chan_sip.c: Registration from '"voip"<sip:[email protected]>' failed for '184.106.155.188' - No matching peer found
[2010-11-22 12:27:04] NOTICE[2046] chan_sip.c: Registration from '"account"<sip:[email protected]>' failed for '184.106.155.188' - No matching peer found
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,221
I've forwarded your note up the chain. We'll see what happens. :cool:
 

The Deacon

Guru
Joined
Jan 29, 2008
Messages
296
Reaction score
14
Here's some more hack attempt goodness:

Code:
[2010-11-22 09:08:31] NOTICE[5789] chan_sip.c: Registration from '"2523416501"<sip:[email protected]>' failed for '221.195.4.13' - No matching peer found
[2010-11-22 09:08:31] NOTICE[5789] chan_sip.c: Registration from '"1409753650"<sip:[email protected]>' failed for '221.195.4.13' - No matching peer found
[2010-11-22 09:08:31] NOTICE[5789] chan_sip.c: Registration from '"noauth"<sip:[email protected]>' failed for '221.195.4.13' - No matching peer found
[2010-11-22 09:08:31] NOTICE[5789] chan_sip.c: Registration from '"user1"<sip:[email protected]>' failed for '221.195.4.13' - No matching peer found
[2010-11-22 09:08:31] NOTICE[5789] chan_sip.c: Registration from '"pc1"<sip:[email protected]>' failed for '221.195.4.13' - No matching peer found
[2010-11-22 09:08:31] NOTICE[5789] chan_sip.c: Registration from '"manager"<sip:[email protected]>' failed for '221.195.4.13' - No matching peer found
[2010-11-22 09:08:31] NOTICE[5789] chan_sip.c: Registration from '"administrator"<sip:[email protected]>' failed for '221.195.4.13' - No matching peer found
[2010-11-22 09:08:31] NOTICE[5789] chan_sip.c: Registration from '"dave"<sip:[email protected]>' failed for '221.195.4.13' - No matching peer found
[2010-11-22 09:08:31] NOTICE[5789] chan_sip.c: Registration from '"gary"<sip:[email protected]>' failed for '221.195.4.13' - No matching peer found
[2010-11-22 09:08:31] NOTICE[5789] chan_sip.c: Registration from '"john"<sip:[email protected]>' failed for '221.195.4.13' - No matching peer found
[2010-11-22 09:08:31] NOTICE[5789] chan_sip.c: Registration from '"pual"<sip:[email protected]>' failed for '221.195.4.13' - No matching peer found
[2010-11-22 09:08:31] NOTICE[5789] chan_sip.c: Registration from '"albert"<sip:[email protected]>' failed for '221.195.4.13' - No matching peer found
[2010-11-22 09:08:31] NOTICE[5789] chan_sip.c: Registration from '"sasha"<sip:[email protected]>' failed for '221.195.4.13' - No matching peer found
[2010-11-22 09:08:31] NOTICE[5789] chan_sip.c: Registration from '"phone"<sip:[email protected]>' failed for '221.195.4.13' - No matching peer found
[2010-11-22 09:08:31] NOTICE[5789] chan_sip.c: Registration from '"100"<sip:[email protected]>' failed for '221.195.4.13' - No matching peer found
[2010-11-22 09:08:31] NOTICE[5789] chan_sip.c: Registration from '"101"<sip:[email protected]>' failed for '221.195.4.13' - No matching peer found
[2010-11-22 09:08:31] NOTICE[5789] chan_sip.c: Registration from '"102"<sip:[email protected]>' failed for '221.195.4.13' - No matching peer found
[2010-11-22 09:08:31] NOTICE[5789] chan_sip.c: Registration from '"103"<sip:[email protected]>' failed for '221.195.4.13' - No matching peer found
[2010-11-22 10:30:40] NOTICE[5789] chan_sip.c: Registration from '"185391685"<sip:[email protected]>' failed for '196.28.96.10' - No matching peer found
[2010-11-22 10:30:40] NOTICE[5789] chan_sip.c: Registration from '"3703927479"<sip:[email protected]>' failed for '196.28.96.10' - No matching peer found
 

pbxiaf1616

Member
Joined
Oct 5, 2010
Messages
31
Reaction score
2
[Nov 19 05:27:22] NOTICE[32322] chan_sip.c: Registration from '"4259716852"<sip:[email protected]>' failed for '131.91.129.82' - No matching peer found
[Nov 19 05:27:23] NOTICE[32322] chan_sip.c: Registration from '"407799895"<sip:[email protected]>' failed for '131.91.129.82' - No matching peer found

Got one here. Do you know this IP? Tried once.

[2010-11-23 05:08:17] NOTICE[2732] chan_sip.c: Registration from '"4265182687"<sip:[email protected]>' failed for '24.38.126.218' - No matching peer found
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,221
Probably a bot on somebody's Windows machine. That's the newest trick. They only make one or two attempts to avoid triggering Fail2Ban.

Bethpage NY US
IP: 24.38.126.218
 

phonebuff

Guru
Joined
Feb 7, 2008
Messages
1,117
Reaction score
129
China ---

Logged 2,449 attempts at SIP. Fail2ban did its thing, but every time the window expired, back the traffic comes. So now it's blocked by the pfSense box permanently.

The IP 59.39.66.30 has just been banned by Fail2Ban after
141 attempts against ASTERISK.

[2011-01-24 10:28:56] NOTICE[3815] chan_sip.c: Registration from '"aaron" <sip:[email protected]>' failed for '59.39.66.30' - No matching peer found

inetnum: 59.39.66.16 - 59.39.66.31
netname: shanghaidilianxinxikejifazhanyo
descr: shanghaidilianxinxikejifazhanyouxiangongsi
country: CN
admin-c: FS-AP
tech-c: IC83-AP
mnt-by: MAINT-CHINANET-GD
changed: [email protected] 20091202
status: Allocated non-portable
source: APNIC
 

marv

Member
Joined
Nov 26, 2007
Messages
84
Reaction score
2
Increasing Amount of Activity

I have noticed that there seems to be an increasing amount of activity occurring with someone trying to connect to my system. :eek: I host the PBX for my family in various locations, so I do have the SIP ports forwarded on my firewall.
I compiled some clips from my CDR and the associated lines of the log files. Lately it shows connections are coming in from unknown peers. I have Allow Anonymous Inbound SIP Calls set to NO. Any suggestions or comments?

Code:
1.      2011-01-27 00:49:12     SIP/208.38...     test     "test" <test>     s     ANSWERED     00:00

[2011-01-27 00:49:12] VERBOSE[3006] netsock.c:   == Using SIP RTP TOS bits 184
[2011-01-27 00:49:12] VERBOSE[3006] netsock.c:   == Using SIP RTP CoS mark 5
[2011-01-27 00:49:12] VERBOSE[1281] pbx.c:     -- Executing [000442073479999@from-sip-external:1] NoOp("SIP/208.38.186.200-0000025c", "Received incoming SIP connection from unknown peer to 000442073479999") in new stack
[2011-01-27 00:49:12] VERBOSE[1281] pbx.c:     -- Executing [000442073479999@from-sip-external:2] Set("SIP/208.38.186.200-0000025c", "DID=000442073479999") in new stack
[2011-01-27 00:49:12] VERBOSE[1281] pbx.c:     -- Executing [000442073479999@from-sip-external:3] Goto("SIP/208.38.186.200-0000025c", "s,1") in new stack
[2011-01-27 00:49:12] VERBOSE[1281] pbx.c:     -- Goto (from-sip-external,s,1)
[2011-01-27 00:49:12] VERBOSE[1281] pbx.c:     -- Executing [s@from-sip-external:1] GotoIf("SIP/208.38.186.200-0000025c", "0?checklang:noanonymous") in new stack
[2011-01-27 00:49:12] VERBOSE[1281] pbx.c:     -- Goto (from-sip-external,s,5)
[2011-01-27 00:49:12] VERBOSE[1281] pbx.c:     -- Executing [s@from-sip-external:5] Set("SIP/208.38.186.200-0000025c", "TIMEOUT(absolute)=15") in new stack
[2011-01-27 00:49:12] VERBOSE[1281] func_timeout.c: Channel will hangup at 2011-01-27 00:49:27.039 CST.
[2011-01-27 00:49:12] VERBOSE[1281] pbx.c:     -- Executing [s@from-sip-external:6] Answer("SIP/208.38.186.200-0000025c", "") in new stack
[2011-01-27 00:49:12] VERBOSE[1281] pbx.c:   == Spawn extension (from-sip-external, s, 6) exited non-zero on 'SIP/208.38.186.200-0000025c'
[2011-01-27 00:49:12] VERBOSE[1281] pbx.c:     -- Executing [h@from-sip-external:1] Hangup("SIP/208.38.186.200-0000025c", "") in new stack
[2011-01-27 00:49:12] VERBOSE[1281] pbx.c:   == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/208.38.186.200-0000025c'

-------------------------------------

10.      2011-01-26 19:37:16     SIP/212.23...     test     "test" <test>     s     ANSWERED     00:00

[2011-01-26 19:37:16] VERBOSE[3006] netsock.c:   == Using SIP RTP TOS bits 184
[2011-01-26 19:37:16] VERBOSE[3006] netsock.c:   == Using SIP RTP CoS mark 5
[2011-01-26 19:37:16] VERBOSE[32500] pbx.c:     -- Executing [000442073479999@from-sip-external:1] NoOp("SIP/212.239.57.56-00000240", "Received incoming SIP connection from unknown peer to 000442073479999") in new stack
[2011-01-26 19:37:16] VERBOSE[32500] pbx.c:     -- Executing [000442073479999@from-sip-external:2] Set("SIP/212.239.57.56-00000240", "DID=000442073479999") in new stack
[2011-01-26 19:37:16] VERBOSE[32500] pbx.c:     -- Executing [000442073479999@from-sip-external:3] Goto("SIP/212.239.57.56-00000240", "s,1") in new stack
[2011-01-26 19:37:16] VERBOSE[32500] pbx.c:     -- Goto (from-sip-external,s,1)
[2011-01-26 19:37:16] VERBOSE[32500] pbx.c:     -- Executing [s@from-sip-external:1] GotoIf("SIP/212.239.57.56-00000240", "0?checklang:noanonymous") in new stack
[2011-01-26 19:37:16] VERBOSE[32500] pbx.c:     -- Goto (from-sip-external,s,5)
[2011-01-26 19:37:16] VERBOSE[32500] pbx.c:     -- Executing [s@from-sip-external:5] Set("SIP/212.239.57.56-00000240", "TIMEOUT(absolute)=15") in new stack
[2011-01-26 19:37:16] VERBOSE[32500] func_timeout.c: Channel will hangup at 2011-01-26 19:37:31.475 CST.
[2011-01-26 19:37:16] VERBOSE[32500] pbx.c:     -- Executing [s@from-sip-external:6] Answer("SIP/212.239.57.56-00000240", "") in new stack
[2011-01-26 19:37:16] VERBOSE[32500] pbx.c:   == Spawn extension (from-sip-external, s, 6) exited non-zero on 'SIP/212.239.57.56-00000240'
[2011-01-26 19:37:16] VERBOSE[32500] pbx.c:     -- Executing [h@from-sip-external:1] Hangup("SIP/212.239.57.56-00000240", "") in new stack
[2011-01-26 19:37:16] VERBOSE[32500] pbx.c:   == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/212.239.57.56-00000240'

-------------------------------------------

105.      2011-01-25 10:37:02     SIP/194.28...     test     "test" <test>     s     ANSWERED     00:13

[2011-01-25 10:37:02] VERBOSE[3006] netsock.c:   == Using SIP RTP TOS bits 184
[2011-01-25 10:37:02] VERBOSE[3006] netsock.c:   == Using SIP RTP CoS mark 5
[2011-01-25 10:37:02] VERBOSE[27677] pbx.c:     -- Executing [00442073479999@from-sip-external:1] NoOp("SIP/194.28.112.29-00000121", "Received incoming SIP connection from unknown peer to 00442073479999") in new stack
[2011-01-25 10:37:02] VERBOSE[27677] pbx.c:     -- Executing [00442073479999@from-sip-external:2] Set("SIP/194.28.112.29-00000121", "DID=00442073479999") in new stack
[2011-01-25 10:37:02] VERBOSE[27677] pbx.c:     -- Executing [00442073479999@from-sip-external:3] Goto("SIP/194.28.112.29-00000121", "s,1") in new stack
[2011-01-25 10:37:02] VERBOSE[27677] pbx.c:     -- Goto (from-sip-external,s,1)
[2011-01-25 10:37:02] VERBOSE[27677] pbx.c:     -- Executing [s@from-sip-external:1] GotoIf("SIP/194.28.112.29-00000121", "0?checklang:noanonymous") in new stack
[2011-01-25 10:37:02] VERBOSE[27677] pbx.c:     -- Goto (from-sip-external,s,5)
[2011-01-25 10:37:02] VERBOSE[27677] pbx.c:     -- Executing [s@from-sip-external:5] Set("SIP/194.28.112.29-00000121", "TIMEOUT(absolute)=15") in new stack
[2011-01-25 10:37:02] VERBOSE[27677] func_timeout.c: Channel will hangup at 2011-01-25 10:37:17.642 CST.
[2011-01-25 10:37:02] VERBOSE[27677] pbx.c:     -- Executing [s@from-sip-external:6] Answer("SIP/194.28.112.29-00000121", "") in new stack
[2011-01-25 10:37:03] VERBOSE[27677] pbx.c:     -- Executing [s@from-sip-external:7] Wait("SIP/194.28.112.29-00000121", "2") in new stack
[2011-01-25 10:37:05] VERBOSE[27677] pbx.c:     -- Executing [s@from-sip-external:8] Playback("SIP/194.28.112.29-00000121", "ss-noservice") in new stack
[2011-01-25 10:37:05] VERBOSE[27677] file.c:     -- <SIP/194.28.112.29-00000121> Playing 'ss-noservice.gsm' (language 'en')
[2011-01-25 10:37:10] VERBOSE[27677] pbx.c:     -- Executing [s@from-sip-external:9] PlayTones("SIP/194.28.112.29-00000121", "congestion") in new stack
[2011-01-25 10:37:10] VERBOSE[27677] pbx.c:     -- Executing [s@from-sip-external:10] Congestion("SIP/194.28.112.29-00000121", "5") in new stack
[2011-01-25 10:37:15] VERBOSE[27677] pbx.c:   == Spawn extension (from-sip-external, s, 10) exited non-zero on 'SIP/194.28.112.29-00000121'
[2011-01-25 10:37:15] VERBOSE[27677] pbx.c:     -- Executing [h@from-sip-external:1] Hangup("SIP/194.28.112.29-00000121", "") in new stack
[2011-01-25 10:37:15] VERBOSE[27677] pbx.c:   == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/194.28.112.29-00000121'

----------------------------------------------------

131.      2011-01-25 01:50:45     SIP/74.200...     test     "test" <test>     s     ANSWERED     00:00

[2011-01-25 01:50:45] VERBOSE[3006] netsock.c:   == Using SIP RTP TOS bits 184
[2011-01-25 01:50:45] VERBOSE[3006] netsock.c:   == Using SIP RTP CoS mark 5
[2011-01-25 01:50:45] VERBOSE[14083] pbx.c:     -- Executing [00442073479999@from-sip-external:1] NoOp("SIP/74.200.194.170-000000d8", "Received incoming SIP connection from unknown peer to 00442073479999") in new stack
[2011-01-25 01:50:45] VERBOSE[14083] pbx.c:     -- Executing [00442073479999@from-sip-external:2] Set("SIP/74.200.194.170-000000d8", "DID=00442073479999") in new stack
[2011-01-25 01:50:45] VERBOSE[14083] pbx.c:     -- Executing [00442073479999@from-sip-external:3] Goto("SIP/74.200.194.170-000000d8", "s,1") in new stack
[2011-01-25 01:50:45] VERBOSE[14083] pbx.c:     -- Goto (from-sip-external,s,1)
[2011-01-25 01:50:45] VERBOSE[14083] pbx.c:     -- Executing [s@from-sip-external:1] GotoIf("SIP/74.200.194.170-000000d8", "0?checklang:noanonymous") in new stack
[2011-01-25 01:50:45] VERBOSE[14083] pbx.c:     -- Goto (from-sip-external,s,5)
[2011-01-25 01:50:45] VERBOSE[14083] pbx.c:     -- Executing [s@from-sip-external:5] Set("SIP/74.200.194.170-000000d8", "TIMEOUT(absolute)=15") in new stack
[2011-01-25 01:50:45] VERBOSE[14083] func_timeout.c: Channel will hangup at 2011-01-25 01:51:00.892 CST.
[2011-01-25 01:50:45] VERBOSE[14083] pbx.c:     -- Executing [s@from-sip-external:6] Answer("SIP/74.200.194.170-000000d8", "") in new stack
[2011-01-25 01:50:45] VERBOSE[14083] pbx.c:   == Spawn extension (from-sip-external, s, 6) exited non-zero on 'SIP/74.200.194.170-000000d8'
[2011-01-25 01:50:45] VERBOSE[14083] pbx.c:     -- Executing [h@from-sip-external:1] Hangup("SIP/74.200.194.170-000000d8", "") in new stack
[2011-01-25 01:50:45] VERBOSE[14083] pbx.c:   == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/74.200.194.170-000000d8'
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
Hi

This is inevitable with an open system.

Consider finding out the IP address ranges of your family's ISPs and restrict incoming connections to those ranges, which will reduce the possibility for attack.

Secondly,

"...I have Allow Anonymous Inbound SIP Calls set to NO"

Change it back to yes, add a catch-all destination of _. in inbound routes, and pass this to hangup. This will save the "ss-noservice" (not in service) message, and won't ID your platform as FreePBX.

Make sure you have valid and precise entries for all other incoming DID.

Joe
 
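Added example (my own code, not from any poster here, PBX in a Flash or Fail2Ban) that ties together two points made above: Ward's note that the newer bots make only one or two attempts to stay under Fail2Ban's threshold, and Joe's advice to whitelist the family's ISP ranges. It parses the two log shapes quoted in this thread (the chan_sip "Registration from ... failed" NOTICE and the from-sip-external "unknown peer" NoOp), simulates a Fail2Ban jail with assumed maxretry=5 / findtime=600 (check your own jail.conf), and separately flags sources that stay under that threshold but still look like scanners: the 9-10 digit random usernames, several usernames spread out past findtime, or an anonymous INVITE to a foreign DID. The 10.20.30.0/24 whitelist, the RFC 5737 addresses and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# The two log shapes quoted in this thread (Asterisk 1.6/1.8 chan_sip and pbx.c).
REG_FAIL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'\"(?P<user>[^\"]*)\"\s*<sip:[^>]*>' failed for '(?P<ip>[\d.]+)(?::\d+)?'")
UNKNOWN_PEER = re.compile(
    r"^\[(?P<ts>[^\]]+)\] VERBOSE\[\d+\] pbx\.c: .*NoOp\(\"SIP/(?P<ip>[\d.]+)-[0-9a-f]+\", "
    r"\"Received incoming SIP connection from unknown peer to (?P<did>\d+)\"\)")
# The 9-10 digit usernames seen in the one-or-two-attempt probes quoted above.
RANDOM_NUMERIC_USER = re.compile(r"^\d{9,10}$")

def parse_timestamp(ts, default_year=2011):
    """Asterisk writes '2011-01-24 10:28:56' or the syslog-style 'Nov 19 05:27:22'
    (no year); the short form gets default_year, an assumption."""
    try:
        return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return datetime.strptime(f"{default_year} {ts}", "%Y %b %d %H:%M:%S")

def parse_line(line):
    """Return (timestamp, source ip, kind, username-or-DID), or None."""
    m = REG_FAIL.match(line)
    if m:
        return parse_timestamp(m["ts"]), m["ip"], "regfail", m["user"]
    m = UNKNOWN_PEER.match(line)
    if m:
        return parse_timestamp(m["ts"]), m["ip"], "unknown_peer", m["did"]
    return None

def analyze(lines, whitelist=(), maxretry=5, findtime=600):
    """banned: would trip a Fail2Ban jail (maxretry hits inside findtime seconds;
    assumed values, check your jail.conf).  low_and_slow: stays under that but
    still looks like a scanner.  whitelisted: inside a `whitelist` network."""
    nets = [ipaddress.ip_network(n) for n in whitelist]
    events = defaultdict(list)  # ip -> [(ts, kind, name)]
    whitelisted = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, ip, kind, name = ev
        if any(ipaddress.ip_address(ip) in n for n in nets):
            whitelisted.add(ip)
            continue
        events[ip].append((ts, kind, name))

    banned, low_and_slow = set(), {}
    for ip, evs in events.items():
        evs.sort()
        times = [t for t, _, _ in evs]
        # Fail2Ban-style sliding window over the sorted hit times.
        if any((times[i + maxretry - 1] - times[i]).total_seconds() <= findtime
               for i in range(len(times) - maxretry + 1)):
            banned.add(ip)
            continue
        reasons = []
        users = {n for _, k, n in evs if k == "regfail"}
        if any(RANDOM_NUMERIC_USER.match(u) for u in users):
            reasons.append("random numeric username probe")
        if len(users) >= 3:
            reasons.append(f"{len(users)} usernames tried, spread past findtime")
        dids = {n for _, k, n in evs if k == "unknown_peer"}
        if dids:
            reasons.append("anonymous INVITE to " + ", ".join(sorted(dids)))
        if reasons:
            low_and_slow[ip] = reasons
    return {"banned": banned, "low_and_slow": low_and_slow, "whitelisted": whitelisted}

def iptables_rules(ips):
    """DROP rules in the '-A INPUT -s a.b.c.d -j DROP' form quoted in this thread."""
    return [f"-A INPUT -s {ip} -j DROP" for ip in sorted(ips, key=ipaddress.ip_address)]

# Constructed sample log (RFC 5737 addresses); line shapes copied from the posts above.
SAMPLE_LOG = """\
[2011-01-24 10:28:56] NOTICE[3815] chan_sip.c: Registration from '"test"<sip:test@203.0.113.1>' failed for '192.0.2.55' - No matching peer found
[2011-01-24 10:28:56] NOTICE[3815] chan_sip.c: Registration from '"sip"<sip:sip@203.0.113.1>' failed for '192.0.2.55' - No matching peer found
[2011-01-24 10:28:56] NOTICE[3815] chan_sip.c: Registration from '"user"<sip:user@203.0.113.1>' failed for '192.0.2.55' - No matching peer found
[2011-01-24 10:28:57] NOTICE[3815] chan_sip.c: Registration from '"admin"<sip:admin@203.0.113.1>' failed for '192.0.2.55' - No matching peer found
[2011-01-24 10:28:57] NOTICE[3815] chan_sip.c: Registration from '"pass"<sip:pass@203.0.113.1>' failed for '192.0.2.55' - No matching peer found
[Jan 24 10:30:01] NOTICE[3815] chan_sip.c: Registration from '"4265182687"<sip:4265182687@203.0.113.1>' failed for '198.51.100.7' - No matching peer found
[Jan 24 10:30:02] NOTICE[3815] chan_sip.c: Registration from '"407799895"<sip:407799895@203.0.113.1>' failed for '198.51.100.7' - No matching peer found
[2011-01-24 11:00:00] NOTICE[3815] chan_sip.c: Registration from '"100" <sip:100@203.0.113.1>' failed for '192.0.2.200' - No matching peer found
[2011-01-24 11:15:00] NOTICE[3815] chan_sip.c: Registration from '"101" <sip:101@203.0.113.1>' failed for '192.0.2.200' - No matching peer found
[2011-01-24 11:30:00] NOTICE[3815] chan_sip.c: Registration from '"102" <sip:102@203.0.113.1>' failed for '192.0.2.200' - No matching peer found
[2011-01-24 12:00:00] VERBOSE[1281] pbx.c:     -- Executing [000442073479999@from-sip-external:1] NoOp("SIP/203.0.113.9-0000025c", "Received incoming SIP connection from unknown peer to 000442073479999") in new stack
[2011-01-24 12:05:00] NOTICE[3815] chan_sip.c: Registration from '"alice"<sip:alice@203.0.113.1>' failed for '10.20.30.40' - Wrong password
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines(), whitelist=["10.20.30.0/24"])
    print(result)
    print("\n".join(iptables_rules(result["banned"] | set(result["low_and_slow"]))))
```

Feed it the output of grep -h over /var/log/asterisk/full. The low-and-slow list is the one to eyeball before turning it into DROP rules: a family phone with a mistyped secret from a non-whitelisted address shows up there too, which is Ward's point about blacklists collecting legitimate addresses.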

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,221
Ward, how did my IP address get on this list?
-A INPUT -s 75.79.4.166 -j DROP

Not sure which list you are referring to. Many of the IP addresses came from one of the international blacklist organizations. I'm not a big fan of blacklists primarily because IP addresses turn over a lot and the bad guys invariably infiltrate the lists and post legitimate addresses. Either could account for how this particular address got on any particular list. We've had several of ours on various lists as well including the main PBX in a Flash IP address. :crazy:
 

rg00dman

Guru
Joined
May 25, 2010
Messages
38
Reaction score
0
Just wanted to add my voice to this

Just wanted to say that after seeing another thread about seeing asterisk in the call logs, I decided to read through this thread and realised that these were hack attempts. Like many others, Fail2Ban did not pick them up due to the type of attack. The ones against my system were not very many, but still more than I want to see, i.e. none!

As some of you will know, I am now hosting my parents' phones, so I had forwarded port 5060 to my server, and yes, in time I will probably set up Travelin' Man for their extensions and show my dad how to use it, but for now I simply put their dynamic IP address in the allow field. Anyway, back on topic: my router is running Tomato, which allows you to do port forwards based on incoming IP address, so I removed the blanket forward and set up one with just their IP address in it, and so far it seems to work. I will keep a close eye on the logs and see if I get any more hack attempts, which I shouldn't now.

I assume other routers have this feature as well.
 

gregc

Guru
Joined
Sep 8, 2008
Messages
433
Reaction score
3
Anyway, back on topic: my router is running Tomato, which allows you to do port forwards based on incoming IP address, so I removed the blanket forward and set up one with just their IP address in it, and so far it seems to work. I will keep a close eye on the logs and see if I get any more hack attempts, which I shouldn't now.

I assume other routers have this feature as well.

AKA white-listing. I too run tomato and have ports opened to just our providers and other office. Works wonderfully.

-Greg
 

blanchae

Guru
Joined
Mar 12, 2008
Messages
1,910
Reaction score
9
Here's an article on the 10 most common four-digit passcodes for the iPhone. What makes it interesting is that it would apply to SIP and IAX secrets also. In case the article goes away, here's the list in order of most common:

1. 1234
2. 0000
3. 2580
4. 1111
5. 5555
6. 5683 (spells love)
7. 0582
8. 2222
9. 1212
10. 1998

They also indicated that four-digit years from the past 20 years are very common, as the number tends to have significance to the user.

Here's another report that analyzed 32 million Internet passwords (pdf) with the top ten being:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess - really?
7. rockyou
8. 1234567
9. 12345678
10. abc123
 
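Added example (mine, not code from blanchae's post, FreePBX or Asterisk) that turns the two lists above into a check you can run against sip_additional.conf or iax.conf: it strips ';' comments the way Asterisk does, walks the [peer] sections and reports every secret= that is on either top-ten list, is a four-digit year from the last 20 years, is all digits, is shorter than 10 characters, or is one repeated character. The sample config, the peer names and the 10-character floor are constructed assumptions; the 20-year window follows the article's observation.

```python
import re
from datetime import date

# The two top-ten lists quoted in the post above.
COMMON_PINS = {"1234", "0000", "2580", "1111", "5555", "5683", "0582", "2222", "1212", "1998"}
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password", "iloveyou",
                    "princess", "rockyou", "1234567", "12345678", "abc123"}

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]")
SECRET_RE = re.compile(r"^\s*secret\s*=\s*(.*?)\s*$")

def weaknesses(secret, reference_year=None):
    """Reasons a SIP/IAX secret is weak; an empty list means no finding."""
    year = reference_year or date.today().year
    s = secret.strip()
    if not s:
        return ["empty secret"]
    reasons = []
    if s in COMMON_PINS:
        reasons.append("top-10 iPhone passcode")
    if s.lower() in COMMON_PASSWORDS:
        reasons.append("top-10 leaked password")
    if s.isdigit() and len(s) == 4 and year - 20 <= int(s) <= year:
        reasons.append("four-digit year from the last 20 years")
    if s.isdigit() and len(s) <= 6:
        # A 6-digit space is 10^6 guesses, well within reach of the
        # REGISTER floods logged earlier in this thread.
        reasons.append(f"all-digit secret of {len(s)} digits")
    if len(s) < 10:
        reasons.append("shorter than 10 characters")
    if len(set(s)) == 1:
        reasons.append("repeated single character")
    return reasons

def audit_config(text, reference_year=None):
    """Map each [peer] section with a weak secret= to its list of reasons.
    Inline ';' comments are stripped first, as Asterisk's parser does."""
    findings, section = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = SECRET_RE.match(line.split(";", 1)[0])
        if m and section:
            reasons = weaknesses(m.group(1), reference_year)
            if reasons:
                findings[section] = reasons
    return findings

# Constructed sample in sip.conf syntax; peers and secrets are made up.
SAMPLE_SIP_CONF = """\
[general]
context=from-sip-external
allowguest=no

[201]
type=friend
secret=1234      ; vendor default left in place
host=dynamic

[202]
type=friend
secret=2011
host=dynamic

[203]
type=friend
secret=iloveyou
host=dynamic

[204]
type=friend
secret=Yx7!pQ2vL9mA3sE   ; 16 random characters
host=dynamic
"""

if __name__ == "__main__":
    for peer, why in audit_config(SAMPLE_SIP_CONF).items():
        print(f"[{peer}] weak secret: {'; '.join(why)}")
```

Run it with the real file as input (python3 audit.py < /etc/asterisk/sip_additional.conf after swapping SAMPLE_SIP_CONF for sys.stdin.read()); the extension numbers alone are not a finding, only the secret= values are.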

blanchae

Guru
Joined
Mar 12, 2008
Messages
1,910
Reaction score
9
For wireless networks and Bluetooth PANs, good names are "Alert-Virus-downloading!" or "Trojan_Horse_Activating". That usually discourages people from hacking.
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
One wifi network I saw recently

Use-My-Network-and-I-Kill-Your-Cat

Wifi owner must have had issues.

Joe
 

thefuzz4

Member
Joined
Apr 30, 2011
Messages
71
Reaction score
4
Gvoice and the any/any incoming hangup destination

So after reading through the whole thread this is a really good read.
My setup has my Asterisk box listening on a different port, and I do have holes punched through my firewall for this due to the fact that I use my Android phone to connect to Asterisk. So far, since I stuck it on some random port, my logs are clean.

The one thing that I would like to do, though, is set up the any/any inbound route. When I attempted to set this up on my system, all new inbound GVoice calls had issues and they wouldn't go anywhere.

I noticed that with the setup I have, there is an inbound route for GVoice with no DID specified. I tried to create an inbound route for my GVoice number, but no luck with that.

Anyone got a good solution for setting this up with gvoice? Thanks.
 

blanchae

Guru
Joined
Mar 12, 2008
Messages
1,910
Reaction score
9
thefuzz4

I suggest starting a new thread under the help section. You will be more likely to get help there. (Posting your problem here is called hijacking a thread)
 
