ALERT please report hacks

phinphan

Active Member
Joined
Oct 19, 2007
Messages
641
Reaction score
130
I noticed in my CDR a large number of SIP calls from 211.100.41.168. Around 100 over a few-minute period yesterday. I banned the whole 211.0.0.0 network at the firewall but will implement the any/any suggestion above. Each call was for exactly 20 seconds. I also checked my avantfax server, which runs on a separate IP address, and it was probed from the same IP addresses.
 
Joined
Nov 2, 2007
Messages
498
Reaction score
0
I too am seeing increased activity.....

Along with the telltale CDR:
2010-01-10 16:53:48 SIP/211.100.41.168-0912d9c0 sip "sip" <sip> s ANSWERED 13
2010-01-10 16:53:49 SIP/211.100.41.168-091359d8 sip "sip" <sip> s ANSWERED 12
2010-01-10 16:53:50 SIP/211.100.41.168-090d7258 sip "sip" <sip> s ANSWERED 12
2010-01-10 16:53:51 SIP/211.100.41.168-09153968 sip "sip" <sip> s ANSWERED 12
2010-01-10 16:53:52 SIP/211.100.41.168-091578e0 sip "sip" <sip> s ANSWERED 12
2010-01-10 16:54:39 SIP/117.34.72.42-090a17e8 sip "sip" <sip> s ANSWERED 13
2010-01-10 16:54:40 SIP/117.34.72.42-090d7258 sip "sip" <sip> s ANSWERED 13
2010-01-10 16:54:41 SIP/117.34.72.42-09112748 sip "sip" <sip> s ANSWERED 12
2010-01-10 16:54:42 SIP/117.34.72.42-0907e280 sip "sip" <sip> s ANSWERED 12
2010-01-10 16:54:43 SIP/117.34.72.42-090c64f0 sip "sip" <sip> s ANSWERED 12
2010-01-10 16:54:44 SIP/117.34.72.42-09099fe0 sip "sip" <sip> s ANSWERED 12
2010-01-10 16:54:44 SIP/117.34.72.42-09032318 sip
I also see (sorry about formatting...):
Code:
--------------------- httpd Begin ------------------------
 Requests with error response codes
    400 Bad Request
       /w00tw00t.at.ISC.SANS.DFind:): 1 Time(s)
    401 Unauthorized
       //admin/config/config.inc.php?p=phpinfo();: 1 Time(s)
       /admin/config.php: 3 Time(s)
       /panel/index_amp.php?context=: 3 Time(s)
    404 Not Found
       //PHPMYADMIN/config/config.inc.php?p=phpinfo();: 1 Time(s)
       //dbadmin/config/config.inc.php?p=phpinfo();: 1 Time(s)
       //myadmin/config/config.inc.php?p=phpinfo();: 1 Time(s)
       //mysql/config/config.inc.php?p=phpinfo();: 1 Time(s)
       //p/m/a/config/config.inc.php?p=phpinfo();: 1 Time(s)
       //php-my-admin/config/config.inc.php?p=phpinfo();: 1 Time(s)
       //phpMyAdmin/config/config.inc.php?p=phpinfo();: 1 Time(s)
       //phpmyadmin/config/config.inc.php?p=phpinfo();: 1 Time(s)
       //pma/config/config.inc.php?p=phpinfo();: 1 Time(s)
       /e4/thumbnail/single_160x120/29496.jpg?cb=20081022-1: 1 Time(s)
       /user/index.php: 2 Time(s)
       http://proxyjudge1.proxyfire.net/fastenv: 1 Time(s)
---------------------- httpd End -------------------------
The last line is somewhat nefarious. It looks like an attempt to get detailed system info. Try the link yourself and then imagine if a cracker could get that to run from inside your box and report back to an outside IP.

Then it would just be a matter of looking up a table of vulnerabilities.
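The two posts above describe the same pattern: dozens of calls from one source in a few minutes, each answered and lasting roughly 12 to 20 seconds, which is what a scanner gets when the unknown-peer path in from-sip-external answers, plays ss-noservice and hangs up (jpe's trace further down shows that path). The following is an added example, not code from either poster: it parses lines in the layout of the CDR excerpt above and flags any source IP with a burst of short answered calls. The sample lines are constructed (the entries above plus one ordinary call from the documentation address 192.0.2.10), and the window and thresholds are assumptions to tune for your own call volume.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the CDR excerpt above; the last line is an
# ordinary call from a documentation address, added so the filter has something to ignore.
SAMPLE_CDR = """\
2010-01-10 16:53:48 SIP/211.100.41.168-0912d9c0 sip "sip" <sip> s ANSWERED 13
2010-01-10 16:53:49 SIP/211.100.41.168-091359d8 sip "sip" <sip> s ANSWERED 12
2010-01-10 16:53:50 SIP/211.100.41.168-090d7258 sip "sip" <sip> s ANSWERED 12
2010-01-10 16:53:51 SIP/211.100.41.168-09153968 sip "sip" <sip> s ANSWERED 12
2010-01-10 16:53:52 SIP/211.100.41.168-091578e0 sip "sip" <sip> s ANSWERED 12
2010-01-10 16:54:39 SIP/117.34.72.42-090a17e8 sip "sip" <sip> s ANSWERED 13
2010-01-10 16:54:40 SIP/117.34.72.42-090d7258 sip "sip" <sip> s ANSWERED 13
2010-01-10 17:10:05 SIP/192.0.2.10-0a1b2c3d 2001 "Alice" <2001> 5551234 ANSWERED 245
"""

# date time  SIP/<source ip>-<channel id>  src  clid  dst  disposition  duration
CDR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"SIP/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-[0-9a-f]+ .* "
    r"(?P<disp>ANSWERED|NO ANSWER|BUSY|FAILED) (?P<dur>\d+)$"
)


def parse_cdr(text):
    """Yield (timestamp, source_ip, disposition, duration_seconds) for each well-formed line."""
    for line in text.splitlines():
        m = CDR_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["ip"], m["disp"], int(m["dur"]))


def find_bursts(records, window_seconds=60, min_calls=3, max_duration=20):
    """Return {ip: (calls, first_ts, last_ts)} for every source IP that placed at least
    min_calls answered calls of at most max_duration seconds inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, disp, dur in records:
        if disp == "ANSWERED" and dur <= max_duration:
            by_ip[ip].append(ts)
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= min_calls and count > bursts.get(ip, (0,))[0]:
                bursts[ip] = (count, times[start], times[end])
    return bursts


if __name__ == "__main__":
    for ip, (count, first, last) in find_bursts(parse_cdr(SAMPLE_CDR)).items():
        print(f"{ip}: {count} short answered calls between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Only 211.100.41.168 is reported: 117.34.72.42 has just two calls in the sample, and the 245-second call from 192.0.2.10 is too long to count. Feed it the real CDR (the Master.csv fields are the same, in a different layout) to get the list of sources worth adding to the firewall.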
 

jpe

Member
Joined
Nov 14, 2007
Messages
149
Reaction score
0
got an attempt to place call

Code:
    -- Executing [011442073479999@from-sip-external:1] NoOp("SIP/113.105.152.102-b7d1e5e0", "Received incoming SIP connection from unknown peer to 011442073479999") in new stack
    -- Executing [011442073479999@from-sip-external:2] Set("SIP/113.105.152.102-b7d1e5e0", "DID=011442073479999") in new stack
    -- Executing [011442073479999@from-sip-external:3] Goto("SIP/113.105.152.102-b7d1e5e0", "s|1") in new stack
    -- Goto (from-sip-external,s,1)
    -- Executing [s@from-sip-external:1] GotoIf("SIP/113.105.152.102-b7d1e5e0", "0?from-trunk|011442073479999|1") in new stack
    -- Executing [s@from-sip-external:2] Set("SIP/113.105.152.102-b7d1e5e0", "TIMEOUT(absolute)=15") in new stack
    -- Channel will hangup at 2010-07-06 22:02:15 UTC.
    -- Executing [s@from-sip-external:3] Answer("SIP/113.105.152.102-b7d1e5e0", "") in new stack
    -- Executing [s@from-sip-external:4] Wait("SIP/113.105.152.102-b7d1e5e0", "2") in new stack
    -- Executing [s@from-sip-external:5] Playback("SIP/113.105.152.102-b7d1e5e0", "ss-noservice") in new stack
    -- <SIP/113.105.152.102-b7d1e5e0> Playing 'ss-noservice' (language 'en')
    -- Executing [s@from-sip-external:6] PlayTones("SIP/113.105.152.102-b7d1e5e0", "congestion") in new stack
    -- Executing [s@from-sip-external:7] Congestion("SIP/113.105.152.102-b7d1e5e0", "5") in new stack
  == Spawn extension (from-sip-external, s, 7) exited non-zero on 'SIP/113.105.152.102-b7d1e5e0'

sorry, no love for you Mr. Trynamakefreecallsonmybill.
 

phonebuff

Guru
Joined
Feb 7, 2008
Messages
1,117
Reaction score
129
The last Trixbox I have

Had an attack on a SIP server from this IP today.

Had 14,350 transaction attempts between [Aug 3 16:23:03] and [Aug 3 16:39:57] from 204.147.180.37

Code:
[Aug  3 16:23:03] NOTICE[2482] chan_sip.c: Registration from '"3944873542"<sip:3944873542@............>' failed for '204.147.180.37' - No matching peer found
....................................................
[Aug  3 16:39:57] NOTICE[2482] chan_sip.c: Registration from '"2204" <sip:2204@............>' failed for '204.147.180.37' - Wrong password
 

buddyspike

New Member
Joined
Apr 15, 2009
Messages
2
Reaction score
0
Suspicious activity?

I have noticed some strange behaviour over the last two weeks where PBX users were reporting dropped calls after 15-20 seconds. After reviewing the logs I found entries like this one right around the time the mysterious dropped-calls behaviour seemed to spring up; they then disappeared on their own ...

[2010-08-03 07:58:26] NOTICE[1326] chan_sip.c: Registration from '"2706828744"<sip:2706828744@.........>' failed for '87.234.250.31' - No matching peer found
[2010-08-03 08:02:03] WARNING[1326] chan_sip.c: Remote host can't match request NOTIFY to call '[email protected]'. Giving up.
[2010-08-03 08:02:17] WARNING[1326] chan_sip.c: Remote host can't match request NOTIFY to call '[email protected]'. Giving up.
[2010-08-03 08:05:04] WARNING[1326] chan_sip.c: Remote host can't match request NOTIFY to call '[email protected]'. Giving up.
[2010-08-03 08:09:48] WARNING[1326] chan_sip.c: Remote host can't match request NOTIFY to call '[email protected]'. Giving up.
[2010-08-03 08:19:48] WARNING[1326] chan_sip.c: Remote host can't match request NOTIFY to call '[email protected]'. Giving up.
[2010-08-03 08:29:50] WARNING[1326] chan_sip.c: Remote host can't match request NOTIFY to call '[email protected]'. Giving up.
[2010-08-03 08:38:30] WARNING[1326] chan_sip.c: Maximum retries exceeded on transmission f65f45ae-199e-122e-1e94-0011259e2cd8 for seqno 83512 (Critical Response)
[2010-08-03 08:38:30] WARNING[1326] chan_sip.c: Hanging up call f65f45ae-199e-122e-1e94-0011259e2cd8 - no reply to our critical packet.
[2010-08-03 08:39:35] WARNING[1326] chan_sip.c: Maximum retries exceeded on transmission 1d597a8a-199f-122e-1e94-0011259e2cd8 for seqno 83545 (Critical Response)
[2010-08-03 08:39:35] WARNING[1326] chan_sip.c: Hanging up call 1d597a8a-199f-122e-1e94-0011259e2cd8 - no reply to our critical packet.
[2010-08-03 08:39:50] WARNING[1326] chan_sip.c: Remote host can't match request NOTIFY to call '[email protected]'. Giving up.
[2010-08-03 08:47:25] WARNING[1326] chan_sip.c: Remote host can't match request NOTIFY to call '[email protected]'. Giving up.
[2010-08-03 08:49:52] WARNING[1326] chan_sip.c: Remote host can't match request NOTIFY to call '[email protected]'. Giving up.
[2010-08-03 08:53:28] WARNING[1326] chan_sip.c: Remote host can't match request NOTIFY to call '[email protected]'. Giving up.
[2010-08-03 08:59:31] WARNING[1326] chan_sip.c: Remote host can't match request NOTIFY to call '[email protected]'. Giving up.
[2010-08-03 08:59:52] WARNING[1326] chan_sip.c: Remote host can't match request NOTIFY to call '[email protected]'. Giving up.
[2010-08-03 11:59:11] WARNING[10938] app_dial.c: Unable to create channel of type 'SIP' (cause 3 - No route to destination)
[2010-08-03 12:46:20] WARNING[10959] app_dial.c: Unable to create channel of type 'SIP' (cause 3 - No route to destination)
[2010-08-03 14:12:43] WARNING[10989] file.c: Failed to write frame
[2010-08-03 14:45:10] WARNING[10999] file.c: Failed to write frame
[2010-08-03 14:45:47] WARNING[11005] app_dial.c: Unable to create channel of type 'SIP' (cause 3 - No route to destination)
[2010-08-03 14:47:36] WARNING[11015] app_dial.c: Unable to create channel of type 'SIP' (cause 3 - No route to destination)
[2010-08-03 14:48:40] WARNING[11010] file.c: Failed to write frame
[2010-08-03 14:48:40] WARNING[11010] file.c: Failed to write frame
[2010-08-03 15:12:15] WARNING[11035] app_dial.c: Unable to create channel of type 'SIP' (cause 3 - No route to destination)
[2010-08-03 15:12:17] WARNING[11036] app_dial.c: Unable to create channel of type 'SIP' (cause 3 - No route to destination)
[2010-08-03 15:12:52] NOTICE[1326] chan_sip.c: Registration from '"3040370456"<sip:3040370456@.........>' failed for '66.197.141.197' - No matching peer found

This last one above is particularly strange: "[2010-08-03 15:12:52] NOTICE[1326] chan_sip.c: Registration from '"3040370456"<sip:3040370456@.........>' failed for '66.197.141.197' - No matching peer found". I found this same IP trying to connect around the same time to several other different PBX boxes that are not related to one another.

Could someone please provide feedback if this makes sense? It looks like someone is trying to hack SIP. I have added an Any/Any entry in our incoming routes with a 'blank' entry for DID that points to Terminate Call ==> hang up. Are there any other precautions I should take?
 

The Deacon

Guru
Joined
Jan 29, 2008
Messages
296
Reaction score
14
I'm seeing a bunch of activity against my server again:

Code:
[2010-08-13 14:23:42] NOTICE[9188] chan_sip.c: Registration from '"3743757880"<sip:[email protected]>' failed for '141.223.127.157' - No matching peer found
[2010-08-13 14:23:43] NOTICE[9188] chan_sip.c: Registration from '"422845497"<sip:[email protected]>' failed for '141.223.127.157' - No matching peer found
[2010-08-13 14:23:53] NOTICE[9188] chan_sip.c: Registration from '"422845497" <sip:[email protected]>' failed for '141.223.127.157' - No matching peer found
[2010-08-13 14:23:53] NOTICE[9188] chan_sip.c: Registration from '"422845497" <sip:[email protected]>' failed for '141.223.127.157' - No matching peer found
<SNIP>
[2010-08-13 14:53:59] NOTICE[9188] chan_sip.c: Registration from '"422845497" <sip:[email protected]>' failed for '141.223.127.157' - No matching peer found
[2010-08-13 14:53:59] NOTICE[9188] chan_sip.c: Registration from '"422845497" <sip:[email protected]>' failed for '141.223.127.157' - No matching peer found
 

MyKroFt

Guru
Joined
Oct 31, 2008
Messages
659
Reaction score
3
This has been happening for over 12 hrs now. fail2ban has been catching it, but I just permanently added the IP to the firewall; got tired of getting the email msgs on my phone :)

Code:
[2010-08-29 09:35:33] NOTICE[23120] chan_sip.c: Registration from '"172" <sip:[email protected]>' failed for '82.210.9.48' - No matching peer found
[2010-08-29 09:35:33] NOTICE[23120] chan_sip.c: Registration from '"172" <sip:[email protected]>' failed for '82.210.9.48' - No matching peer found
[2010-08-29 09:35:34] NOTICE[23120] chan_sip.c: Registration from '"172" <sip:[email protected]>' failed for '82.210.9.48' - No matching peer found
[2010-08-29 09:35:34] NOTICE[23120] chan_sip.c: Registration from '"172" <sip:[email protected]>' failed for '82.210.9.48' - No matching peer found
[2010-08-29 09:35:34] NOTICE[23120] chan_sip.c: Registration from '"172" <sip:[email protected]>' failed for '82.210.9.48' - No matching peer found
[2010-08-29 09:35:34] NOTICE[23120] chan_sip.c: Registration from '"172" <sip:[email protected]>' failed for '82.210.9.48' - No matching peer found
 

angoyr

Guru
Joined
Apr 1, 2008
Messages
171
Reaction score
0
MyKroFt,

That doesn't look like a serious threat to me. Most times the hackers would try different extension numbers. They wouldn't try the same extension multiple times unless you do have an extension 172 and they are trying different passwords. Check to see if you have a remote extension trying to register with the wrong password. If you don't have external devices registering to your server, you should consider changing your configuration.
You can also set fail2ban to "permanently" ban the IP address with "-1" for the "bantime". Permanently is really until you reboot or restart iptables.

One more thing. You may want to edit your post and mask your IP address. The crooks do read these posts to see where the holes are.


Good Luck,

Robin
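phonebuff's log above ends with a different failure reason: after thousands of "No matching peer found" lines, "2204" fails with "Wrong password", which tells the attacker (and the defender) that 2204 is a real peer. angoyr's rule of thumb in this post, one name repeated versus many different names, is the other signal. The following added example, not code from any poster, turns both into a check over chan_sip registration notices. The sample lines are constructed in the format of the logs posted in this thread, with documentation addresses and the host pbx.example.com in place of the obfuscated ones; the threshold of three distinct names for calling something a sweep is an assumption.

```python
import re
from collections import defaultdict

# Constructed lines in the format of the chan_sip notices posted in this thread
# (documentation addresses; both timestamp styles that appear in the thread).
SAMPLE_LOG = """\
[Aug  3 16:23:03] NOTICE[2482] chan_sip.c: Registration from '"3944873542"<sip:3944873542@pbx.example.com>' failed for '203.0.113.7' - No matching peer found
[Aug  3 16:23:03] NOTICE[2482] chan_sip.c: Registration from '"100"<sip:100@pbx.example.com>' failed for '203.0.113.7' - No matching peer found
[Aug  3 16:23:04] NOTICE[2482] chan_sip.c: Registration from '"101"<sip:101@pbx.example.com>' failed for '203.0.113.7' - No matching peer found
[Aug  3 16:23:04] NOTICE[2482] chan_sip.c: Registration from '"admin"<sip:admin@pbx.example.com>' failed for '203.0.113.7' - No matching peer found
[Aug  3 16:23:05] NOTICE[2482] chan_sip.c: Registration from '"2204" <sip:2204@pbx.example.com>' failed for '203.0.113.7' - Wrong password
[Aug  3 16:23:05] NOTICE[2482] chan_sip.c: Registration from '"2204" <sip:2204@pbx.example.com>' failed for '203.0.113.7' - Wrong password
[2010-08-29 09:35:33] NOTICE[23120] chan_sip.c: Registration from '"172" <sip:172@pbx.example.com>' failed for '198.51.100.9' - No matching peer found
[2010-08-29 09:35:33] NOTICE[23120] chan_sip.c: Registration from '"172" <sip:172@pbx.example.com>' failed for '198.51.100.9' - No matching peer found
[2010-08-29 09:35:34] NOTICE[23120] chan_sip.c: Registration from '"172" <sip:172@pbx.example.com>' failed for '198.51.100.9' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"123"<sip:123@pbx.example.com>' failed for '192.0.2.200' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"1234"<sip:1234@pbx.example.com>' failed for '192.0.2.200' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"test"<sip:test@pbx.example.com>' failed for '192.0.2.200' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"guest"<sip:guest@pbx.example.com>' failed for '192.0.2.200' - No matching peer found
"""

# [timestamp] NOTICE[pid] chan_sip.c: Registration from '"name"<sip:...>' failed for 'ip' - reason
REG_FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'\"(?P<user>[^\"]*)\"\s*<sip:[^>]*>' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})' - (?P<reason>.+)$"
)


def parse_registration_failures(text):
    """Yield (source_ip, attempted_name, reason) for each matching notice."""
    for line in text.splitlines():
        m = REG_FAIL_RE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["reason"]


def classify_sources(records, enumeration_threshold=3):
    """Summarise per source IP what its failures reveal:
    password-guessing     - a 'Wrong password' means the name is a real peer and the attacker knows it
    enumeration           - many distinct names, none of which exist
    repeated-unknown-peer - one non-existent name over and over (often a misconfigured phone)"""
    stats = defaultdict(lambda: {"attempts": 0, "names": set(), "real_peers": set()})
    for ip, name, reason in records:
        s = stats[ip]
        s["attempts"] += 1
        s["names"].add(name)
        if reason == "Wrong password":
            s["real_peers"].add(name)
    verdicts = {}
    for ip, s in stats.items():
        if s["real_peers"]:
            kind = "password-guessing"
        elif len(s["names"]) >= enumeration_threshold:
            kind = "enumeration"
        else:
            kind = "repeated-unknown-peer"
        verdicts[ip] = {"kind": kind, "attempts": s["attempts"],
                        "names": sorted(s["names"]), "real_peers": sorted(s["real_peers"])}
    return verdicts


if __name__ == "__main__":
    for ip, v in classify_sources(parse_registration_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {v['kind']} ({v['attempts']} attempts, {len(v['names'])} names, "
              f"real peers found: {v['real_peers']})")
```

The "password-guessing" verdict is the one to act on first: the attacker has a valid peer name and is now only short of its secret, so change that secret and block the source. Whether the attacker sees the same difference on the wire depends on alwaysauthreject in sip.conf: with it set to yes, chan_sip sends the same response for an unknown peer and for a wrong password, while the log still records the real reason for you. Its default has depended on the Asterisk version, so set it explicitly.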
 

jpe

Member
Joined
Nov 14, 2007
Messages
149
Reaction score
0
Some clips from a day's log files showing people up to no good. So far it looks like the system is keeping them at bay. There are at least a hundred or two attempts from about a dozen IPs in this log file.

I'm pretty sure they change IPs daily. Is there some database being kept of them?

I think Security should have its own forum so issues can be itemized.

Code:
[2010-08-26 03:26:46] VERBOSE[15873] logger.c:     -- Executing [828442073479999@from-sip-external:1] NoOp("SIP/218.29.188.104-b7cf16c8", "Received incoming SIP connection from unknown peer to 828442073479999") in new stack
[2010-08-26 03:26:46] VERBOSE[15874] logger.c:     -- Executing [001442073479999@from-sip-external:1] NoOp("SIP/218.29.188.104-b7cf65c0", "Received incoming SIP connection from unknown peer to 001442073479999") in new stack
[2010-08-26 03:26:46] VERBOSE[15875] logger.c:     -- Executing [0442073479999@from-sip-external:1] NoOp("SIP/218.29.188.104-b7cfb4b8", "Received incoming SIP connection from unknown peer to 0442073479999") in new stack
[2010-08-26 03:26:46] VERBOSE[15876] logger.c:     -- Executing [869442073479999@from-sip-external:1] NoOp("SIP/218.29.188.104-b7200408", "Received incoming SIP connection from unknown peer to 869442073479999") in new stack

Code:
[2010-08-26 02:23:46] VERBOSE[11746] logger.c:     -- Executing [s@from-sip-external:5] Playback("SIP/218.16.119.152-b7c9eab8", "ss-noservice") in new stack
[2010-08-26 02:23:46] VERBOSE[11747] logger.c:     -- Executing [s@from-sip-external:5] Playback("SIP/218.16.119.152-b7ca2a30", "ss-noservice") in new stack
[2010-08-26 02:23:46] VERBOSE[11750] logger.c:     -- Executing [s@from-sip-external:5] Playback("SIP/218.16.119.152-b7cae898", "ss-noservice") in new stack
[2010-08-26 02:23:46] VERBOSE[11751] logger.c:     -- Executing [s@from-sip-external:5] Playback("SIP/218.16.119.152-b7cb2810", "ss-noservice") in new stack
[2010-08-26 02:23:46] VERBOSE[11752] logger.c:     -- Executing [s@from-sip-external:5] Playback("SIP/218.16.119.152-b7cb6788", "ss-noservice") in new stack

Code:
[2010-08-26 03:44:56] VERBOSE[16876] logger.c:     -- Executing [s@from-sip-external:5] Playback("SIP/121.12.127.75-b7c057a8", "ss-noservice") in new stack
[2010-08-26 03:44:56] VERBOSE[16877] logger.c:     -- Executing [s@from-sip-external:5] Playback("SIP/121.12.127.75-b7c06d38", "ss-noservice") in new stack
[2010-08-26 03:44:56] VERBOSE[16878] logger.c:     -- Executing [s@from-sip-external:5] Playback("SIP/121.12.127.75-b7ca28f8", "ss-noservice") in new stack
[2010-08-26 03:44:56] VERBOSE[16879] logger.c:     -- Executing [s@from-sip-external:5] Playback("SIP/121.12.127.75-b7ca6870", "ss-noservice") in new stack
[2010-08-26 03:44:56] VERBOSE[16880] logger.c:     -- Executing [s@from-sip-external:5] Playback("SIP/121.12.127.75-b7caa7e8", "ss-noservice") in new stack

Mac User Tip: Use the Console app to read your log files.
 

rossiv

Guru
Joined
Oct 26, 2008
Messages
2,624
Reaction score
139
Hmm...just checking logs and found this:
Code:
Requests with error response codes
    404 Not Found
       /asteridex4: 1 Time(s)
       /cgi-bin/awstats.pl?config=PBXinaFlash: 5 Time(s)
       /din.aspx?s=00000000&client=DynGate&rnd=318386520&p=10000001: 1 Time(s)
       /din.aspx?s=00000000&client=DynGate&rnd=42666159&p=10000001: 1 Time(s)
       http://125.45.109.166/proxyheader.php: 1 Time(s)
       http://218.10.111.119/check.php: 1 Time(s)
       http://cashads4u.com/eg/proxyheader.php: 1 Time(s)
       http://www.infodownload.info/proxyheader.php: 1 Time(s)
       http://www.piggmail.com/proxyheader.php: 1 Time(s)

 Requests with error response codes
    400 Bad Request
       /w00tw00t.at.ISC.SANS.DFind:): 1 Time(s)
    401 Unauthorized
       /admin: 2 Time(s)
       /admin/config.php?display=ringgroups&extdisplay=GRP-700: 1 Time(s)
       /admin/main.php: 2 Time(s)
    404 Not Found
       /PMA/main.php: 1 Time(s)
       /cgi-bin/awstats.pl?config=PBXinaFlash: 4 Time(s)
       /db/main.php: 1 Time(s)
       /din.aspx?s=00000000&client=DynGate&rnd=228837888&p=10000001: 1 Time(s)
       /myadmin/main.php: 1 Time(s)
       /mysql/main.php: 1 Time(s)
       /phpMyAdmin/main.php: 1 Time(s)
       /phpadmin/main.php: 1 Time(s)
       /phpmyadmin/main.php: 1 Time(s)
       /pma/main.php: 1 Time(s)
       /webadmin/main.php: 1 Time(s)
       http://images4.byinter.net/PL3303337.gif: 1 Time(s)
       http://proxyjudge1.proxyfire.net/fastenv: 1 Time(s)
       http://seekerfeed.com/proxyheader.php: 3 Time(s)
       http://www.kanzuqiu.com/proxyheader.php: 1 Time(s)
       http://www.piggmail.com/proxyheader.php: 1 Time(s)
       http://www.wantsfly.com/getip.php?hash=4AF ... 6F1766AC22A63CE: 1 Time(s)


 Requests with error response codes
    401 Unauthorized
       /admin/common/encrypt.js: 1 Time(s)
       /admin/common/print.css: 1 Time(s)
       /admin/panel.php: 1 Time(s)
       /panel/index_amp.php?: 1 Time(s)
       /panel/variables.txt?: 1 Time(s)
    404 Not Found
       /cgi-bin/awstats.pl?config=PBXinaFlash: 3 Time(s)
       /din.aspx?s=00000000&client=DynGate&rnd=101295980&p=10000001: 1 Time(s)
       http://218.10.111.119/check.php: 2 Time(s)
       http://proxyjudge1.proxyfire.net/fastenv: 1 Time(s)
       http://proxyjudge2.proxyfire.net/fastenv: 1 Time(s)
       http://www.piggmail.com/proxyheader.php: 2 Time(s)
       http://www.quickebuy.com/505.php: 1 Time(s)
       http://www.scanproxy.com:80/p-9080.html: 1 Time(s)

Was I hacked? I have no unusual calls, but just those in the Root mailbox logwatch.
 

tm1000

Schmoozecom INC/FreePBX
Joined
Dec 1, 2009
Messages
1,360
Reaction score
78
rossiv said:
Hmm...just checking logs and found this: [logwatch excerpt quoted from rossiv's post above]
Was I hacked? I have no unusual calls, but just those in the Root mailbox logwatch.

No you weren't but why in the name of God do you have http open to the outside world!

These are attacks where people are trying to get into your system by checking to see what you have open or if you have viruses. It's normal internet traffic

Please close http or move the port to like port 81 or 83. AVOID 80!
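rossiv's question ("Was I hacked?") and tm1000's answer can be turned into a check. The following is an added example, not code from either poster: it parses the logwatch error-code summary in the layout posted above and labels each request. Most of the list really is background noise (phpMyAdmin guesses, the DFind "w00tw00t" string, and absolute-URL requests, which are probes for an open proxy), but the 401s on /admin and /panel are the FreePBX GUI answering an authentication challenge to an unauthenticated internet client, and that is the finding that matters. The labels are mine; the sample summary uses paths from the post above with constructed counts.

```python
import re
from collections import Counter

# Constructed logwatch excerpt in the layout posted above (paths from the thread, counts made up).
SAMPLE_LOGWATCH = """\
 Requests with error response codes
    400 Bad Request
       /w00tw00t.at.ISC.SANS.DFind:): 1 Time(s)
    401 Unauthorized
       /admin: 2 Time(s)
       /admin/config.php?display=ringgroups&extdisplay=GRP-700: 1 Time(s)
       /panel/variables.txt?: 1 Time(s)
    404 Not Found
       /PMA/main.php: 1 Time(s)
       /phpmyadmin/main.php: 1 Time(s)
       /mysql/main.php: 1 Time(s)
       /cgi-bin/awstats.pl?config=PBXinaFlash: 4 Time(s)
       http://proxyjudge1.proxyfire.net/fastenv: 1 Time(s)
       http://www.piggmail.com/proxyheader.php: 2 Time(s)
"""

STATUS_RE = re.compile(r"^(\d{3}) [A-Za-z ]+$")          # "404 Not Found"
REQUEST_RE = re.compile(r"^(\S+): (\d+) Time\(s\)$")     # "/path: 3 Time(s)"
PMA_RE = re.compile(r"(?i)(phpmyadmin|/pma/|myadmin|/mysql/|dbadmin|config\.inc\.php)")


def parse_logwatch(text):
    """Yield (status_code, request_path, hits) from a logwatch httpd error-code summary."""
    status = None
    for raw in text.splitlines():
        line = raw.strip()
        m = STATUS_RE.match(line)
        if m:
            status = int(m.group(1))
            continue
        m = REQUEST_RE.match(line)
        if m and status is not None:
            yield status, m.group(1), int(m.group(2))


def classify(status, path):
    """Label one request; most specific rule first."""
    if path.startswith(("http://", "https://")):
        return "open-proxy probe"       # absolute URI: testing whether this server relays requests
    if "w00tw00t" in path:
        return "DFind scanner"
    if PMA_RE.search(path):
        return "phpMyAdmin scan"
    if status == 401 and path.startswith(("/admin", "/panel")):
        return "admin GUI reachable"    # the PBX GUI sent an auth challenge to an internet client
    return "other"


def summarize(text):
    """Return {label: total hits}; anything under 'admin GUI reachable' needs a firewall change."""
    totals = Counter()
    for status, path, hits in parse_logwatch(text):
        totals[classify(status, path)] += hits
    return dict(totals)


if __name__ == "__main__":
    for label, hits in sorted(summarize(SAMPLE_LOGWATCH).items(), key=lambda kv: -kv[1]):
        print(f"{hits:4d}  {label}")
```

Moving the listener to port 81 or 83 only hides it from scanners that never look past port 80; restricting the HTTP listener to internal source addresses at the firewall makes the "admin GUI reachable" count go to zero, which is the number to watch.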
 

vcallaway

Guru
Joined
May 6, 2008
Messages
170
Reaction score
2
Just had an interesting hack attempt. Fail2Ban caught it, but I'm trying to figure out how it arrived.

Code:
[2010-10-29 19:19:56] NOTICE[2812] chan_sip.c: Registration from '"1058690395"<sip:[email protected]>' failed for '77.68.52.218' - No matching peer found
[2010-10-29 19:19:56] NOTICE[2812] chan_sip.c: Registration from '"100"<sip:[email protected]>' failed for '77.68.52.218' - No matching peer found
[2010-10-29 19:19:56] NOTICE[2812] chan_sip.c: Registration from '"101"<sip:[email protected]>' failed for '77.68.52.218' - No matching peer found
[2010-10-29 19:19:56] NOTICE[2812] chan_sip.c: Registration from '"102"<sip:[email protected]>' failed for '77.68.52.218' - No matching peer found
[2010-10-29 19:19:56] NOTICE[2812] chan_sip.c: Registration from '"2409731417"<sip:[email protected]>' failed for '77.68.52.218' - No matching peer found
[2010-10-29 19:19:56] NOTICE[2812] chan_sip.c: Registration from '"Administrator"<sip:[email protected]>' failed for '77.68.52.218' - No matching peer found
[2010-10-29 19:19:56] NOTICE[2812] chan_sip.c: Registration from '"administrator"<sip:[email protected]>' failed for '77.68.52.218' - No matching peer found
[2010-10-29 19:19:56] NOTICE[2812] chan_sip.c: Registration from '"admin"<sip:[email protected]>' failed for '77.68.52.218' - No matching peer found

98.125.234.252 is my current outside address. I'm on a dynamic IP.

My firewall is set up with an inbound filter to only allow port 5060 UDP from 209.216.2.211 & 209.216.15.70, which are DIDforSale.com's IPs. Nothing else is open on my D-Link firewall.

Any ideas?
 

MikeS

Member
Joined
Jan 12, 2009
Messages
46
Reaction score
0
What is in the firewall logs for that time ?


Also, a recent hack. Not PIAF, but on an * box.

CDRs showed calls to a Taiwan mobile; further investigation showed an unknown registered extension placing calls through an unknown context.

A little digging: somehow an extra context had been added to the end of exten.conf.

Looks like root priv had been obtained, possibly via an http exploit, be warned. DO NOT expose normal http ports.

Maybe some further details after a post mortem.
 

vcallaway

Guru
Joined
May 6, 2008
Messages
170
Reaction score
2
Nothing in my router logs.

I do have my extensions locked down to their static IP addresses. Those are all on the same local net.

I also found a couple of online port scanners that would let me test against 5060, not easy to find BTW. My IP came up clean. No holes.

Still baffled.
 

Derrick32

Member
Joined
Jul 22, 2009
Messages
144
Reaction score
3
Attempted Hack from ITALY!!!!!!

Hey all,
I was running some tests on a new machine, as well as setting up fail2ban. I was having some issues with calls so I ran grep 'fail' /var/log/messages/full and I found some interesting info:

[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"3183146611"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"123"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"1234"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"12345"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"123456"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"test"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"sip"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"user"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"admin"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"pass"<sip:p[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"password"<sip:p[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"testing"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"guest"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"voip"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"account"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"passwd"<sip:p[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"qwerty"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"654321"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"54321"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"4321"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"321"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"pass1"<sip:p[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"abc123"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"123abc"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"qwerty1"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"123456"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"password"<sip:p[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"p@ssw0rd"<sip:p@[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"P@ssw0rd"<sip:p@[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"Password1"<sip:p[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"parola"<sip:p[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"12345678"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"87654321"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:49] NOTICE[3126] chan_sip.c: Registration from '"0000"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:50] NOTICE[3126] chan_sip.c: Registration from '"00"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:50] NOTICE[3126] chan_sip.c: Registration from '"000"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:50] NOTICE[3126] chan_sip.c: Registration from '"000000"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:50] NOTICE[3126] chan_sip.c: Registration from '"00000000"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:50] NOTICE[3126] chan_sip.c: Registration from '"9999"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:50] NOTICE[3126] chan_sip.c: Registration from '"999"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found
[2010-11-17 19:08:50] NOTICE[3126] chan_sip.c: Registration from '"99999999"<sip:[email protected]>' failed for '151.22.71.151' - No matching peer found

Thought maybe I should report this.. This guy at 151.22.71.151 found my machine in a matter of minutes.. CRAZY!!! You can see for yourself his attempts at cracking user name and passwords.. Goes to show strong passwords are a MUST!!!

Thanks,
Derrick
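Derrick's conclusion (strong passwords are a must), angoyr's advice earlier to change the configuration if no external devices register, and vcallaway's practice of locking extensions to their IP addresses all come down to a few sip.conf settings. The following added example, not from any poster, is a small audit that reads a sip.conf and reports the weaknesses this thread is about: allowguest not set to no (unauthenticated INVITEs reach from-sip-external, as in jpe's trace), alwaysauthreject not set to yes (REGISTER replies differ for an unknown peer and a wrong password), secrets that are missing, equal to the extension number, short, or on the attackers' guess list, and dynamic peers with no deny/permit pair. The two config fragments are constructed; the weak-secret list is an assumption drawn from the sweeps posted above.

```python
import re

# Constructed sip.conf fragments (not from the thread). The first has the problems the
# thread describes; the second is the same file with them fixed.
WEAK_SIP_CONF = """\
[general]
context=from-sip-external
allowguest=yes          ; unauthenticated INVITEs are handed to the dialplan
bindport=5060

[2204]
type=friend
secret=2204             ; secret equals the extension number
host=dynamic
context=from-internal

[172]
type=friend
secret=Tq7!vR2pLm9xZc
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
"""

HARDENED_SIP_CONF = """\
[general]
context=from-sip-external
allowguest=no
alwaysauthreject=yes
bindport=5060

[2204]
type=friend
secret=Wn4$kd8Qz2Lp7v
host=dynamic
context=from-internal
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0

[172]
type=friend
secret=Tq7!vR2pLm9xZc
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
"""

# Assumed guess list, taken from the names tried in the registration sweeps posted above.
WEAK_SECRETS = {"123", "1234", "12345", "123456", "password", "admin", "test", "guest", "qwerty"}


def parse_sip_conf(text):
    """Minimal reader: {section: [(key, value), ...]}. Keeps duplicate keys (deny/permit),
    strips ';' comments and accepts both 'key=value' and 'key => value'; no template expansion."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.lstrip(">").strip()))
    return sections


def _get(entries, key, default=None):
    for k, v in entries:
        if k == key:
            return v
    return default


def audit_sip_conf(text):
    """Return [(section, finding)] for the weaknesses discussed in the thread."""
    conf = parse_sip_conf(text)
    findings = []
    general = conf.get("general", [])
    # Defaults have differed between Asterisk versions, so an absent setting counts as a finding.
    if _get(general, "allowguest", "yes").lower() != "no":
        findings.append(("general", "allowguest is not 'no': unauthenticated INVITEs reach the dialplan"))
    if _get(general, "alwaysauthreject", "no").lower() != "yes":
        findings.append(("general", "alwaysauthreject is not 'yes': REGISTER replies reveal which peers exist"))
    for name, entries in conf.items():
        if name == "general" or _get(entries, "type") not in ("peer", "friend", "user"):
            continue
        secret = _get(entries, "secret", "")
        if not secret:
            findings.append((name, "no secret"))
        elif secret == name or secret.lower() in WEAK_SECRETS or len(secret) < 8:
            findings.append((name, "weak secret"))
        if _get(entries, "host") == "dynamic" and not any(k in ("deny", "permit") for k, _ in entries):
            findings.append((name, "dynamic peer without deny/permit: registers from any source IP"))
    return findings
```

On a FreePBX or Trixbox system the per-extension sections are generated by the GUI (sip_additional.conf), so run the audit over the generated include files rather than editing them by hand, and make the general-section changes through the GUI's SIP settings or sip_general_custom.conf so they survive a reload. A deny/permit pair only helps when phones have fixed addresses, which is vcallaway's situation; for roaming phones a VPN is the usual substitute.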
 

ronaldgibson

New Member
Joined
Apr 14, 2008
Messages
16
Reaction score
0
Mine in a few days time

[2010-11-15 18:25:34] NOTICE[3693] chan_sip.c: Registration from '"250640951"<sip:250640951@x>' failed for '209.236.77.95' - No matching peer found
[2010-11-15 18:25:34] NOTICE[3693] chan_sip.c: Registration from '"3944767129"<sip:3944767129@x>' failed for '209.236.77.95' - No matching peer found
[2010-11-15 21:00:04] NOTICE[3693] chan_sip.c: Registration from '"1695642833"<sip:1695642833@x>' failed for '210.34.4.72' - No matching peer found
[2010-11-15 21:00:04] NOTICE[3693] chan_sip.c: Registration from '"1283875896"<sip:1283875896@x>' failed for '210.34.4.72' - No matching peer found
[2010-11-15 22:15:41] NOTICE[3693] chan_sip.c: Registration from '"1228802644"<sip:1228802644@x>' failed for '58.240.51.114' - No matching peer found
[2010-11-16 04:47:14] NOTICE[3693] chan_sip.c: Registration from '"285112412"<sip:285112412@x>' failed for '91.207.234.4' - No matching peer found
[2010-11-16 04:47:30] NOTICE[3693] chan_sip.c: Registration from '"4250813449"<sip:4250813449@x>' failed for '91.207.234.4' - No matching peer found
[2010-11-16 05:09:33] NOTICE[3693] chan_sip.c: Registration from '"789308900"<sip:789308900@x>' failed for '95.142.165.168' - No matching peer found
[2010-11-16 05:09:33] NOTICE[3693] chan_sip.c: Registration from '"402508554"<sip:402508554@x>' failed for '95.142.165.168' - No matching peer found
[2010-11-14 14:54:38] NOTICE[3693] chan_sip.c: Registration from '"225876710"<sip:225876710@x>' failed for '202.162.214.250' - No matching peer found
[2010-11-17 23:58:25] NOTICE[3818] chan_sip.c: Registration from '"2788875233"<sip:2788875233@x>' failed for '67.222.1.189' - No matching peer found
[2010-11-17 23:58:25] NOTICE[3818] chan_sip.c: Registration from '"1617959518"<sip:1617959518@x>' failed for '67.222.1.189' - No matching peer found

Maybe one of these days someone will write a script and collect this info, a "Do Not CALL/Hack This PBX". Or an IP Address Page of Shame.
 

vcallaway

Guru
Joined
May 6, 2008
Messages
170
Reaction score
2
I've actually been thinking about that.

Something similar to the realtime blacklists that are used for spam filtering.

The RBLs do a blanket deny from most ISP dynamic IPs. Probably would not work for our applications. Not real sure where in the process it should be checked.

fail2ban can easily be used to report to a central server attempts that warrant a ban. The trick is when to check the banned server.

Maybe a thread should be started to kick around some ideas?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,202
Reaction score
5,225
They're Getting Smarter. Only 2 Queries per IP Address...

[Nov 19 05:27:22] NOTICE[32322] chan_sip.c: Registration from '"4259716852"<sip:[email protected]>' failed for '131.91.129.82' - No matching peer found
[Nov 19 05:27:23] NOTICE[32322] chan_sip.c: Registration from '"407799895"<sip:[email protected]>' failed for '131.91.129.82' - No matching peer found
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,202
Reaction score
5,225
Here's a nice clump of them you can cut-and-paste into /etc/sysconfig/iptables. Then service iptables restart

-A INPUT -s 69.72.128.0/17 -j DROP
-A INPUT -s 206.71.179.0/24 -j DROP
-A INPUT -s 66.197.128.0/17 -j DROP
-A INPUT -s 70.38.0.0/17 -j DROP
-A INPUT -s 72.55.128.0/18 -j DROP
-A INPUT -s 75.101.128.0/17 -j DROP
-A INPUT -s 147.83.0.0/16 -j DROP
-A INPUT -s 201.15.224.0/24 -j DROP

-A INPUT -s 211.11.141.66 -j DROP
-A INPUT -s 210.127.253.99 -j DROP
-A INPUT -s 209.236.77.95 -j DROP
-A INPUT -s 209.76.47.13 -j DROP
-A INPUT -s 195.33.1.90 -j DROP
-A INPUT -s 193.85.18.72 -j DROP
-A INPUT -s 192.168.2.68 -j DROP
-A INPUT -s 166.195.11.240 -j DROP
-A INPUT -s 151.22.71.151 -j DROP
-A INPUT -s 131.91.129.82 -j DROP
-A INPUT -s 121.14.149.145 -j DROP
-A INPUT -s 119.147.116.157 -j DROP
-A INPUT -s 117.41.229.145 -j DROP
-A INPUT -s 98.64.255.222 -j DROP
-A INPUT -s 93.190.143.10 -j DROP
-A INPUT -s 85.214.32.172 -j DROP
-A INPUT -s 76.122.64.74 -j DROP
-A INPUT -s 75.79.4.166 -j DROP
-A INPUT -s 74.202.84.220 -j DROP
-A INPUT -s 74.209.38.0/24 -j DROP
-A INPUT -s 71.236.1.187 -j DROP
-A INPUT -s 71.198.23.3 -j DROP
-A INPUT -s 66.199.140.187 -j DROP
-A INPUT -s 64.156.192.26 -j DROP
-A INPUT -s 62.146.19.217 -j DROP
-A INPUT -s 59.125.35.242 -j DROP
-A INPUT -s 32.162.43.80 -j DROP
-A INPUT -s 24.13.148.41 -j DROP
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,202
Reaction score
5,225
Updated asterisk.conf for Fail2Ban

We have detected a new attack method that wasn't covered by our previous Asterisk failregex entries in Fail2Ban. We will incorporate these into update-fixes shortly, but you can add them yourself if you like. Just replace the existing failregex material in /etc/fail2ban/filter.d/asterisk.conf with the following. And then service fail2ban restart

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            VERBOSE.* logger.c:\s+-- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
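As an added check on the filter above (example code, not part of the post or of Fail2Ban itself), this Python script applies the same failregex list the way fail2ban does: `<HOST>` is expanded into a capturing group, every log line is searched against each pattern, and hosts that reach maxretry are listed. Literal parentheses in the patterns are backslash-escaped, since fail2ban compiles them with Python's re module; the host pattern is a simplified stand-in for fail2ban's own, and the sample lines are constructed after the chan_sip NOTICEs quoted earlier in this thread.

```python
import re
from collections import Counter
# failregex list from the asterisk.conf above; literal parentheses are
# backslash-escaped because fail2ban compiles each line with Python's re module.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)",
    r"VERBOSE.* logger.c:\s+-- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)",
]
# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 or hostname characters).
HOST_GROUP = r"(?P<host>[\w\-.]+)"

def compile_failregex(patterns=FAILREGEX):
    """Expand <HOST> into a named group and compile, as fail2ban does for each failregex."""
    return [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in patterns]

def failures_per_host(log_lines, compiled=None):
    """Count matching lines per source host; a line counts once even if several patterns hit."""
    compiled = compile_failregex() if compiled is None else compiled
    counts = Counter()
    for line in log_lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                counts[m.group("host")] += 1
                break
    return counts

def hosts_to_ban(log_lines, maxretry=3):
    """Hosts at or above fail2ban's maxretry (the findtime window is ignored here)."""
    return sorted(h for h, n in failures_per_host(log_lines).items() if n >= maxretry)

# Constructed sample log, modelled on the chan_sip NOTICEs quoted in this thread.
SAMPLE_LOG = [
    "[2010-11-17 19:08:50] NOTICE[3126] chan_sip.c: Registration from '\"999\"<sip:999@pbx.example>' failed for '151.22.71.151' - No matching peer found",
    "[2010-11-17 19:08:50] NOTICE[3126] chan_sip.c: Registration from '\"99999999\"<sip:99999999@pbx.example>' failed for '151.22.71.151' - No matching peer found",
    "[2010-11-17 19:08:51] NOTICE[3126] chan_sip.c: Registration from '\"200\"<sip:200@pbx.example>' failed for '151.22.71.151' - Wrong password",
    "[2010-11-17 19:09:10] NOTICE[3126] chan_sip.c: 209.236.77.95 failed to authenticate as '100'",
    "[2010-11-17 19:09:11] NOTICE[3126] chan_sip.c: No registration for peer '100' (from 209.236.77.95)",
    "[2010-11-17 19:09:12] VERBOSE[3126] logger.c:     -- SIP/67.222.1.189-0912d9c0 Playing 'ss-noservice' (language 'en')",
    "[2010-11-17 19:09:13] NOTICE[3126] chan_sip.c: Peer '200' is now Reachable. (2ms / 2000ms)",  # benign line, must not match
]
if __name__ == "__main__":
    print(dict(failures_per_host(SAMPLE_LOG)))  # {'151.22.71.151': 3, '209.236.77.95': 2, '67.222.1.189': 1}
    print("ban:", hosts_to_ban(SAMPLE_LOG))      # ban: ['151.22.71.151']
```

Swapping the escaped `\(from <HOST>\)` pattern for its unescaped form makes the "No registration for peer" line stop matching, which is why the backslashes matter.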
 
