VoIP Mailing List Archives
Mailing list archives for the VoIP community
[asterisk-users] PBX hacked: why hundreds of calls to the same number?

oza.4h07 at gmail.com
Posted: Wed Oct 01, 2014 4:40 am

Hi,

Someone reported to me that from a PBX on which someone gained fraudulent
access, he could observe hundreds of calls to the same destination
number.

For curiosity's sake, I'm wondering why this would happen (dialing the
same number over and over)?

Some special numbers generate revenues here and there for callees (and
not for callers).
Besides sharing interests with the callee that gets those revenues, why
would a hacker like to dial the same numbers over and over?
In other words, in this case, is looking at the callee number a promising
path to find hackers?

Regards

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
admin at tootai.net
Posted: Wed Oct 01, 2014 8:36 am

On 01/10/2014 11:40, Olivier wrote:
Quote:
Hi,

Hi

Quote:

Someone reported to me that from a PBX on which someone gained fraudulent
access, he could observe hundreds of calls to the same destination
number.

For curiosity's sake, I'm wondering why this would happen (dialing the
same number over and over)?

Some special numbers generate revenues here and there for callees (and
not for callers).
Besides sharing interests with the callee that gets those revenues, why
would a hacker like to dial the same numbers over and over?

The callee is also the bad man. Go and buy an 899 number in France, hack
PBXs and call your number :-)

[...]

--
Daniel

linux.gokan at gmail.com
Posted: Wed Oct 01, 2014 8:49 am

Quote:
Someone reported to me that from a PBX on which someone gained fraudulent
access, he could observe hundreds of calls to the same destination
number.

Quote:
For curiosity's sake, I'm wondering why this would happen (dialing the
same number over and over)?

Quote:
Some special numbers generate revenues here and there for callees (and
not for callers).
Besides sharing interests with the callee that gets those revenues, why
would a hacker like to dial the same numbers over and over?
In other words, in this case, is looking at the callee number a promising
path to find hackers?

Is there a bot virus? Do you have IP address restrictions?




universe at truemetal.org
Posted: Wed Oct 01, 2014 11:20 am

On 01.10.2014 11:40, Olivier wrote:
Quote:
Some special numbers generate revenues here and there for callees (and
not for callers).

Not just some, but ALL numbers generate revenue for the receiving
telecom. (Ok ok, a few exceptions, in the US for example)

This is how telecoms have been earning money, always have been, and will
for a while longer, until interconnection fees for incoming traffic are
dropped completely; it's a work in progress, especially in the EU.
(Unfortunately)

There are 2 schemes:

1) Not so popular, but it's on the rise in the last 1-2 years: get
landline numbers in country xyz, strike a deal with the telco that owns
these numbers so that they'll pass a bit of their revenue on to you, and
find a way to call yourself for free or at a lower rate than these
numbers pay (= abuse your unlimited subscriber plan). The revenue is
usually in the area of 0.00x or even 0.000x per minute, depending on the
country.

2) Just google International Premium Numbers, or short, IPRN. It's a
whole world of its own. Revenue is much higher. These are not "real"
numbers and they never have full worldwide connectivity. So the
fraudster has 2 tasks: 1) find a carrier through which he can reach
these numbers and 2) find a way to call these numbers at a lower rate
than they pay out. 2) is usually accomplished by hacking PBXes (= free
calls), fraudulent apps etc. There are tons of stories of abuse
regarding IPRN out on the web, just research a bit (quite interesting
actually).

Some technical background information on 1): How does it work? Where
does the revenue come from, you might wonder? First to be said, it can
never work without a fraudulent telecom operator that is part of the
scheme.

Imagine you are calling from France to Latvia. Let's say the call
passes France, Switzerland, Czech Republic and then goes to Latvia.
Each carrier on the path passes the call on to the next carrier. Now,
let's say the carrier in the Czech Republic is the evil one. The call
comes in, and they simply say: well, this Latvian number that you just
called belongs to us, we terminate the call here and pick it up.
Billing time starts. Now, they charge the Swiss telco for the incoming
call to Latvia, of course. And the Swiss telco charges the French
telecom. The French telecom charges their subscriber (e.g. hacked PBX).
The call never makes it to Latvia!

Now, the Czech Republic telco works together with an IPRN provider (or
they run an evil IPRN service by themselves kind of anonymously). They
pass a bit of the money they get from the Swiss telecom on to the IPRN
"owner" (the fraudster) and keep the remaining money for themselves.
Easy money! This is why IPRNs don't have worldwide connectivity and can
usually never get called from within a country (path is too short, no
fraudulent telecom in between). They can even be real numbers that
belong to someone, in this case, in Latvia, it doesn't matter. All you
need to be is an evil telco where calls transit through and you have it.

How much do you pay to your normal landline telco for a call to Latvia?
To a Latvian mobile number? Let it be 0.25 EUR per minute. That's what
the subscriber pays, the Swiss telecom gets 0.22 of that, the Czech
telco 0.20 and the fraudster 0.11. Just an example - margins are always
high with IPRNs. Now you can simply do the same not with Latvia but with
faaar away countries, islands (!) where calling to is even more
expensive and your margins will go waaay up.

Just to be clear: it's totally legit to earn money on incoming calls,
this is the main income source for telcos all over the world. But
abusing your unlimited plan and running IPRNs is not "that" legit I'd
say. :-)


Quote:
Besides sharing interests with the callee that gets those revenues, why
would a hacker like to dial the same numbers over and over?

I don't see another reason.


Quote:
In other words, in this case, is looking at the callee number a promising
path to find hackers?

Not in my experience. Since the fraudulent telcos work together with the
IPRN "owners" you won't succeed. It must be a large-scale fraud scheme with
millions of EURs lost for some authority to investigate properly. Plus,
the IPRN owners can even get paid via Western Union etc. from the IPRN
service, so all they need is a stolen/fake passport... so you are not
left with much except maybe their IP address which, of course, if they
are not totally dumb, isn't theirs. Gotta get in touch with some law
enforcement agency and then catch them when they pick up the money at
the Western Union counter.

I should write a book about that. :-P

Cheers
Markus


rainer.piper at soho-p...
Posted: Thu Oct 02, 2014 12:53 am

On 01.10.2014 at 18:19, Markus wrote:

Quote:
[...]

Is the destination number like country code +972?
Quote:
+972 59 xxxxxx(x) mobile - Jawall [moving to 7-digit subscriber numbers]
source - http://www.wtng.info/wtng-972-il.html

My SIP proxy logs all the unauthenticated INVITEs and I found that a lot of calls go to country code +972 xxxxxxxxxxx

This is my log from this morning:
Oct 2 07:32:15 server /sbin/kamailio[29866]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=00972597613940

--
Rainer Piper
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rainer@xmpp.soho-piper.de
rainer.piper at soho-p...
Posted: Thu Oct 02, 2014 1:33 am

On 01.10.2014 at 15:48, Gokan Atmaca wrote:

Quote:
[...]

Quote:
Is there a bot virus? Do you have IP address restrictions?

I have one SIP proxy without any outbound trunks/routing, and this proxy is just collecting bad source IPs and bad destination numbers for the database blacklist table,
and I use this blacklist table in my production system.
  
--
Rainer Piper
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rainer@xmpp.soho-piper.de
tzafrir.cohen at xorco...
Posted: Thu Oct 02, 2014 8:41 am

On Thu, Oct 02, 2014 at 07:52:34AM +0200, Rainer Piper wrote:

Quote:
Is the destination Number like Country Code +972?

+972 59 xxxxxx(x) mobile - Jawall [moving to 7-digit subscriber numbers]

source - http://www.wtng.info/wtng-972-il.html

That page is slightly dated. +972 59 XXXXXXX are all the numbers in the
Palestinian Authority (there are several providers besides Jawall).

Quote:

My SIP proxy logs all the unauthenticated INVITEs and I found that a lot of
calls go to country code +972 xxxxxxxxxxx

As a resident of +972 (+972-4), I'll just note that those hack attempts
are typically related to PA numbers (+972-59) as rates there are higher.

--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen@xorcom.com
+972-50-7952406 mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com

dplatt at radagast.org
Posted: Thu Oct 02, 2014 12:45 pm

Quote:
Is the destination number like country code +972?

+972 59 xxxxxx(x) mobile - Jawall [moving to 7-digit subscriber numbers]

source - http://www.wtng.info/wtng-972-il.html

My SIP proxy logs all the unauthenticated INVITEs and I found that a lot of calls go
to country code +972 xxxxxxxxxxx

I've seen that a very high percentage of the "SIP probing" my Asterisk
system has seen over the past few years consists of attempts to phone
numbers in +972 (or, more generally, the West Bank and/or Gaza).

It's consistent enough that I've set up a Fail2Ban rule which slaps a
semi-permanent block on any IP address which tries this, even once.

Since the last time I did a firewall-reset, the resulting iptables rules
have blocked over 2000 call attempts (one attacker at 142.54.180.50 has
tried over 1200 times).

These attempts seem to come from all over the world... I'd guess that
the majority are being sent through 'botted systems.



rainer.piper at soho-p...
Posted: Fri Oct 03, 2014 7:52 am

On 02.10.2014 at 15:40, Tzafrir Cohen wrote:

Quote:
That page is slightly dated. +972 59 XXXXXXX are all the numbers in the
Palestinian Authority (there are several providers besides Jawall).

Quote:
As a resident of +972 (+972-4), I'll just note that those hack attempts
are typically related to PA numbers (+972-59) as rates there are higher.

Hi Tzafrir,

OK, the page www.wtng.info is not really up to date.

Here are some logs showing the variations of the attempts to dial over my proxy:

Quote:
Oct 3 11:23:06 server /sbin/kamailio[7217]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=00972592910519
Oct 3 11:42:52 server /sbin/kamailio[7218]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=972592910519
Oct 3 11:53:15 server /sbin/kamailio[7217]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=700972592910519
Oct 3 12:06:32 server /sbin/kamailio[7218]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=200972592910519
Oct 3 12:20:04 server /sbin/kamailio[7217]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=#00972592910519
Oct 3 12:32:53 server /sbin/kamailio[7218]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=*000972592910519
Oct 3 12:45:35 server /sbin/kamailio[7217]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=*972592910519
Oct 3 12:57:42 server /sbin/kamailio[7217]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=9999900972592910519
Oct 3 13:09:37 server /sbin/kamailio[7218]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=7700972592910519
Oct 3 13:21:24 server /sbin/kamailio[7217]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=66600972592910519
Oct 3 13:33:11 server /sbin/kamailio[7218]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=555500972592910519
and the source IP
Quote:
69.30.254.234
is coming from
Quote:
OrgName: WholeSale Internet, Inc.
OrgId: WHOLE-125
Address: 324 E. 11th St.
Address: Suite 1000
City: Kansas City
StateProv: MO
PostalCode: 64106
Country: US
very strange ;-)


--
Rainer Piper
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rainer@xmpp.soho-piper.de
rainer.piper at soho-p...
Posted: Fri Oct 03, 2014 12:53 pm

The attacking server changed the destination number at 18:53 CEST and he is still blocked ... LOL
Quote:
Oct 3 18:53:17 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=00972597438354
Oct 3 19:06:37 server /sbin/kamailio[3978]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=000972597438354
Oct 3 19:19:45 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=972597438354
Oct 3 19:32:59 server /sbin/kamailio[3978]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=*000972597438354
Oct 3 19:46:20 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=100972597438354



--
Rainer Piper
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rainer@xmpp.soho-piper.de
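The prefix games in Rainer's logs (the same +972-59 number behind '*', '#', '000', '7', '99999' and so on) are easy to miss if you only count distinct rU values. As an added example, not code from this thread or from Kamailio, here is a small Python triage script that parses such NOTICE lines, strips the dial-prefix junk down to the number actually being reached, and groups blocked INVITEs by source and canonical destination. The sample lines are constructed to match the quoted format (the 203.0.113.9 line is a control case), and the watch-list prefixes and their labels are our own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Kamailio NOTICE lines quoted in the thread:
# one source hammering one destination, but with a different dial prefix every time.
# The last line (documentation IP, UK drama number range) is a control case that
# should not match the watch list.
SAMPLE_LOG = """\
Oct 3 11:23:06 server /sbin/kamailio[7217]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=00972592910519
Oct 3 11:42:52 server /sbin/kamailio[7218]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=972592910519
Oct 3 11:53:15 server /sbin/kamailio[7217]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=700972592910519
Oct 3 12:20:04 server /sbin/kamailio[7217]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=#00972592910519
Oct 3 12:32:53 server /sbin/kamailio[7218]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=*000972592910519
Oct 3 12:57:42 server /sbin/kamailio[7217]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=9999900972592910519
Oct 3 13:33:11 server /sbin/kamailio[7218]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=555500972592910519
Oct 3 18:53:17 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=00972597438354
Oct 3 19:06:37 server /sbin/kamailio[3978]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=000972597438354
Oct 3 19:32:59 server /sbin/kamailio[3978]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=*000972597438354
Oct 3 20:01:11 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 203.0.113.9 sipcli/v1.8 rm=INVITE aU=<null> rU=00441632960123
"""

# Fields of interest in one NOTICE line: source IP, User-Agent, SIP method,
# authenticated user (aU=<null> means the INVITE carried no credentials at all)
# and the request-URI user part, i.e. the dialled string.
LINE_RE = re.compile(
    r"blocking IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<ua>\S+) "
    r"rm=(?P<method>\w+) aU=(?P<auth_user>\S+) rU=(?P<req_user>\S+)"
)

# Destination ranges worth a closer look. +972-59 is the range the thread singles
# out; the labels are our own (assumption), not something the proxy knows.
WATCHED_PREFIXES = {
    "97259": "+972-59 (PA mobile, high termination rate)",
    "972": "+972 (other)",
}
E164_MIN, E164_MAX = 8, 15


def canonical_destination(req_user):
    """Strip dial-prefix junk ('*', '#', '000', '7', '99999', ...) from a dialled
    string and return (digits, label) for the watched number it ends in, or None.
    Heuristic: the first suffix that starts with a watched country code and has
    an E.164-plausible length wins, so an unrelated number that happens to
    contain '972' mid-string can still match; treat the result as a triage hint."""
    digits = re.sub(r"\D", "", req_user)
    for start in range(len(digits)):
        tail = digits[start:]
        if not E164_MIN <= len(tail) <= E164_MAX:
            continue
        for prefix in sorted(WATCHED_PREFIXES, key=len, reverse=True):
            if tail.startswith(prefix):
                return tail, WATCHED_PREFIXES[prefix]
    return None


def parse_line(line):
    """Return the fields of one Kamailio NOTICE line as a dict, or None for other lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["unauthenticated"] = rec["auth_user"] == "<null>"
    return rec


def summarize(log_text):
    """Group blocked INVITEs by (source IP, canonical destination).

    Returns {(ip, dest): {"label": str, "attempts": int, "variants": [raw rU, ...]}}.
    Destinations outside the watch list are keyed with dest=None so they still count."""
    groups = defaultdict(lambda: {"label": None, "attempts": 0, "variants": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "INVITE":
            continue
        canon = canonical_destination(rec["req_user"])
        dest, label = canon if canon else (None, "not on watch list")
        group = groups[(rec["ip"], dest)]
        group["label"] = label
        group["attempts"] += 1
        group["variants"].append(rec["req_user"])
    return dict(groups)


def report(log_text):
    """One line per (source, destination), busiest first, with the count of
    distinct prefix variants so the 'same number, many spellings' pattern stands out."""
    rows = sorted(summarize(log_text).items(), key=lambda kv: -kv[1]["attempts"])
    return "\n".join(
        f"{ip:15} -> {dest or '?':15} {g['attempts']:3} attempts, "
        f"{len(set(g['variants']))} dial variants  [{g['label']}]"
        for (ip, dest), g in rows
    )


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feeding the proxy's real syslog through `summarize` makes the "one source, one destination, many prefixes" pattern visible at a glance, which is a much stronger blacklist signal than any single dialled string.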
EWieling at nyigc.com
Posted: Fri Oct 03, 2014 1:01 pm

We set up our servers to allowguest=yes and autocreatepeer=yes and use a global context setting to point any of those calls to an IVR jail. Attempts stop reasonably quickly.

An empty "room" with an unlocked "door" is far less interesting than a room with the door locked.

7
Quote:
Oct  3 19:19:45 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=972597438354
8
Quote:
Oct  3 19:19:45 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=972597438354
9
Quote:
Oct  3 19:32:59 server /sbin/kamailio[3978]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=*000972597438354
0
very strange Wink


--
Rainer Piper
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rainer@xmpp.soho-piper.de
Back to top
asterisk at lists.mino...
Guest





PostPosted: Fri Oct 03, 2014 1:11 pm    Post subject: [asterisk-users] PBX hacked: why hundred of calls to the sam Reply with quote

On 3/10/14 6:52 pm, Rainer Piper wrote:
Quote:
the attacking server changed the destination Number at 18:53 CEST and
he is still blocked ... LOL
972597438354

It's pretty much an everyday occurrence for any internet-connected SIP
system these days...

Quote:
Oct 3 19:46:20 server /sbin/kamailio[3977]: NOTICE: <script>: blocking
IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=100972597438354

Many of these attacks come from fairly easily recognised user-agent
strings, so if you fancy doing a bit of packet inspection with your
firewall, you can block many of these before they get as far as your SIP
server(s) themselves.

For example, the sipcli scans you listed above can be blocked fairly
easily with:
iptables -A INPUT -p udp --dport 5060 -m string --algo bm --string "sipcli" -j DROP

(obviously there are overheads to string searching UDP/5060 packets that
you'll want to consider, and the above won't work if you're using sipcli
legitimately anywhere on your network)

Kind regards,

Chris
--
This email is made from 100% recycled electrons

Back to top
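Rainer's log excerpt shows one destination dialled through several prefix variants (00, 000, *000, 100, +) from one source, and Chris's reply points at the User-Agent string as a cheap classifier. The following Python is an added example, not code from the thread or from Kamailio: it parses such "blocking IP" NOTICE lines, collapses the prefix variants onto one canonical destination, and groups by source IP and User-Agent so that the same-number-many-prefixes pattern stands out in a log review. The sample lines are constructed from the ones quoted in the thread (wrapped lines rejoined, BBCode wrappers removed), the User-Agent is assumed to contain no spaces, and the prefix rules in canonical_dest (notably treating a leading "1" ahead of "00" as a route prefix) are assumptions derived from the variants seen here, not a general numbering-plan normaliser.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Kamailio NOTICE lines quoted in this thread.
SAMPLE_LOG = """\
Oct  3 18:53:17 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=00972597438354
Oct  3 19:06:37 server /sbin/kamailio[3978]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=000972597438354
Oct  3 19:19:45 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=972597438354
Oct  3 19:32:59 server /sbin/kamailio[3978]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=*000972597438354
Oct  3 19:46:20 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=100972597438354
Oct  3 20:26:37 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 142.0.41.179 sipcli/v1.8 rm=INVITE aU=<null> rU=+972595632276
"""

# Fields in the NOTICE line: source IP, User-Agent (assumed space-free), method, auth user, request user.
LINE_RE = re.compile(
    r"blocking IP (?P<ip>\S+) (?P<ua>\S+) rm=(?P<method>\S+) aU=(?P<au>\S+) rU=(?P<ru>\S+)"
)

def canonical_dest(ru: str) -> str:
    """Reduce a dial string to bare country code + number so that the prefix
    variants seen in the thread (00, 000, *000, 100, +) collapse to one key."""
    digits = ru.lstrip("*#+")        # feature-code / plus prefixes
    if digits.startswith("100"):     # assumption: route prefix "1" ahead of the "00" access code
        digits = digits[1:]
    if digits.startswith("011"):     # North American international access code
        digits = digits[3:]
    elif digits.startswith("00"):    # ITU international access code
        digits = digits[2:]
    return digits.lstrip("0")        # stray extra zeros (000972...)

def parse_blocks(log_text: str) -> list:
    """One record per blocked INVITE; lines that do not match are ignored."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("method") == "INVITE":
            rec = m.groupdict()
            rec["dest"] = canonical_dest(rec["ru"])
            records.append(rec)
    return records

def summarise(records: list) -> dict:
    """Group by (source IP, User-Agent): INVITE count and, per canonical
    destination, the set of raw dial strings that were tried."""
    summary = defaultdict(lambda: {"invites": 0, "targets": defaultdict(set)})
    for rec in records:
        entry = summary[(rec["ip"], rec["ua"])]
        entry["invites"] += 1
        entry["targets"][rec["dest"]].add(rec["ru"])
    return summary

def prefix_probing(summary: dict, min_variants: int = 3) -> list:
    """Sources that dialled one destination through several prefix variants:
    the signature of a scanner hunting for a dial plan that routes out."""
    hits = []
    for (ip, ua), entry in summary.items():
        for dest, variants in entry["targets"].items():
            if len(variants) >= min_variants:
                hits.append((ip, ua, dest, sorted(variants)))
    return hits
```

On the sample, prefix_probing(summarise(parse_blocks(SAMPLE_LOG))) returns a single hit: 62.210.149.136 with sipcli/v1.8 dialling 972597438354 through five distinct dial strings, while the second source, with only one variant so far, is not flagged.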
rainer.piper at soho-p...
Guest





PostPosted: Fri Oct 03, 2014 1:13 pm    Post subject: [asterisk-users] PBX hacked: why hundred of calls to the sam Reply with quote

Hi Eric

I like your approach.
I think about stateless redirect the bad boy to the NSA- or Pentagon-IVR
LOL


Am 03.10.2014 um 20:01 schrieb Eric Wieling:

Quote:
We set up our servers to allowguest=yes and autocreatepeer=yes and use a global context setting to point any of those calls to an IVR jail.    Attempts stop reasonably quickly.
 
An empty "room" with an unlocked "door" is far less interesting than a room with the door locked.
 
From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Rainer Piper
Sent: Friday, October 03, 2014 1:53 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] PBX hacked: why hundred of calls to the same number ?


 
the attacking server changed the destination Number at 18:53 CEST and he is still blocked ... LOL

Quote:
972597438354

Quote:
Oct  3 18:53:17 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=00972597438354
Oct  3 19:06:37 server /sbin/kamailio[3978]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=000972597438354
Oct  3 19:19:45 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=972597438354
Oct  3 19:32:59 server /sbin/kamailio[3978]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=*000972597438354
Oct  3 19:46:20 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=100972597438354




Am 03.10.2014 um 14:52 schrieb Rainer Piper:
Quote:

Am 02.10.2014 um 15:40 schrieb Tzafrir Cohen:
Quote:
Quote:
On Thu, Oct 02, 2014 at 07:52:34AM +0200, Rainer Piper wrote: 
Quote:
Is the destination Number like Country Code +972?

Hi Tzafrir,

ok, the page www.wtng.info is not really up to date.

here some logs to see the variations of the attempt to dial over my proxy

Quote:
Oct  3 18:53:17 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=00972597438354
Oct  3 19:06:37 server /sbin/kamailio[3978]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=000972597438354
Oct  3 19:19:45 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=972597438354
Oct  3 19:32:59 server /sbin/kamailio[3978]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=*000972597438354

and the source IP
Quote:
62.210.149.136
is coming from

very strange ;)


--
Rainer Piper
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rainer@xmpp.soho-piper.de
Back to top
rainer.piper at soho-p...
Guest





PostPosted: Fri Oct 03, 2014 1:15 pm    Post subject: [asterisk-users] PBX hacked: why hundred of calls to the sam Reply with quote

Hi Chris,

yes ... it is boring ...
I stop posting ...
;)


Am 03.10.2014 um 20:11 schrieb Chris Bagnall:

Quote:
On 3/10/14 6:52 pm, Rainer Piper wrote:
Quote:
the attacking server changed the destination Number at 18:53 CEST and
he is still blocked ... LOL
972597438354

It's pretty much an everyday occurrence for any internet-connected SIP system these days...

Quote:
Oct  3 19:46:20 server /sbin/kamailio[3977]: NOTICE: <script>: blocking
IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=100972597438354

Many of these attacks come from fairly easily recognised user-agent strings, so if you fancy doing a bit of packet inspection with your firewall, you can block many of these before they get as far as your SIP server(s) themselves.

For example, the sipcli scans you listed above can be blocked fairly easily with:
iptables -A INPUT -p udp --dport 5060 -m string --algo bm --string "sipcli" -j DROP

(obviously there are overheads to string searching UDP/5060 packets that you'll want to consider, and the above won't work if you're using sipcli legitimately anywhere on your network)

Kind regards,

Chris


--
Rainer Piper
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rainer@xmpp.soho-piper.de
Back to top
rainer.piper at soho-p...
Guest





PostPosted: Fri Oct 03, 2014 1:43 pm    Post subject: [asterisk-users] PBX hacked: why hundred of calls to the sam Reply with quote

just one more ;)

the source IP just changed to
Quote:
142.0.41.179
OrgName: VolumeDrive
OrgId: VOLUM-2
Address: 1143 Northern Blvd
City: Clarks Summit
StateProv: PA
PostalCode: 18411
Country: US
and the destination Number to

Quote:
972595632276
Oct  3 20:26:37 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 142.0.41.179 sipcli/v1.8 rm=INVITE aU=<null> rU=+972595632276


Am 03.10.2014 um 20:15 schrieb Rainer Piper:

Quote:
Hi Chris,

yes ... it is boring ...
I stop posting ...
;)


Am 03.10.2014 um 20:11 schrieb Chris Bagnall:

Quote:
On 3/10/14 6:52 pm, Rainer Piper wrote:
Quote:
the attacking server changed the destination Number at 18:53 CEST and
he is still blocked ... LOL
972597438354

It's pretty much an everyday occurrence for any internet-connected SIP system these days...

Quote:
Oct  3 19:46:20 server /sbin/kamailio[3977]: NOTICE: <script>: blocking
IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=100972597438354

Many of these attacks come from fairly easily recognised user-agent strings, so if you fancy doing a bit of packet inspection with your firewall, you can block many of these before they get as far as your SIP server(s) themselves.

For example, the sipcli scans you listed above can be blocked fairly easily with:
iptables -A INPUT -p udp --dport 5060 -m string --algo bm --string "sipcli" -j DROP

(obviously there are overheads to string searching UDP/5060 packets that you'll want to consider, and the above won't work if you're using sipcli legitimately anywhere on your network)

Kind regards,

Chris


--
Rainer Piper
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rainer@xmpp.soho-piper.de
Back to top