attack attempt from 124.217.254.90

Patrick_elx
Joined Dec 14, 2008, Messages 1,120
#1
I just got attacked by this IP.

Received a hundred simultaneous SIP calls from this IP (with different CIDs and different DID destinations).

When answered, they masquerade with a real caller ID of "asterisk" <asterisk>.

They tried to hack the voicemail/password (maybe to try to identify existing extensions)?

The whole attack lasted less than 2 minutes.

I did not, however, see any registration attempt that would have triggered fail2ban.

PS: yes, I allow anonymous SIP calls to allow inbound ENUM. However, my anonymous SIP context has some other restrictions.
 

ramoncio
Joined May 12, 2010, Messages 1,663
#2
jwhois 124.217.254.90
[Preguntando whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 124.217.224.0 - 124.217.255.255
netname: PIRADIUS-NET
descr: PIRADIUS NET
country: MY
admin-c: PA124-AP
tech-c: PA124-AP
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
mnt-by: APNIC-HM
mnt-lower: MAINT-MY-PIRADIUS
changed: hm-changed@apnic.net 20071217
source: APNIC

person: PIRADIUS NET Administrator
nic-hdl: PA124-AP
e-mail: abuse@piradius.net
address: PIRADIUS NET
address: Unit 21-3A, Level 21
address: Plaza DNP 59, Jalan Abdullah Tahir
address: Taman Century Garden
address: 80300 Johor Bahru, Johor
address: Malaysia
phone: +607 334 8605
fax-no: +607 334 8605
country: MY
changed: admin@piradius.net 20071003
mnt-by: MAINT-MY-PIRADIUS
source: APNIC
 

dicko
Joined Oct 24, 2008, Messages 4,099
#3
Investigate/post the relevant part of
cat /var/log/asterisk/full | grep "124.217.254.90"
 

Patrick_elx
Joined Dec 14, 2008, Messages 1,120
#4
Plenty of different simultaneous calls; I'll try to show a brief summary of the important points:
Code:
Executing [900442033935118@from-sip-external:1] 
Executing [9011442033935118@from-sip-external:1]
Executing [90442033935118@from-sip-external:1]
Executing [9442033935118@from-sip-external:1]
Executing [442033935118@from-sip-external:1]
Executing [00442033935118@from-sip-external:1]
Executing [012442033935118@from-sip-external:1]
etc....


Executing [s@ext-did:3] ExecIf("SIP/124.217.254.90-09d3a5a8", "0 |Set|CALLERID(name)=asterisk") in new stack
dialparties.agi: Caller ID name is 'asterisk' number is 'asterisk'


Got SIP response 302 "Moved Temporarily" back from 10.1.1.77
Now forwarding SIP/124.217.254.90-09d3a5a8 to 'Local/*98@from-internal' (thanks to SIP/27-09e837a8)
Executing [*98@from-internal:3] NoOp("Local/*98@from-internal-5ee7,2", "app-dialvm: Asking for mailbox") in new stack
Executing [*98@from-internal:4] Read("Local/*98@from-internal-5ee7,2", "MAILBOX|vm-login|||3|2") in new stack
<Local/*98@from-internal-54d9,2> Playing 'vm-login' (language 'en')

Executing [*98@from-internal:5] NoOp("Local/*98@from-internal-5ee7,2", "app-dialvm: Got Mailbox ") in new stack
Executing [*98@from-internal:6] Macro("Local/*98@from-internal-5ee7,2", "get-vmcontext|") in new stack

Executing [s@macro-get-vmcontext:1] Set("Local/*98@from-internal-5ee7,2", "VMCONTEXT=") in new stack
Executing [s@macro-get-vmcontext:2] GotoIf("Local/*98@from-internal-5ee7,2", "1?200:300") in new stack
Goto (macro-get-vmcontext,s,200)
Executing [s@macro-get-vmcontext:200] Set("Local/*98@from-internal-5ee7,2", "VMCONTEXT=default") in new stack
Executing [*98@from-internal:7] MailboxExists("Local/*98@from-internal-5ee7,2", "@default") in new stack
Executing [*98@from-internal:8] GotoIf("Local/*98@from-internal-5ee7,2", "0?good:bad") in new stack
Goto (from-internal,*98,14)
Executing [*98@from-internal:14] NoOp("Local/*98@from-internal-5ee7,2", "app-dialvm: BAD mailbox @default") in new stack
Executing [*98@from-internal:15] Wait("Local/*98@from-internal-5ee7,2", "1") in new stack
Executing [*98@from-internal:16] NoOp("Local/*98@from-internal-5ee7,2", "app-dialvm: Asking for password so people cant probe for existence of a mailbox") in new stack
Executing [*98@from-internal:17] Read("Local/*98@from-internal-5ee7,2", "FAKEPW|vm-password|||3|2") in new stack
<Local/*98@from-internal-5ee7,2> Playing 'vm-password' (language 'en')
I discovered a problem in my installation: I recently installed a Cisco 7905 I was playing with. I forgot to disable call waiting in the extension tab. Then, when all the other calls arrived, the phone being busy sent the channel to *98@from-internal, a context that should not have been reachable from my anonymous-SIP inbound route.
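Dicko's grep and the summary in #4 point at two things worth checking automatically on the box: how many distinct DIDs one source address tries through the anonymous context in a short burst, and whether any external channel gets forwarded into from-internal (the *98 voicemail path above). As an added example that is not part of this thread, the script below does both over constructed log lines shaped like the excerpt; a real /var/log/asterisk/full line carries a timestamp and verbosity prefix, which the patterns simply skip over. The context names are the FreePBX ones shown in the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of Asterisk's full log (not taken from
# the thread). The third source IP is a documentation address used as a decoy.
SAMPLE_LOG = """\
    -- Executing [900442033935118@from-sip-external:1] Set("SIP/124.217.254.90-09d3a5a8", "__FROM_DID=900442033935118") in new stack
    -- Executing [9011442033935118@from-sip-external:1] Set("SIP/124.217.254.90-09d3a5b0", "__FROM_DID=9011442033935118") in new stack
    -- Executing [90442033935118@from-sip-external:1] Set("SIP/124.217.254.90-09d3a5b8", "__FROM_DID=90442033935118") in new stack
    -- Executing [442033935118@from-sip-external:1] Set("SIP/203.0.113.9-09d3a600", "__FROM_DID=442033935118") in new stack
    -- Now forwarding SIP/124.217.254.90-09d3a5a8 to 'Local/*98@from-internal' (thanks to SIP/27-09e837a8)
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "Executing [exten@context:prio] App("SIP/<ip>-<id>", ...)" -> exten, context, source IP
EXEC_RE = re.compile(
    r'Executing \[(?P<exten>[^@\]]+)@(?P<ctx>[^:\]]+):\d+\] \w+\("SIP/(?P<ip>' + IPV4 + r")-"
)
# "Now forwarding SIP/<ip>-<id> to 'Local/exten@context'" -> source IP, exten, context
FWD_RE = re.compile(
    r"Now forwarding SIP/(?P<ip>" + IPV4 + r")-\S+ to 'Local/(?P<exten>[^@']+)@(?P<ctx>[^']+)'"
)


def analyse(log_text, inbound_ctx="from-sip-external",
            internal_ctx="from-internal", scan_threshold=3):
    """Return (scanners, leaks).

    scanners: {ip: distinct DID count} for sources that dialled at least
              scan_threshold different numbers through the anonymous context.
    leaks:    [(ip, exten)] for external SIP channels forwarded into the
              internal context, which an anonymous caller should never reach.
    """
    dids = defaultdict(set)
    leaks = []
    for line in log_text.splitlines():
        m = EXEC_RE.search(line)
        if m and m.group("ctx") == inbound_ctx:
            dids[m.group("ip")].add(m.group("exten"))
            continue
        f = FWD_RE.search(line)
        if f and f.group("ctx") == internal_ctx:
            leaks.append((f.group("ip"), f.group("exten")))
    scanners = {ip: len(d) for ip, d in dids.items() if len(d) >= scan_threshold}
    return scanners, leaks


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Feed it `/var/log/asterisk/full` (or the grep output from #3) instead of the sample; any entry in `leaks` means the inbound route still has a path into from-internal that needs closing.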
 

jammerz
Joined Sep 7, 2009, Messages 75
#5
Yikes.

I think I'm going to play with IP country, as mentioned by the nerdvittles / pbxinflash guys.

http://nerdvittles.com/?p=639

Just a piece of what they mention; if you have time, read through the entire article.


Installing GeoLite Country. To get started, log into your server as root and issue the following commands:

cd /
wget http://bestof.nerdvittles.com/applicati ... ountry.tgz
tar zxvf ipcountry.tgz
rm ipcountry.tgz
cd /root/ipcountry
./nv-ipcountry
as Ward and the others seem to be ahead of the curve on this stuff, and I would like to see if we can bring it over to the Elastix ISOs as well.

More tests this week... so little time.

JF
 
