attack attempt from 124.217.254.90

Discussion in 'General' started by Patrick_elx, May 2, 2009.

  1. Patrick_elx

    Joined:
    Dec 14, 2008
    Messages:
    1,120
    Likes Received:
    0
    I just got attacked by this IP.

    Received about a hundred simultaneous SIP calls from this IP (with different CIDs and different DID destinations).

    When answered, they masquerade with a real caller ID of "asterisk" <asterisk>.

    They tried to hack the voicemail/password (maybe to try to identify existing extensions?).

    The whole attack lasted less than 2 minutes.

    I did not, however, see any registration attempt that would have triggered fail2ban.

    PS: yes, I allow anonymous SIP calls to allow inbound ENUM. However, my anonymous SIP context has some other restrictions.
     
  2. ramoncio

    Joined:
    May 12, 2010
    Messages:
    1,663
    Likes Received:
    0
    jwhois 124.217.254.90
    [Querying whois.apnic.net]
    [whois.apnic.net]
    % [whois.apnic.net node-1]
    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

    inetnum: 124.217.224.0 - 124.217.255.255
    netname: PIRADIUS-NET
    descr: PIRADIUS NET
    country: MY
    admin-c: PA124-AP
    tech-c: PA124-AP
    status: ALLOCATED PORTABLE
    remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    remarks: This object can only be updated by APNIC hostmasters.
    remarks: To update this object, please contact APNIC
    remarks: hostmasters and include your organisation's account
    remarks: name in the subject line.
    remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    mnt-by: APNIC-HM
    mnt-lower: MAINT-MY-PIRADIUS
    changed: hm-changed@apnic.net 20071217
    source: APNIC

    person: PIRADIUS NET Administrator
    nic-hdl: PA124-AP
    e-mail: abuse@piradius.net
    address: PIRADIUS NET
    address: Unit 21-3A, Level 21
    address: Plaza DNP 59, Jalan Abdullah Tahir
    address: Taman Century Garden
    address: 80300 Johor Bahru, Johor
    address: Malaysia
    phone: +607 334 8605
    fax-no: +607 334 8605
    country: MY
    changed: admin@piradius.net 20071003
    mnt-by: MAINT-MY-PIRADIUS
    source: APNIC
     
  3. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Investigate/post the relevant part of
    grep "124.217.254.90" /var/log/asterisk/full
     
  4. Patrick_elx

    Joined:
    Dec 14, 2008
    Messages:
    1,120
    Likes Received:
    0
    Plenty of different simultaneous calls; I'll try to show a brief summary of the important points:
    Code:
    Executing [900442033935118@from-sip-external:1] 
    Executing [9011442033935118@from-sip-external:1]
    Executing [90442033935118@from-sip-external:1]
    Executing [9442033935118@from-sip-external:1]
    Executing [442033935118@from-sip-external:1]
    Executing [00442033935118@from-sip-external:1]
    Executing [012442033935118@from-sip-external:1]
    etc....
    
    
    Executing [s@ext-did:3] ExecIf("SIP/124.217.254.90-09d3a5a8", "0 |Set|CALLERID(name)=asterisk") in new stack
    dialparties.agi: Caller ID name is 'asterisk' number is 'asterisk'
    
    
    Got SIP response 302 "Moved Temporarily" back from 10.1.1.77
    Now forwarding SIP/124.217.254.90-09d3a5a8 to 'Local/*98@from-internal' (thanks to SIP/27-09e837a8)
    Executing [*98@from-internal:3] NoOp("Local/*98@from-internal-5ee7,2", "app-dialvm: Asking for mailbox") in new stack
    Executing [*98@from-internal:4] Read("Local/*98@from-internal-5ee7,2", "MAILBOX|vm-login|||3|2") in new stack
    <Local/*98@from-internal-54d9,2> Playing 'vm-login' (language 'en')
    
    Executing [*98@from-internal:5] NoOp("Local/*98@from-internal-5ee7,2", "app-dialvm: Got Mailbox ") in new stack
    Executing [*98@from-internal:6] Macro("Local/*98@from-internal-5ee7,2", "get-vmcontext|") in new stack
    
    Executing [s@macro-get-vmcontext:1] Set("Local/*98@from-internal-5ee7,2", "VMCONTEXT=") in new stack
    Executing [s@macro-get-vmcontext:2] GotoIf("Local/*98@from-internal-5ee7,2", "1?200:300") in new stack
    Goto (macro-get-vmcontext,s,200)
    Executing [s@macro-get-vmcontext:200] Set("Local/*98@from-internal-5ee7,2", "VMCONTEXT=default") in new stack
    Executing [*98@from-internal:7] MailboxExists("Local/*98@from-internal-5ee7,2", "@default") in new stack
    Executing [*98@from-internal:8] GotoIf("Local/*98@from-internal-5ee7,2", "0?good:bad") in new stack
    Goto (from-internal,*98,14)
    Executing [*98@from-internal:14] NoOp("Local/*98@from-internal-5ee7,2", "app-dialvm: BAD mailbox @default") in new stack
    Executing [*98@from-internal:15] Wait("Local/*98@from-internal-5ee7,2", "1") in new stack
    Executing [*98@from-internal:16] NoOp("Local/*98@from-internal-5ee7,2", "app-dialvm: Asking for password so people cant probe for existence of a mailbox") in new stack
    Executing [*98@from-internal:17] Read("Local/*98@from-internal-5ee7,2", "FAKEPW|vm-password|||3|2") in new stack
    <Local/*98@from-internal-5ee7,2> Playing 'vm-password' (language 'en')
    
    
    I discovered a problem in my installation: I recently installed a Cisco 7905 I was playing with. I forgot to disable call waiting in the extension tab. Then, when all the other calls arrived, the phone, being busy, sent the channel to *98@from-internal, a context that should not have been allowed from my anonymous-SIP inbound route.
     
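The two things visible in the log above (a burst of anonymous calls to the same trailing digits with different dial prefixes, and an anonymous channel being forwarded into a *98 feature code) can both be picked out of /var/log/asterisk/full mechanically, which matters because neither produces the registration failures fail2ban watches for. The script below is an added example, not code from the original thread or from Elastix/FreePBX; the sample log lines are constructed to follow the shape of Asterisk's full log (the channel name of an anonymous SIP call carries the source IP), 203.0.113.7 stands in for a legitimate peer, and the thresholds are arbitrary starting points.

```python
"""Detect SIP dial-prefix probing and feature-code forwarding in an Asterisk "full" log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from os.path import commonprefix

# Constructed sample lines (not from the original post) modelled on the shape of
# /var/log/asterisk/full: "Executing [...]" lines carry the dialled number and the
# context, and for anonymous SIP calls the channel name carries the source IP.
SAMPLE_LOG = """\
[May 2 10:15:01] VERBOSE[4321] logger.c:     -- Executing [900442033935118@from-sip-external:1] NoOp("SIP/124.217.254.90-09d3a5a8", "probe") in new stack
[May 2 10:15:01] VERBOSE[4321] logger.c:     -- Executing [9011442033935118@from-sip-external:1] NoOp("SIP/124.217.254.90-09d3a5a9", "probe") in new stack
[May 2 10:15:02] VERBOSE[4321] logger.c:     -- Executing [90442033935118@from-sip-external:1] NoOp("SIP/124.217.254.90-09d3a5aa", "probe") in new stack
[May 2 10:15:02] VERBOSE[4321] logger.c:     -- Executing [9442033935118@from-sip-external:1] NoOp("SIP/124.217.254.90-09d3a5ab", "probe") in new stack
[May 2 10:15:03] VERBOSE[4321] logger.c:     -- Executing [442033935118@from-sip-external:1] NoOp("SIP/124.217.254.90-09d3a5ac", "probe") in new stack
[May 2 10:15:03] VERBOSE[4321] logger.c:     -- Executing [00442033935118@from-sip-external:1] NoOp("SIP/124.217.254.90-09d3a5ad", "probe") in new stack
[May 2 10:15:04] VERBOSE[4321] logger.c:     -- Executing [012442033935118@from-sip-external:1] NoOp("SIP/124.217.254.90-09d3a5ae", "probe") in new stack
[May 2 10:15:04] VERBOSE[4321] logger.c:     -- Now forwarding SIP/124.217.254.90-09d3a5a8 to 'Local/*98@from-internal' (thanks to SIP/27-09e837a8)
[May 2 10:20:30] VERBOSE[4321] logger.c:     -- Executing [5551000@from-sip-external:1] NoOp("SIP/203.0.113.7-0a1b2c3d", "legit") in new stack
[May 2 10:41:12] VERBOSE[4321] logger.c:     -- Executing [5551001@from-sip-external:1] NoOp("SIP/203.0.113.7-0a1b2c3e", "legit") in new stack
"""

EXEC_RE = re.compile(
    r'^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\] VERBOSE\[\d+\] \S+\s+-- '
    r'Executing \[(?P<exten>[^@\]]+)@(?P<context>[^:\]]+):\d+\] \w+\("(?P<channel>[^"]+)"')
FWD_RE = re.compile(r"Now forwarding (?P<channel>SIP/\S+) to '(?P<dest>[^']+)'")
CHAN_IP_RE = re.compile(r'^SIP/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-')


def parse_ts(s):
    # The full log has no year; datetime defaults to 1900, which is fine for deltas.
    return datetime.strptime(s, "%b %d %H:%M:%S")


def common_suffix(strings):
    """Longest trailing digit string shared by all dialled numbers from one source."""
    return commonprefix([s[::-1] for s in strings])[::-1]


def max_burst(times, window):
    """Largest number of events falling inside any window-sized interval."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def analyse(log_text, context="from-sip-external", window=timedelta(minutes=2),
            min_calls=20, min_variants=4, min_suffix=10):
    """Return a list of findings, one dict per (source IP, kind). Thresholds are assumptions."""
    calls = defaultdict(list)    # ip -> [(timestamp, dialled exten)]
    forwards = defaultdict(set)  # ip -> {feature-code destinations reached by forwarding}
    for line in log_text.splitlines():
        m = EXEC_RE.match(line)
        if m:
            ip = CHAN_IP_RE.match(m["channel"])
            if ip and m["context"] == context:
                calls[ip["ip"]].append((parse_ts(m["ts"]), m["exten"]))
            continue
        m = FWD_RE.search(line)
        if m:
            ip = CHAN_IP_RE.match(m["channel"])
            if ip and m["dest"].startswith("Local/*"):
                forwards[ip["ip"]].add(m["dest"])

    findings = []
    for ip, events in calls.items():
        variants = sorted({exten for _, exten in events})
        suffix = common_suffix(variants)
        burst = max_burst([ts for ts, _ in events], window)
        # Many calls in a short window, all ending in the same digits but with different
        # outside-line / IDD prefixes, is a dialplan prefix probe, not legitimate traffic.
        if burst >= min_calls and len(variants) >= min_variants and len(suffix) >= min_suffix:
            findings.append({"ip": ip, "kind": "prefix_probe", "calls_in_window": burst,
                             "variants": len(variants), "target_suffix": suffix})
    for ip, dests in forwards.items():
        # An anonymous caller that lands in a feature code (e.g. *98 voicemail login) has
        # escaped the inbound context via a forward; that is the misconfiguration to fix.
        findings.append({"ip": ip, "kind": "feature_code_forward", "dests": sorted(dests)})
    return findings


if __name__ == "__main__":
    # Lower min_calls so the short constructed sample trips the probe rule.
    for finding in analyse(SAMPLE_LOG, min_calls=5):
        print(finding)
```

Run it against the real file with `analyse(open("/var/log/asterisk/full").read())`; the prefix-probe rule keys on the longest common suffix rather than a list of known prefixes, so it catches whatever prefix set the scanner tries, and the forward rule fires even when no call is ever completed.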
  5. jammerz

    Joined:
    Sep 7, 2009
    Messages:
    75
    Likes Received:
    0
    yikes.

    I think I'm going to play with IP Country, as mentioned by the Nerd Vittles / PBX in a Flash guys.

    http://nerdvittles.com/?p=639

    Just a piece of what they mention; if you have time, read through the entire article.


    Installing GeoLite Country. To get started, log into your server as root and issue the following commands:

    cd /
    wget http://bestof.nerdvittles.com/applicati ... ountry.tgz
    tar zxvf ipcountry.tgz
    rm ipcountry.tgz
    cd /root/ipcountry
    ./nv-ipcountry
    Ward and the others seem to be ahead of the curve on this stuff, and I would like to see if we can bring it over to the Elastix ISOs as well.

    More tests this week...so little time

    JF
     
