sipvicious

Discussion in 'General' started by jasong, Aug 20, 2009.

  1. jasong

    Joined:
    Aug 20, 2009
    Messages:
    34
    Likes Received:
    0
    Just a heads up: I installed Elastix yesterday, and within one hour of installation I had someone trying to access my Asterisk with SIPVicious. This box has never been used for a SIP registration, so I find it really strange that within an hour of installing Elastix someone knew to scan my IP. They were also able to register with one of my extensions. I use 8-digit extension passwords, and I know for a fact SIPVicious would not have been able to crack my password. Someone who knew my "default" DB passwords must have accessed MySQL to get the password to that extension.

    There are a couple of forums out there that explain how to protect yourself against SIP scans. Let me know if you need help. I also recommend changing all of your default Asterisk and MySQL passwords; it was a real pain to change all the passwords, but once completed you will be much safer.

    I wonder why Elastix doesn't give you an easy way of changing these passwords, like Trixbox does?
     
  2. leevancleef

    Joined:
    Dec 10, 2008
    Messages:
    47
    Likes Received:
    0
  3. jasong

    Joined:
    Aug 20, 2009
    Messages:
    34
    Likes Received:
    0
    I changed all my passwords and cloned my server to a new IP (I have a static IP); that seemed to eliminate the attempts to access Asterisk. I am getting some weird entries in my httpd access log from http://www.worldofvoracity.com/smf/. I'm not sure why I have traffic originating from that URL, but the site looks suspiciously similar to the one that tried accessing your system.

    Here is something you can do to block SIPVicious attacks. I tried it and it does work:

    Code:
    nano /etc/asterisk/sip_custom.conf
    
    add this line
    
    alwaysauthreject=yes
    
    
    Then amportal restart

    That will return the following when SIPVicious tries scanning your server:

    Code:
    ERROR:TakeASip:SIP server replied with an authentication request for an unknown extension. Set --force to force a scan.
    WARNING:root:found nothing
    Also, someone at Elastix should take the time to make sure their software is secure. It is almost as if someone has access to the download logs and knows which IP addresses downloaded the software.
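
The reason that one line works is worth seeing in the protocol itself. svwar.py (the SIPVicious extension scanner) sends a REGISTER for each candidate extension and reads the reply: by default chan_sip answers 404 Not Found for an extension it does not know and a 401 challenge for one it does, which is an enumeration oracle. With alwaysauthreject=yes every REGISTER is challenged, so the reply no longer distinguishes real extensions, and svwar's initial probe of a random extension trips its "authentication request for an unknown extension" check. The following is an added example, not code from the post or from Elastix/Asterisk/SIPVicious: a toy model of that exchange with both sides' messages. The peer table, the domain pbx.example, and the functions sip_server() and svwar_scan() are all hypothetical; real svwar.py sends the same REGISTER requests over UDP/5060 instead of calling a function.

```python
"""Added example (not from the forum post, nor Asterisk's or SIPVicious's code):
a toy model of the REGISTER exchange svwar.py uses to enumerate extensions,
and of why alwaysauthreject=yes defeats it.

Assumptions, all hypothetical: peers live in a dict, the "server" is
sip_server() and the scanner is svwar_scan(); real svwar.py sends these
REGISTER requests over UDP/5060.
"""
import re
import secrets

# Constructed peer table (extension -> secret). Not real credentials.
PEERS = {"1001": "pw-1001", "1002": "pw-1002", "2000": "pw-2000"}
DOMAIN = "pbx.example"  # hypothetical PBX hostname


def build_register(extension, domain=DOMAIN):
    """A minimal REGISTER request of the kind svwar.py sends per extension."""
    return (
        f"REGISTER sip:{domain} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-{secrets.token_hex(4)}\r\n"
        f"From: <sip:{extension}@{domain}>;tag={secrets.token_hex(4)}\r\n"
        f"To: <sip:{extension}@{domain}>\r\n"
        f"Call-ID: {secrets.token_hex(8)}@198.51.100.7\r\n"
        "CSeq: 1 REGISTER\r\n"
        "User-Agent: friendly-scanner\r\n"  # the User-Agent SIPVicious uses
        "Content-Length: 0\r\n\r\n"
    )


def sip_server(request, peers, alwaysauthreject):
    """Answer a REGISTER the way chan_sip does.

    Default (alwaysauthreject=no): a known peer is challenged with 401, an
    unknown one gets 404.  That difference is the oracle svwar.py relies on.
    With alwaysauthreject=yes every REGISTER is challenged, so the reply no
    longer reveals whether the extension exists.
    """
    m = re.search(r"^To:\s*<sip:([^@>]+)@", request, re.M)
    extension = m.group(1) if m else ""
    if extension in peers or alwaysauthreject:
        nonce = secrets.token_hex(8)
        return ("SIP/2.0 401 Unauthorized\r\n"
                f'WWW-Authenticate: Digest realm="asterisk", nonce="{nonce}"\r\n\r\n')
    return "SIP/2.0 404 Not Found\r\n\r\n"


def status_code(response):
    """Pull the numeric status out of a SIP status line."""
    return int(response.split(" ", 2)[1])


def svwar_scan(candidates, peers, alwaysauthreject):
    """Model of svwar.py's enumeration logic.

    svwar first registers a random extension that should not exist.  If even
    that draws a challenge, the server is not leaking anything and svwar stops
    (the "authentication request for an unknown extension ... found nothing"
    output quoted in the post); this returns None for that case.  Otherwise
    every candidate that draws a 401 is reported as a valid extension.
    """
    canary = "x" + secrets.token_hex(6)
    if status_code(sip_server(build_register(canary), peers, alwaysauthreject)) == 401:
        return None
    found = []
    for ext in candidates:
        resp = sip_server(build_register(ext), peers, alwaysauthreject)
        if status_code(resp) == 401:
            found.append(ext)
    return found


if __name__ == "__main__":
    cands = [str(n) for n in range(1000, 1005)] + ["2000", "2001"]
    print("default  :", svwar_scan(cands, PEERS, alwaysauthreject=False))
    print("hardened :", svwar_scan(cands, PEERS, alwaysauthreject=True))
```

svwar_scan() over that candidate list corresponds to running `svwar.py -e 1000-1004 <host>` against the box. One caveat for anyone relying on this: svwar.py can also probe with other request methods (its --method option), and alwaysauthreject only helps where Asterisk actually applies it, so after setting it, re-run the scanner with each method against your own server rather than assuming the REGISTER result covers everything.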
     
  4. jasong

    Joined:
    Aug 20, 2009
    Messages:
    34
    Likes Received:
    0
  5. leevancleef

    Joined:
    Dec 10, 2008
    Messages:
    47
    Likes Received:
    0
    Hi jasong

    Many thanks for your advice.
    Yes, both sites look quite similar. I don't think anyone can access the Elastix download logs; in fact, I downloaded it a year ago. I guess they could sniff VoIP providers' traffic and try their luck.
    Right now I'm using ipkall, voipbuster, telsome, eutelia, didww, and gizmo.
    I don't know what to think, whether these online gamers' websites are hacked or perhaps these people are attacking us directly. In any case, I don't think what they are doing is legal.

    Regards
     
