Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsOne New Zealand (including Vodafone, WxC, Farmside)[WXC/VFX] Locking down SIP traffic
View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 | 3 | 4 
gchiu

1211 posts

Uber Geek

Trusted
DR

  #1079330 3-Jul-2014 13:28
Send private message

For what it's worth, I ran sipscanner on my address, and it says nothing found.  Not sure why port 80 is open ... need to close it.

http://sipscanner.voicefraud.com/report/9L1CcegDGcA6



hio77
12999 posts

Uber Geek

ID Verified
Trusted
Lizard Networks

  #1079331 3-Jul-2014 13:29
Send private message

gchiu: For what it's worth, I ran sipscanner on my address, and it says nothing found.  Not sure why port 80 is open ... need to close it.

http://sipscanner.voicefraud.com/report/9L1CcegDGcA6


probably your router if you dont have it open on your asterisk box. 




#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 

 

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1079372 3-Jul-2014 13:58
Send private message

gchiu: Here's the first message from tcpdump:

10:38:59.926315 IP (tos 0x0, ttl 111, id 29952, offset 0, flags [none], proto UDP (17), length 795)
62.210.187.134.5070 > 192.168.1.180.5060: [udp sum ok] SIP, length: 767
INVITE sip:90060972595561294@58.28.152.22 SIP/2.0
To: 90060972595561294<sip:90060972595561294@58.28.152.22>
From: 10001<sip:10001@58.28.152.22>;tag=57da019d
Via: SIP/2.0/UDP 62.210.187.134:5070;branch=z9hG4bK-69ca466cab181a1529d61d41f5ac747f;rport
Call-ID: 69ca466cab181a1529d61d41f5ac747f
CSeq: 1 INVITE
Contact: <sip:10001@62.210.187.134:5070>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8
Content-Type: application/sdp
Content-Length: 284

v=0
o=sipcli-Session 1617787993 291094220 IN IP4 62.210.187.134
s=sipcli
c=IN IP4 62.210.187.134
t=0 0
m=audio 5072 RTP/AVP 18 0 8 101
a=fmtp:101 0-15
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=ptime:20
a=sendrecv




Classic capture of a bot trying to exploit your system.



gchiu

1211 posts

Uber Geek

Trusted
DR

  #1079396 3-Jul-2014 14:13
Send private message

The User-Agent: sipcli/v1.8 does suggest this! lol

It's pretending to be a remote extension 10001 on my system, but after that I have no idea of what it is trying to achieve.

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1079446 3-Jul-2014 15:05
Send private message

By the look of that single capture it's possible it's trying to route a call to Malaysia by dialing 90060 + number (just a guess since Mayalsia is +60 as it's IDD code)

Predigits are still the norm in many places so it's trying 9 as the predigit.

gchiu

1211 posts

Uber Geek

Trusted
DR

  #1079528 3-Jul-2014 17:11
Send private message

So dissecting this a bit more

INVITE sip:90060972595561294@58.28.152.22 SIP/2.0

This guy wants to talk to 90060972595561294@58.28.152.22 which is an extension on my network

To: 90060972595561294<sip:90060972595561294@58.28.152.22>

And the To: header says the same

From: 10001<sip:10001@58.28.152.22>;tag=57da019d

Purporting to be from extension 10001 on my network

Via: SIP/2.0/UDP 62.210.187.134:5070;branch=z9hG4bK-69ca466cab181a1529d61d41f5ac747f;rport

but calling from  62.210.187.134:5070

Call-ID: 69ca466cab181a1529d61d41f5ac747f
CSeq: 1 INVITE

...

Contact: <sip:10001@62.210.187.134:5070>

and wants me to contact him here if I need to!

So, he is asking my Asterisk server to call the extension 90060972595561294 which is actually an international dial string. And the 9 is hoping it will allow the call to access an outside line.

Interesting.

Pretty sure I setup rules to block overseas calls, but I'll have to review what I did when I setup the server 2 years ago :(

PS: I read the sipscanner on this joker, and it looks like it's a 2008 server running there

sip thief

gchiu

1211 posts

Uber Geek

Trusted
DR

  #1079735 4-Jul-2014 08:03
Send private message

Success.  Although I still had 10Mb of traffic overnight, Asterisk now reports no inbound calls. Which means I won't be playing that gsm file anymore.

It has changed again so now only 2Mb of uploads, and 8mb of downloads.  I guess 6mb of that iare attacks on my server, and 4mb is return traffic to the VOIP providers who keep connecting/registering/options etc.

Does that sound right?

1 | 2 | 3 | 4 
View this topic in a long page with up to 500 replies per page Create new topic





News and reviews »

Air New Zealand Starts AI adoption with OpenAI
Posted 24-Jul-2025 16:00

eero Pro 7 Review
Posted 23-Jul-2025 12:07

BeeStation Plus Review
Posted 21-Jul-2025 14:21

eero Unveils New Wi-Fi 7 Products in New Zealand
Posted 21-Jul-2025 00:01

WiZ Introduces HDMI Sync Box and other Light Devices
Posted 20-Jul-2025 17:32

RedShield Enhances DDoS and Bot Attack Protection
Posted 20-Jul-2025 17:26

Seagate Ships 30TB Drives
Posted 17-Jul-2025 11:24

Oclean AirPump A10 Water Flosser Review
Posted 13-Jul-2025 11:05

Samsung Galaxy Z Fold7: Raising the Bar for Smartphones
Posted 10-Jul-2025 02:01

Samsung Galaxy Z Flip7 Brings New Edge-To-Edge FlexWindow
Posted 10-Jul-2025 02:01

Epson Launches New AM-C550Z WorkForce Enterprise printer
Posted 9-Jul-2025 18:22

Samsung Releases Smart Monitor M9
Posted 9-Jul-2025 17:46

Nearly Half of Older Kiwis Still Write their Passwords on Paper
Posted 9-Jul-2025 08:42

D-Link 4G+ Cat6 Wi-Fi 6 DWR-933M Mobile Hotspot Review
Posted 1-Jul-2025 11:34

Oppo A5 Series Launches With New Levels of Durability
Posted 30-Jun-2025 10:15








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.







RSS feeds
Main feed
Forums feed
Copyright
©2002-2025 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Affiliate links
Samsung
AliExpress
Wise
Sharesies
GoodSync
Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright