Posted: Wed May 13, 2009 10:30 pm Post subject: [asterisk-biz] Bad routign or hack attempt ?
Hack attempt 100%. Ban it.
--- On Wed, 5/13/09, ContactTel Business <lists@contacttel.com> wrote:
Quote:
From: ContactTel Business <lists@contacttel.com>
Subject: [asterisk-biz] Bad routign or hack attempt ?
To: "'Commercial and Business-Oriented Asterisk Discussion'" <asterisk-biz@lists.digium.com>
Date: Wednesday, May 13, 2009, 7:05 PM
Posted: Wed May 13, 2009 10:47 pm Post subject: [asterisk-biz] Bad routign or hack attempt ?
Agreed. We've seen it too.
Pardon the typos, my Blackberry has small buttons.
Elliot Otchet
Calling Circles LLC
This message is intended only for the use of the individual (s) or entity to which it is addressed and may contain information that is privileged, confidential, and/or proprietary to Calling Circles LLC and its affiliates. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution, forwarding or copying of this communication is prohibited without the express permission of the sender. If you have received this communication in error, please notify the sender immediately and delete the original message.
_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--
Posted: Thu May 14, 2009 1:19 pm Post subject: [asterisk-biz] Bad routign or hack attempt ?
Here is the trace.. please DEVs... add a reporting option to the SIP stack that
will report on that IP, or something..
This guy has been hacking a lot of servers and is currently under FBI
investigation
You see he's using s=Asterisk PBX 1.6.0.5.
Posted: Thu May 14, 2009 1:26 pm Post subject: [asterisk-biz] Bad routign or hack attempt ?
ContactTel Business wrote:
Quote:
Here is the trace.. please DEVs... add a reporting option to sip stack that
will report on that ip , or something..
That's not really plausible.
--
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775
Posted: Thu May 14, 2009 2:38 pm Post subject: [asterisk-biz] Bad routign or hack attempt ?
He's also using this IP address
173.45.67.130
Posted: Thu May 14, 2009 3:48 pm Post subject: [asterisk-biz] Bad routign or hack attempt ?
On May 14, 2009, at 7:25 AM, Alex Balashov wrote:
Quote:
ContactTel Business wrote:
> Here is the trace.. please DEVs... add a reporting option to sip
> stack that
> will report on that ip , or something..
That's not really plausible.
Well, that's not entirely true.
There is an effort under way to create a separate logging channel for
security events, which each channel method could then populate with
incidents it feels are "bad" - this would obviously be
channel-dependent, but there are some common criteria for VoIP connection
issues that can be standardized. An external program would then have
to make sense of those events. At a minimum, a framework for
reporting illegitimate (and legitimate) authentication or
authorization attempts would allow forensics in a post-event situation
and/or permit external scripting to deflect some of the attack methods.
This was discussed to some degree on -dev, and extensively at the
Asterisk European Developers Meet-Up, though a summary proposal has
yet to be sent to -dev for discussion. If anyone is interested in
helping with the effort, I'd suggest keeping an eye on the -dev
mailing list for the write-up.
JT
----
John Todd email:jtodd@digium.com
Digium, Inc. | Asterisk Open Source Community Director
445 Jan Davis Drive NW - Huntsville AL 35806 - USA
direct: +1-256-428-6083 http://www.digium.com/
Posted: Thu May 14, 2009 4:47 pm Post subject: [asterisk-biz] Bad routign or hack attempt ?
It would be a good start to get an IP address for everything a SIP client
does that gets logged.
I have a customer who insists on keeping the guest option turned on, and
from time to time there are funny people who try to dial out phone numbers
(and of course get nowhere); however, the message doesn't log the IP
address so I cannot use it with something like fail2ban.
I would like to have it with the peer name, so I always have peer name +
IP address on all logged messages for SIP or IAX.
> From: ContactTel Business <lists@contacttel.com>
> Reply-To: Commercial and Business-Oriented Asterisk Discussion
> <asterisk-biz@lists.digium.com>
> Date: Thu, 14 May 2009 10:15:47 -0400
> To: 'Commercial and Business-Oriented Asterisk Discussion'
> <asterisk-biz@lists.digium.com>
> Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
> Here is the trace.. please DEVs... add a reporting option to the SIP stack that
> will report on that IP, or something..
> This guy has been hacking a lot of servers and is currently under FBI
> investigation
> You see he's using s=Asterisk PBX 1.6.0.5.
> U 2009/05/14 06:42:17.973715 93.190.143.10:5060 -> 174.x.x.x:5060
> INVITE sip:98103619990127@174.x.x.x SIP/2.0.
> Via: SIP/2.0/UDP 93.190.143.10:5060;branch=z9hG4bK3f5cffbb;rport.
> Max-Forwards: 70.
> From: "MeucciSolutions" <sip:MeucciSolutions@93.190.143.10>;tag=as123b6c7b.
> To: <sip:98103619990127@174.x.x.x>.
> Contact: <sip:MeucciSolutions@93.190.143.10>.
> Call-ID: 271aa7a750168cf60a36ad654a713caa@93.190.143.10.
> CSeq: 102 INVITE.
> User-Agent: MeucciSolutions.
> Date: Thu, 14 May 2009 10:42:25 GMT.
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY.
> Supported: replaces, timer.
> Content-Type: application/sdp.
> Content-Length: 287.
> .
> v=0.
> o=root 634218215 634218215 IN IP4 93.190.143.10.
> s=Asterisk PBX 1.6.0.5.
> c=IN IP4 93.190.143.10.
> t=0 0.
> m=audio 10990 RTP/AVP 8 0 101.
> a=rtpmap:8 PCMA/8000.
> a=rtpmap:0 PCMU/8000.
> a=rtpmap:101 telephone-event/8000.
> a=fmtp:101 0-16.
> a=silenceSupp:off - - - -.
> a=ptime:20.
> a=sendrecv.
Posted: Thu May 14, 2009 5:18 pm Post subject: [asterisk-biz] Bad routign or hack attempt ?
Yeah, it would be great to have it log a CDR-style DB for SIP calls with all the usual CDR information along with SIP-specific information like IP of the user, codec being used, login, etc., etc. for tracking these types of things and also for other reporting I can see doing if I had that data.
James Shigley
Monroe Telephone Answering Service
409-981-9213
Infinity 5.5,UC 4.02.3803, Blink 3.0.104
Ecreator:2.21, eResponse 1.1.7
Webportal,WebApps,
CONFIDENTIALITY NOTICE: This email, including any attachments, contains information which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this email in error, please notify the sender immediately by "reply to sender only" message and destroy all electronic and hard copies of the communication, including attachments.
"Common sense is the collection of prejudices acquired by age eighteen." -- Albert Einstein
"Once you can accept the universe as matter expanding into nothing that is something,wearing stripes with plaid comes easy." -- Albert Einstein
"Theory is when you know something, but it doesn't work. Practice is when
something works, but you don't know why. Programmers combine theory and
practice: Nothing works and they don't know why.-Anonymous Developer"
Posted: Thu May 14, 2009 5:40 pm Post subject: [asterisk-biz] Bad routign or hack attempt ?
On Thu, 14 May 2009, James A. Shigley wrote:
Quote:
Yeah, it would be great to have it log a CDR-style DB for SIP calls with all the usual CDR information along with SIP-specific information like IP of the user, codec being used, login, etc., etc. for tracking these types of things and also for other reporting I can see doing if I had that data.
So why not add this to your dialplan? You could then stuff the value into
the userfield of the cdr record.
Posted: Thu May 14, 2009 6:59 pm Post subject: [asterisk-biz] Bad routign or hack attempt ?
While I would agree with other comments that guest access can be a bad idea in general, you can certainly mitigate your risk by being proactive in your dialplan. Doing so helps you get at all of the information requested by others in this thread.
The premise of my comments below is based on the fact that you've already decided to let the public access Asterisk via SIP (or IAX, as the case may be).
Configure your guest context to gracefully handle "unknown" extensions in your dialplan (e.g. _X.) and you can do anything you want to with the information (e.g. log it to a database, block it with iptables, etc.). You could even use NoOp to send this back out with the full SIP URI (or channel name, CallerID, etc.) to your console.
Being that you're opening a door on the server to let the public come in, you also might want callers sent to an IVR (or operator) that helps them get to where you want them in your business. You could also place these callers into an AGI to check to see if the SIP URI has already made X other invalid attempts in the last Y hours/minutes/seconds. If it has, you could have the AGI add an entry to iptables that blocks that host from accessing Asterisk or your network entirely.
While yes, technically, this no longer truly rejects the call - this is a guest context set up specifically to allow calls from unregistered/unidentified callers. Seems to me you get the best of both worlds and can now manage the outcome.
I'd be happy to spend a few minutes discussing this off-line if anyone has questions.
-Elliot
P.S. We still do need a better story for unsuccessful registration attempts (e.g. password cracking), but that's a different topic for another day.
P.P.S. Here's the basic information obtained by a DumpChannel when one of our systems was being hacked in this manner:
Variables:
SIPCALLID=5561404f5e98813548578b336c604b5f@93.190.143.10
SIPUSERAGENT=MeucciSolutions
SIPDOMAIN=X.X.X.X (replaced to protect the innocent)
SIPURI=sip:MeucciSolutions@93.190.143.10
-----Original Message-----
From: asterisk-biz-bounces@lists.digium.com [mailto:asterisk-biz-bounces@lists.digium.com] On Behalf Of James A. Shigley
Sent: Thursday, May 14, 2009 2:24 PM
To: Commercial and Business-Oriented Asterisk Discussion
Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
Yeah it would be great to have it log a cdr style DB for sip calls with all the usual CDR information along with SIP specific information like IP of the user, codec being used, login, ect ,ect for tracking these type things and also for other reporting I can see doing if I had that data.
James Shigley
Monroe Telephone Answering Service
409-981-9213
Infinity 5.5,UC 4.02.3803, Blink 3.0.104
Ecreator:2.21, eResponse 1.1.7
Webportal,WebApps,
CONFIDENTIALITY NOTICE: This email, including any attachments, contains information which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this email in error, please notify the sender immediately by "reply to sender only" message and destroy all electronic and hard copies of the communication, including attachments.
"Common sense is the collection of prejudices acquired by age eighteen." -- Albert Einstein
"Once you can accept the universe as matter expanding into nothing that is something,wearing stripes with plaid comes easy." -- Albert Einstein
"Theory is when you know something, but it doesn't work. Practice is when
something works, but you don't know why. Programmers combine theory and
practice: Nothing works and they don't know why.-Anonymous Developer"
-----Original Message-----
From: asterisk-biz-bounces@lists.digium.com [mailto:asterisk-biz-bounces@lists.digium.com] On Behalf Of Stephane Bakhos
Sent: Thursday, May 14, 2009 12:46 PM
To: Commercial and Business-Oriented Asterisk Discussion
Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
It would be a good start to get an IP address for everything a SIP client
does that gets logged.
I have a customer who insists on keeping the guest option turned to on and
from time to time there are funny people who try to dial out phone numbers
(and of course get no where), however the message doesn't log the IP
address so I cannot use it with something like fail2ban.
I would like to have it with the peer name, so I always have peer name +
ip address on all logged messages for SIP or IAX
On Thu, 14 May 2009, Ken Rice wrote:
Quote:
Date: Thu, 14 May 2009 10:35:06 -0500
From: Ken Rice <krice@rmktek.com>
Reply-To: Commercial and Business-Oriented Asterisk Discussion
<asterisk-biz@lists.digium.com>
To: Commercial and Business-Oriented Asterisk Discussion
<asterisk-biz@lists.digium.com>
Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
He's also using this IP address
173.45.67.130
> From: ContactTel Business <lists@contacttel.com>
> Reply-To: Commercial and Business-Oriented Asterisk Discussion
> <asterisk-biz@lists.digium.com>
> Date: Thu, 14 May 2009 10:15:47 -0400
> To: 'Commercial and Business-Oriented Asterisk Discussion'
> <asterisk-biz@lists.digium.com>
> Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
>
> Here is the trace.. please DEVs... add a reporting option to sip stack that
> will report on that ip , or something..
> This guy has been hacking alot of servers and is currently under FBI
> investigation
> You see he's using s=Asterisk PBX 1.6.0.5.
>
>
>
>
> U 2009/05/14 06:42:17.973715 93.190.143.10:5060 -> 174.x.x.x:5060
> INVITE sip:98103619990127@174.x.x.xSIP/2.0.
> Via: SIP/2.0/UDP 93.190.143.10:5060;branch=z9hG4bK3f5cffbb;rport.
> Max-Forwards: 70.
> From: "MeucciSolutions" <sip:MeucciSolutions@93.190.143.10>;tag=as123b6c7b.
> To: <sip:98103619990127@174.x.x.x>.
> Contact: <sip:MeucciSolutions@93.190.143.10>.
> Call-ID: 271aa7a750168cf60a36ad654a713caa@93.190.143.10.
> CSeq: 102 INVITE.
> User-Agent: MeucciSolutions.
> Date: Thu, 14 May 2009 10:42:25 GMT.
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY.
> Supported: replaces, timer.
> Content-Type: application/sdp.
> Content-Length: 287.
> .
> v=0.
> o=root 634218215 634218215 IN IP4 93.190.143.10.
> s=Asterisk PBX 1.6.0.5.
> c=IN IP4 93.190.143.10.
> t=0 0.
> m=audio 10990 RTP/AVP 8 0 101.
> a=rtpmap:8 PCMA/8000.
> a=rtpmap:0 PCMU/8000.
> a=rtpmap:101 telephone-event/8000.
> a=fmtp:101 0-16.
> a=silenceSupp:off - - - -.
> a=ptime:20.
> a=sendrecv.
>
>
>>> -----Original Message-----
>>> From: asterisk-biz-bounces@lists.digium.com [mailto:asterisk-biz-
>>> bounces@lists.digium.com] On Behalf Of Elliot Otchet
>>> Sent: May-13-09 7:43 PM
>>> To: 'asterisk-biz@lists.digium.com'
>>> Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
>>>
>>> Agreed. We've seen it too.
>>>
>>> Pardon the typos, my Blackberry has small buttons.
>>> Elliot Otchet
>>> Calling Circles LLC
>>>
>>> ----- Original Message -----
>>> From: asterisk-biz-bounces@lists.digium.com <asterisk-biz-
>>> bounces@lists.digium.com>
>>> To: Commercial and Business-Oriented Asterisk Discussion <asterisk-
>>> biz@lists.digium.com>
>>> Sent: Wed May 13 19:27:03 2009
>>> Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
>>>
>>>
>>> Hack attempt 100%. Ban it.
>>>
>>> --- On Wed, 5/13/09, ContactTel Business <lists@contacttel.com> wrote:
>>>
>>>> From: ContactTel Business <lists@contacttel.com>
>>>> Subject: [asterisk-biz] Bad routign or hack attempt ?
>>>> To: "'Commercial and Business-Oriented Asterisk Discussion'"
>>> <asterisk-biz@lists.digium.com>
>>>> Date: Wednesday, May 13, 2009, 7:05 PM
>>>>
>>>> Seems someone at MeucciSolutions@93.190.143.10
>>>> could be trying to break in ..
>>>>
>>>> Has anyone heard of either of the 2
>>>> parts of the URI?
>>>>
>>>> Thanks
>>>>
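The INVITE in the trace above carries everything a defender wants to record, and it also shows the detail the poster points at: the User-Agent header has been set to "MeucciSolutions", but the SDP session name (s=) still reads "Asterisk PBX 1.6.0.5", which is what chan_sip puts there by default (the useragent and sdpsession options in sip.conf are set separately), so the calling software is identified despite the renamed user agent. The following Python script is an added example, not code from this thread or from Asterisk: it rebuilds the wire message from the ngrep "byline" dump (every trailing "." in the dump is the CR of a CRLF; the space before SIP/2.0 that was lost when the request line was pasted is restored, and 174.x.x.x is kept as the poster's own redaction), parses the request line, headers and SDP, checks the declared Content-Length against the body, and flags the User-Agent/SDP mismatch. The function and field names are mine.

```python
"""Extract attacker-identifying fields from a captured SIP INVITE.

Added example (not from the thread or from Asterisk). The message below is
the INVITE from the ngrep trace in this thread, re-typed in ngrep's byline
form: every line ends in '.' where ngrep printed the CR of a CRLF.
"""
import re

NGREP_BYLINE_TRACE = """\
INVITE sip:98103619990127@174.x.x.x SIP/2.0.
Via: SIP/2.0/UDP 93.190.143.10:5060;branch=z9hG4bK3f5cffbb;rport.
Max-Forwards: 70.
From: "MeucciSolutions" <sip:MeucciSolutions@93.190.143.10>;tag=as123b6c7b.
To: <sip:98103619990127@174.x.x.x>.
Contact: <sip:MeucciSolutions@93.190.143.10>.
Call-ID: 271aa7a750168cf60a36ad654a713caa@93.190.143.10.
CSeq: 102 INVITE.
User-Agent: MeucciSolutions.
Date: Thu, 14 May 2009 10:42:25 GMT.
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY.
Supported: replaces, timer.
Content-Type: application/sdp.
Content-Length: 287.
.
v=0.
o=root 634218215 634218215 IN IP4 93.190.143.10.
s=Asterisk PBX 1.6.0.5.
c=IN IP4 93.190.143.10.
t=0 0.
m=audio 10990 RTP/AVP 8 0 101.
a=rtpmap:8 PCMA/8000.
a=rtpmap:0 PCMU/8000.
a=rtpmap:101 telephone-event/8000.
a=fmtp:101 0-16.
a=silenceSupp:off - - - -.
a=ptime:20.
a=sendrecv.
"""

URI_RE = re.compile(r"sip:(?P<user>[^@>\s]+)@(?P<host>[^;>\s]+)")
VIA_RE = re.compile(r"SIP/2\.0/(?:UDP|TCP|TLS)\s+(?P<host>[^;:\s]+)")


def ngrep_byline_to_raw(dump: str) -> str:
    """Undo ngrep's byline rendering: drop the '.' that stood for CR and
    re-join with CRLF so the header/body split and Content-Length are exact."""
    lines = [ln[:-1] if ln.endswith(".") else ln for ln in dump.splitlines()]
    return "\r\n".join(lines) + "\r\n"


def parse_sip_message(raw: str) -> dict:
    """Split a SIP request into request line, header map and SDP fields.
    Header names are case-insensitive; the first occurrence of each wins."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, request_uri, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    sdp = {}
    for line in body.split("\r\n"):
        if len(line) > 2 and line[1] == "=":
            sdp.setdefault(line[0], []).append(line[2:])
    return {"method": method, "request_uri": request_uri, "version": version,
            "headers": headers, "sdp": sdp, "body": body}


def summarize_invite(raw: str) -> dict:
    """Return the fields worth logging or feeding to a blocklist, plus two
    consistency checks: does Content-Length match the body, and does the
    User-Agent header agree with the SDP session name (s=)?"""
    msg = parse_sip_message(raw)
    h, sdp = msg["headers"], msg["sdp"]
    via = VIA_RE.search(h.get("via", ""))
    frm = URI_RE.search(h.get("from", ""))
    req = URI_RE.search(msg["request_uri"])
    ua = h.get("user-agent")
    session = sdp.get("s", [None])[0]
    declared = int(h.get("content-length", "0"))
    actual = len(msg["body"].encode("ascii"))
    mismatch = bool(ua and session) and (
        ua.lower() not in session.lower() and session.lower() not in ua.lower())
    return {
        "method": msg["method"],
        "dialed_user": req.group("user") if req else None,
        "via_host": via.group("host") if via else None,
        "from_user": frm.group("user") if frm else None,
        "from_host": frm.group("host") if frm else None,
        "user_agent": ua,
        "call_id": h.get("call-id"),
        "sdp_session_name": session,
        "sdp_connection": sdp.get("c", [None])[0],
        "content_length": actual,
        "content_length_ok": declared == actual,
        "ua_sdp_mismatch": mismatch,
    }


if __name__ == "__main__":
    for key, val in summarize_invite(ngrep_byline_to_raw(NGREP_BYLINE_TRACE)).items():
        print(f"{key:20} {val}")
```

The Via and From hosts are whatever the sender chose to write; the address to act on is the packet source that ngrep printed on its own header line (93.190.143.10:5060 ->). In this capture all three agree, which is typical of a scanner sending directly rather than through a proxy. Compact header names (v:, f:, i:) are not handled here.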
Posted: Fri May 15, 2009 7:39 am Post subject: [asterisk-biz] Bad routign or hack attempt ?
Of course the guest access doesn't have free run of the extensions, and they
are limited.
However, running an AGI script just to handle them seems not to be very
efficient, since some of these bots/people tend to do a lot of connections
in a small burst, and running a bunch of AGIs just to handle them is going
to be really wasteful in terms of resource consumption.
With fail2ban, I could have it monitor the output of the logs from
Asterisk, possibly even on a gateway firewall, and then take appropriate
actions after x denies. However, that isn't possible if I don't have the
IP address of the ill-mannered "guest".
On Thu, 14 May 2009, Elliot Otchet wrote:
Quote:
Date: Thu, 14 May 2009 15:40:06 -0400
From: Elliot Otchet <elliot.otchet@callingcircles.com>
Reply-To: Commercial and Business-Oriented Asterisk Discussion
<asterisk-biz@lists.digium.com>
To: Commercial and Business-Oriented Asterisk Discussion
<asterisk-biz@lists.digium.com>
Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
While I would agree with other comments that guest access can be a bad
idea in general, you can certainly mitigate your risk by being proactive
in your dialplan. Doing so helps you get at all of the information
requested by others in this thread.
The premise of my comments below is based on the fact that you've
already decided to let the public access Asterisk via SIP (or IAX, as
the case may be).
Configure your guest context to gracefully handle "unknown" extensions
in your dialplan (e.g. _X.) and you can do anything you want to with the
information (e.g. log it to a database, block it with iptables, etc.).
You could even use NoOp to send this back out with the full SIP URI (or
channel name, CallerID, etc.) to your console.
Being that you're opening a door on the server to let the public come
in, you also might want callers sent to an IVR (or operator) that helps
them get to where you want them in your business. You could also place
these callers into an AGI to check to see if the SIP URI has already
made X other invalid attempts in the last Y hours/minutes/seconds. If
it has, you could have the AGI add an entry to iptables that blocks that
host from accessing Asterisk or your network entirely.
While yes, technically, this no longer truly rejects the call - this is
a guest context set up specifically to allow calls from
unregistered/unidentified callers. Seems to me you get the best of both
worlds and can now manage the outcome.
I'd be happy to spend a few minutes discussing this off-line if anyone
has questions.
-Elliot
P.S. We still do need a better story for unsuccessful registration
attempts (e.g. password cracking), but that's a different topic for
another day.
P.P.S. Here's the basic information obtained by a
DumpChannel when one of our systems was being hacked in this manner:
Variables:
SIPCALLID=5561404f5e98813548578b336c604b5f@93.190.143.10
SIPUSERAGENT=MeucciSolutions
SIPDOMAIN=X.X.X.X (replaced to protect the innocent)
SIPURI=sip:MeucciSolutions@93.190.143.10
-----Original Message-----
From: asterisk-biz-bounces@lists.digium.com [mailto:asterisk-biz-bounces@lists.digium.com] On Behalf Of James A. Shigley
Sent: Thursday, May 14, 2009 2:24 PM
To: Commercial and Business-Oriented Asterisk Discussion
Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
Yeah, it would be great to have it log a CDR-style DB for SIP calls with all the usual CDR information along with SIP-specific information like the IP of the user, codec being used, login, etc., etc., for tracking these types of things and also for other reporting I can see doing if I had that data.
James Shigley
Monroe Telephone Answering Service
409-981-9213
Infinity 5.5,UC 4.02.3803, Blink 3.0.104
Ecreator:2.21, eResponse 1.1.7
Webportal,WebApps,
CONFIDENTIALITY NOTICE: This email, including any attachments, contains information which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this email in error, please notify the sender immediately by "reply to sender only" message and destroy all electronic and hard copies of the communication, including attachments.
"Common sense is the collection of prejudices acquired by age eighteen." -- Albert Einstein
"Once you can accept the universe as matter expanding into nothing that is something,wearing stripes with plaid comes easy." -- Albert Einstein
"Theory is when you know something, but it doesn't work. Practice is when
something works, but you don't know why. Programmers combine theory and
practice: Nothing works and they don't know why.-Anonymous Developer"
-----Original Message-----
From: asterisk-biz-bounces@lists.digium.com [mailto:asterisk-biz-bounces@lists.digium.com] On Behalf Of Stephane Bakhos
Sent: Thursday, May 14, 2009 12:46 PM
To: Commercial and Business-Oriented Asterisk Discussion
Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
It would be a good start to get an IP address for everything a SIP client
does that gets logged.
I have a customer who insists on keeping the guest option turned on, and
from time to time there are funny people who try to dial out phone numbers
(and of course get nowhere); however, the message doesn't log the IP
address so I cannot use it with something like fail2ban.
I would like to have it with the peer name, so I always have peer name +
IP address on all logged messages for SIP or IAX.
On Thu, 14 May 2009, Ken Rice wrote:
> Date: Thu, 14 May 2009 10:35:06 -0500
> From: Ken Rice <krice@rmktek.com>
> Reply-To: Commercial and Business-Oriented Asterisk Discussion
> <asterisk-biz@lists.digium.com>
> To: Commercial and Business-Oriented Asterisk Discussion
> <asterisk-biz@lists.digium.com>
> Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
>
> He's also using this IP address
> 173.45.67.130
Posted: Fri May 15, 2009 2:19 pm Post subject: [asterisk-biz] Bad routign or hack attempt ?
Stephane,
I realize sometimes things can get lost in language translation and interpretation, so to be clear and make sure your customers are protected, I wanted you (and anyone else still having issues with this) to understand that what you are trying to accomplish can be done today, without AGI. AGI can help those who want to do more with the call, but it isn't necessary.
Functions and variables within the dialplan can get all of the information you need and deal with it (e.g. log it to a file for fail2ban to process). Below is an example of how you might obtain and log the issue (without going to an AGI):
Now you can take fail2ban, a simple failregex, and point it at your new log file. You do have the IP address of the offending peer; you probably just didn't realize how to get it logged in a format that you needed. No modification to Asterisk needed.
Regards,
Elliot Otchet
Calling Circles LLC
-----Original Message-----
From: asterisk-biz-bounces@lists.digium.com [mailto:asterisk-biz-bounces@lists.digium.com] On Behalf Of Stephane Bakhos
Sent: Friday, May 15, 2009 4:38 AM
To: Commercial and Business-Oriented Asterisk Discussion
Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
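Elliot's post above describes the approach (log the caller's address from the guest context, then let fail2ban count and act), but the example itself did not survive in this archive. The following Python script is an added example: it is not from the thread, not Elliot's, and not part of Asterisk or fail2ban. It takes a few constructed log lines of the kind a guest-context catch-all could write with Log(NOTICE, ...) (the dialplan in the docstring is assumed; it logs SIPCHANINFO(recvip), the address the packet actually arrived from, rather than the host part of ${SIPURI}, which the caller controls), applies a failregex written in fail2ban's own <HOST> notation, and replays fail2ban's maxretry/findtime decision to show which source addresses would be banned. The log prefix, the function names and the timestamps are constructed; the two public addresses are the ones reported in this thread.

```python
"""fail2ban-style windowed counting over guest-context log lines.

Added example, not from the thread. Assumed dialplan (not on the page):

    [guest]
    exten => _X.,1,Log(NOTICE,GUESTDENY from ${SIPCHANINFO(recvip)} uri=${SIPURI} ua=${SIPUSERAGENT} dialed=${EXTEN})
    exten => _X.,n,Hangup()

SIPCHANINFO(recvip) is the address the packet came from; the host part of
${SIPURI} is whatever the caller chose to put in the From header.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex in fail2ban's notation: fail2ban substitutes its own IP/hostname
# pattern for <HOST> and strips the leading timestamp before matching.
# The NOTICE\[\d+\] anchor keeps the regex from also matching the VERBOSE
# "Executing ... Log(...)" echo of the same call, which would double count.
FAILREGEX = r"NOTICE\[\d+\].* GUESTDENY from <HOST> uri=\S+ ua=.* dialed=\d+"

_FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
_TS_RE = re.compile(r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\]")

# Constructed log excerpt. The "[date] LEVEL[tid] file:" prefix mimics the
# Asterisk full log; the exact prefix varies by version and logger.conf, and
# only the NOTICE[...] marker matters to the regex.
SAMPLE_LOG = """\
[May 15 09:12:01] VERBOSE[2731] logger.c:     -- Executing [98103619990127@guest:1] Log("SIP/93.190.143.10-00000001", "NOTICE,GUESTDENY from 93.190.143.10 uri=sip:MeucciSolutions@93.190.143.10 ua=MeucciSolutions dialed=98103619990127") in new stack
[May 15 09:12:01] NOTICE[2731] Ext. 98103619990127:1 @ guest: GUESTDENY from 93.190.143.10 uri=sip:MeucciSolutions@93.190.143.10 ua=MeucciSolutions dialed=98103619990127
[May 15 09:12:02] NOTICE[2731] Ext. 98103619990128:1 @ guest: GUESTDENY from 93.190.143.10 uri=sip:MeucciSolutions@93.190.143.10 ua=MeucciSolutions dialed=98103619990128
[May 15 09:12:04] NOTICE[2731] Ext. 98103619990129:1 @ guest: GUESTDENY from 93.190.143.10 uri=sip:MeucciSolutions@93.190.143.10 ua=MeucciSolutions dialed=98103619990129
[May 15 09:15:30] NOTICE[2731] Ext. 999:1 @ guest: GUESTDENY from 10.0.0.5 uri=sip:1001@10.0.0.5 ua=TestPhone dialed=999
[May 15 09:20:00] NOTICE[2731] Ext. 98103619990127:1 @ guest: GUESTDENY from 173.45.67.130 uri=sip:MeucciSolutions@173.45.67.130 ua=MeucciSolutions dialed=98103619990127
[May 15 09:30:00] NOTICE[2731] Ext. 98103619990127:1 @ guest: GUESTDENY from 173.45.67.130 uri=sip:MeucciSolutions@173.45.67.130 ua=MeucciSolutions dialed=98103619990127
"""


def parse_events(log_text: str) -> list:
    """Return (timestamp, host) for every line the failregex matches.
    The syslog-style stamp has no year; strptime fills in 1900, which is
    fine for the time differences the window needs."""
    events = []
    for line in log_text.splitlines():
        m = _FAIL_RE.search(line)
        t = _TS_RE.match(line)
        if m and t:
            ts = datetime.strptime(t.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("host")))
    return events


def find_offenders(log_text: str, maxretry: int = 3, findtime: int = 60) -> dict:
    """Replay the log and apply fail2ban's rule: a host that produces
    maxretry matches inside any findtime-second window gets banned.
    Returns {host: timestamp of the hit that triggered the ban}."""
    recent = defaultdict(deque)
    banned = {}
    for ts, host in sorted(parse_events(log_text)):  # logs are chronological; sort defensively
        if host in banned:
            continue
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # hits older than findtime no longer count
        if len(window) >= maxretry:
            banned[host] = ts.strftime("%b %d %H:%M:%S")
    return banned


if __name__ == "__main__":
    for host, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban {host} (triggered at {when})")
```

With the defaults (three hits inside 60 seconds) only the burst from 93.190.143.10 trips the rule; the two calls from 173.45.67.130 ten minutes apart do not, and the single mistyped extension from the internal phone never does. In a real jail the same two numbers are maxretry and findtime, and the ban action (iptables, or a rule pushed to the gateway firewall Stephane mentions) replaces the returned dict. If logger.conf sends verbose output to the same file, keep the NOTICE anchor or log to a dedicated file so the Executing line is not counted twice.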