[App_rpt-users] Hacking Attempts: NOTICE[6719]: chan_sip.c:14418 handle_request_invite:

Luke Rohn rohn.luke at gmail.com
Tue Mar 24 08:52:33 UTC 2015


Hello,

I am getting a different type of hacking attempt. Different in the sense
that these hacking attempts do not have an IP address associated with them
that can be added to iptables and blocked with the linux firewall.

These appear to be coming from a SIP account that is trying to connect to
extensions on my system that do not exist.

They range from 1 or 2 attempts each hour, to several hundred requests per
hour. Below is a copy of the most recent attempts of this nature and then
further below are the attempts that I am familiar with that contain an IP
address that just gets added to IP tables and they go away.

Can someone help me understand the best way to handle these hacking
attempts and how to best secure my system from them?

Also, how are these hackers finding my system among all of the millions and
millions of IP addresses on the internet? Does Asterisk send out a beacon
to some central repository, if you will, that lists all the IPs of Asterisk
systems so that hackers have a list of machines they can try to exploit?


Here is a list of what the new hacking attempts look like:


[root at KK7XX ~]# asterisk -r
Asterisk , Copyright (C) 1999 - 2008 Digium, Inc. and others.
Created by Mark Spencer <markster at digium.com>
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details.
This is free software, with components licensed under the GNU General Public
License version 2 and other licenses; you are welcome to redistribute it under
certain conditions. Type 'core show license' for details.
=========================================================================
Connected to Asterisk  currently running on KK7XX (pid = 6712)
Verbosity is at least 3
KK7XX*CLI> rpt lstats 28806

NODE      PEER                RECONNECTS  DIRECTION  CONNECT TIME  CONNECT STATE
----      ----                ----------  ---------  ------------  -------------

[Mar 23 22:38:55] NOTICE[6719] chan_sip.c: Call from '' to extension '0012143299739' rejected because extension not found.
[Mar 23 22:39:15] WARNING[6719] chan_sip.c: Maximum retries exceeded on transmission 0a86e18b712596ba5ba160f771f680f5 for seqno 1 (Critical Response) -- See doc/sip-retransmit.txt.
[Mar 23 22:47:58] NOTICE[6719] chan_sip.c: Call from '' to extension '000972543480900' rejected because extension not found.
[Mar 23 23:20:57] NOTICE[6719] chan_sip.c: Call from '' to extension '00972598998181' rejected because extension not found.
[Mar 23 23:20:59] NOTICE[6719] chan_sip.c: Call from '' to extension '011972598998181' rejected because extension not found.
[Mar 23 23:21:00] NOTICE[6719] chan_sip.c: Call from '' to extension '1011972598998181' rejected because extension not found.
[Mar 23 23:21:02] NOTICE[6719] chan_sip.c: Call from '' to extension '0011972598998181' rejected because extension not found.
[Mar 23 23:21:03] NOTICE[6719] chan_sip.c: Call from '' to extension '9011972598998181' rejected because extension not found.
[Mar 23 23:21:05] NOTICE[6719] chan_sip.c: Call from '' to extension '+11972598998181' rejected because extension not found.
[Mar 23 23:42:19] NOTICE[6719] chan_sip.c: Call from '' to extension '0011442032902187' rejected because extension not found.
[Mar 23 23:42:39] WARNING[6719] chan_sip.c: Maximum retries exceeded on transmission 8893e02d7f1d65b9f9e93cb1ce75d147 for seqno 1 (Critical Response) -- See doc/sip-retransmit.txt.
[Mar 23 23:48:09] NOTICE[6719] chan_sip.c: Call from '' to extension '00972543480900' rejected because extension not found.
[Mar 24 01:19:41] NOTICE[6719] chan_sip.c: Call from '' to extension '00972598998181' rejected because extension not found.
KK7XX*CLI>



The above hacking attempts are different from the (what I would call)
normal hacking attempts like the following that have an IP address that
gets added to iptables and the Linux firewall blocks them:

[Mar 21 16:38:31] NOTICE[2855] chan_sip.c: Registration from '"9996"<sip:9996@10.0.0.28:5060>' failed for '62.210.251.151' - No matching peer found
[Mar 21 16:38:31] NOTICE[2855] chan_sip.c: Registration from '"9997"<sip:9997@10.0.0.28:5060>' failed for '62.210.251.151' - No matching peer found
[Mar 21 16:38:31] NOTICE[2855] chan_sip.c: Registration from '"9998"<sip:9998@10.0.0.28:5060>' failed for '62.210.251.151' - No matching peer found
[Mar 21 16:38:31] NOTICE[2855] chan_sip.c: Registration from '"9999"<sip:9999@10.0.0.28:5060>' failed for '62.210.251.151' - No matching peer found


Any help anyone has to offer would greatly be appreciated.

73,

Luke
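Added example (editor's note, not part of the original post or of Asterisk/app_rpt): a small log triage script for the two kinds of chan_sip notices quoted above. The empty caller `''` in the "Call from '' to extension ..." lines means the INVITE was not matched to any configured peer, i.e. it was accepted as an unauthenticated guest call (chan_sip's `allowguest` option, which defaults to yes, controls whether such calls are admitted at all); this old Asterisk build does not log the source address on that line, while newer chan_sip releases print it in parentheses after the caller, so the parser below accepts both forms. Registration failures already carry the source address. The sample log is constructed here (modelled on the post's lines; 203.0.113.7 and the parenthesised-address line are assumptions, not from the post), and the dial-string heuristic simply looks for long international-style numbers like the ones probed above.

```python
import re
from collections import Counter

# Constructed sample, modelled on the notices quoted in the post. Line 3 uses
# the newer chan_sip format that includes the source address (assumption).
SAMPLE_LOG = """\
[Mar 23 22:38:55] NOTICE[6719] chan_sip.c: Call from '' to extension '0012143299739' rejected because extension not found.
[Mar 23 23:20:57] NOTICE[6719] chan_sip.c: Call from '' to extension '00972598998181' rejected because extension not found.
[Mar 23 23:20:59] NOTICE[6719] chan_sip.c: Call from '' (203.0.113.7:5060) to extension '011972598998181' rejected because extension not found in context 'default'.
[Mar 21 16:38:31] NOTICE[2855] chan_sip.c: Registration from '"9996"<sip:9996@10.0.0.28:5060>' failed for '62.210.251.151' - No matching peer found
[Mar 21 16:38:31] NOTICE[2855] chan_sip.c: Registration from '"9997"<sip:9997@10.0.0.28:5060>' failed for '62.210.251.151' - No matching peer found
[Mar 21 16:38:31] WARNING[2855] chan_sip.c: Maximum retries exceeded on transmission deadbeef for seqno 1 (Critical Response) -- See doc/sip-retransmit.txt.
"""

# Unauthenticated INVITE to a non-existent extension; the "(ip:port)" group is
# optional because old chan_sip (as in the post) omits it.
INVITE_RE = re.compile(
    r"chan_sip\.c: Call from '(?P<caller>[^']*)'"
    r"(?: \((?P<src>[^)]+)\))?"
    r" to extension '(?P<ext>[^']+)' rejected because extension not found"
)
# REGISTER from an unknown peer; always carries the source address.
REGISTER_RE = re.compile(
    r"chan_sip\.c: Registration from '(?P<from>[^']*)' failed for '(?P<src>[^']+)'"
)


def _strip_port(src):
    """'1.2.3.4' or '1.2.3.4:5060' -> '1.2.3.4'; '[2001:db8::1]:5060' -> '2001:db8::1'."""
    if src.startswith("["):
        return src[1:src.index("]")]
    host, sep, port = src.rpartition(":")
    return host if sep and port.isdigit() and ":" not in host else src


def parse_line(line):
    """Return {'kind', 'ip', 'target'} for a recognised notice, else None."""
    m = INVITE_RE.search(line)
    if m:
        src = m.group("src")
        return {"kind": "invite",
                "ip": _strip_port(src) if src else None,
                "target": m.group("ext")}
    m = REGISTER_RE.search(line)
    if m:
        user = re.search(r"sip:([^@>]+)@", m.group("from"))
        return {"kind": "register",
                "ip": _strip_port(m.group("src")),
                "target": user.group(1) if user else m.group("from")}
    return None


def looks_like_toll_fraud(ext):
    """Heuristic: 11+ digit international dial strings (00, 011, 9011, 1011, +...)."""
    digits = ext.lstrip("+")
    return (digits.isdigit() and len(digits) >= 11
            and (ext.startswith("+") or digits.startswith(("00", "011", "1011", "9011"))))


def summarize(log_text):
    """Split events into those with a source IP (blockable) and those without."""
    blockable, unattributed, fraud = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["ip"]:
            blockable[ev["ip"]] += 1
        else:
            unattributed[ev["target"]] += 1
        if ev["kind"] == "invite" and looks_like_toll_fraud(ev["target"]):
            fraud[ev["target"]] += 1
    return {"blockable": blockable, "unattributed": unattributed, "fraud": fraud}


def iptables_rules(summary, threshold=2):
    """One DROP rule per source address seen at least `threshold` times."""
    return [f"iptables -I INPUT -s {ip} -j DROP"
            for ip, n in sorted(summary["blockable"].items()) if n >= threshold]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("blockable:", dict(s["blockable"]))
    print("no source address logged (guest INVITEs):", dict(s["unattributed"]))
    print("international dial strings probed:", dict(s["fraud"]))
    for rule in iptables_rules(s):
        print(rule)
```

Run it against `/var/log/asterisk/messages` instead of `SAMPLE_LOG` to get the same split on a live box; the "unattributed" bucket is exactly the class the post asks about, where the firewall cannot help because nothing in the line identifies the sender.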