[App_rpt-users] Hacking Attempts: NOTICE[6719]: chan_sip.c:14418 handle_request_invite:

Bill South wbs099 at yahoo.com
Tue Mar 24 11:30:49 UTC 2015


These are two different hacks going on.  The ones at the bottom, with the IP addresses, are attempts to register a SIP phone to your system, they fail because the extensions they are attempting to register do not exist on your system.  The logic is that if they can get a phone registered to an extension then they can (hopefully) make free phone calls.  The ones you show at the top of your listing are hackers trying to do the same thing, make free calls, but they are not trying to register a SIP phone but rather going right to trying to make free calls.  All those attempts are attempts to dial a foreign country, code 97 (which doesn't exist) but there are several country codes that contain 97, so they may be trying, unsuccessfully, to reach one of them.

How they find your system is quite easy; they likely run a port scanning program for standard SIP or IAX ports.  Yes, there are millions of IP addresses out there, but a port scanning program can likely scan them all in a relatively short time; weeks or with a fast enough scanning program, maybe days.  If you are on one of the larger ISPs they probably target those IP ranges first.

The simple fix, at least for the SIP registration attempts, is to block port 5060 at your firewall, but of course this also blocks any valid SIP connections you might have to your system.  You could change your SIP port to something other than 5060 but likely they would find it soon enough.  Difficult getting around the hackers to be sure.
--------------------------------------------
On Tue, 3/24/15, Luke Rohn <rohn.luke at gmail.com> wrote:

 Subject: [App_rpt-users] Hacking Attempts: NOTICE[6719]: chan_sip.c:14418	handle_request_invite:
 To: 
 Cc: app_rpt-users at ohnosec.org
 Date: Tuesday, March 24, 2015, 4:52 AM
 
 Hello, I am getting a different type of hacking attempt. Different in the sense that these hacking attempts do not have an IP address associated with them that can be added to iptables and blocked with the Linux firewall. These appear to be coming from a SIP account that is trying to connect to extensions on my system that do not exist. They range from 1 or 2 attempts each hour, to several hundred requests per hour. Below is a copy of the most recent attempts of this nature and then further below are the attempts that I am familiar with that contain an IP address that just gets added to iptables and they go away. Can someone help me understand the best way to handle these hacking attempts and how to best secure my system from them?
 
 Also, how are these hackers finding my system from all of the millions and millions of IP addresses on the internet? Does Asterisk send out a beacon to some central repository, if you will, that lists all the IPs of Asterisk systems so that hackers have a list of machines they can try to exploit?
 
 Here is a list of what the new hacking attempts look like:
 
 [root at KK7XX ~]# asterisk -r
 Asterisk , Copyright (C) 1999 - 2008 Digium, Inc. and others.
 Created by Mark Spencer <markster at digium.com>
 Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details.
 This is free software, with components licensed under the GNU General Public
 License version 2 and other licenses; you are welcome to redistribute it under
 certain conditions. Type 'core show license' for details.
 =========================================================================
 Connected to Asterisk  currently running on KK7XX (pid = 6712)
 Verbosity is at least 3
 KK7XX*CLI> rpt lstats 28806
 NODE      PEER               RECONNECTS  DIRECTION  CONNECT TIME       CONNECT STATE
 ----      ----               ----------  ---------  ------------       -------------
 [Mar 23 22:38:55] NOTICE[6719] chan_sip.c: Call from '' to extension '0012143299739' rejected because extension not found.
 [Mar 23 22:39:15] WARNING[6719] chan_sip.c: Maximum retries exceeded on transmission 0a86e18b712596ba5ba160f771f680f5 for seqno 1 (Critical Response) -- See doc/sip-retransmit.txt.
 [Mar 23 22:47:58] NOTICE[6719] chan_sip.c: Call from '' to extension '000972543480900' rejected because extension not found.
 [Mar 23 23:20:57] NOTICE[6719] chan_sip.c: Call from '' to extension '00972598998181' rejected because extension not found.
 [Mar 23 23:20:59] NOTICE[6719] chan_sip.c: Call from '' to extension '011972598998181' rejected because extension not found.
 [Mar 23 23:21:00] NOTICE[6719] chan_sip.c: Call from '' to extension '1011972598998181' rejected because extension not found.
 [Mar 23 23:21:02] NOTICE[6719] chan_sip.c: Call from '' to extension '0011972598998181' rejected because extension not found.
 [Mar 23 23:21:03] NOTICE[6719] chan_sip.c: Call from '' to extension '9011972598998181' rejected because extension not found.
 [Mar 23 23:21:05] NOTICE[6719] chan_sip.c: Call from '' to extension '+11972598998181' rejected because extension not found.
 [Mar 23 23:42:19] NOTICE[6719] chan_sip.c: Call from '' to extension '0011442032902187' rejected because extension not found.
 [Mar 23 23:42:39] WARNING[6719] chan_sip.c: Maximum retries exceeded on transmission 8893e02d7f1d65b9f9e93cb1ce75d147 for seqno 1 (Critical Response) -- See doc/sip-retransmit.txt.
 [Mar 23 23:48:09] NOTICE[6719] chan_sip.c: Call from '' to extension '00972543480900' rejected because extension not found.
 [Mar 24 01:19:41] NOTICE[6719] chan_sip.c: Call from '' to extension '00972598998181' rejected because extension not found.
 KK7XX*CLI>
 
 
 The above hacking attempts are different from the (what I would call) normal hacking attempts like the following that have an IP address that gets added to iptables and the Linux firewall blocks them:
 
 [Mar 21 16:38:31] NOTICE[2855] chan_sip.c: Registration from '"9996"<sip:9996 at 10.0.0.28:5060>' failed for '62.210.251.151' - No matching peer found
 [Mar 21 16:38:31] NOTICE[2855] chan_sip.c: Registration from '"9997"<sip:9997 at 10.0.0.28:5060>' failed for '62.210.251.151' - No matching peer found
 [Mar 21 16:38:31] NOTICE[2855] chan_sip.c: Registration from '"9998"<sip:9998 at 10.0.0.28:5060>' failed for '62.210.251.151' - No matching peer found
 [Mar 21 16:38:31] NOTICE[2855] chan_sip.c: Registration from '"9999"<sip:9999 at 10.0.0.28:5060>' failed for '62.210.251.151' - No matching peer found
 
 Any help anyone
 has to offer would greatly be appreciated.
 73, 
 Luke
 _______________________________________________
 App_rpt-users mailing list
 App_rpt-users at ohnosec.org
 http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
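The two kinds of probe Bill describes (anonymous INVITEs aimed at foreign numbers, and REGISTER attempts from an identifiable source IP) can be told apart mechanically from the chan_sip NOTICE lines Luke quotes. The script below is an added example; it is not code from this thread, from Asterisk or from app_rpt. It parses NOTICE lines in the CLI format shown above, ignores the retransmit WARNINGs, counts attempts per hour, collects the source IPs that the firewall could drop, and renders the corresponding iptables DROP rules as strings without executing anything. The sample log is constructed from the lines in the post; the optional "(addr:port)" and "in context '...'" parts of the INVITE pattern are an assumption about the format newer Asterisk versions write.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the lines quoted in the post. The CLI wraps
# them in the mail; here each event is one line, as Asterisk writes it.
SAMPLE_LOG = """\
[Mar 23 22:38:55] NOTICE[6719] chan_sip.c: Call from '' to extension '0012143299739' rejected because extension not found.
[Mar 23 22:39:15] WARNING[6719] chan_sip.c: Maximum retries exceeded on transmission 0a86e18b712596ba5ba160f771f680f5 for seqno 1 (Critical Response) -- See doc/sip-retransmit.txt.
[Mar 23 23:20:57] NOTICE[6719] chan_sip.c: Call from '' to extension '00972598998181' rejected because extension not found.
[Mar 23 23:20:59] NOTICE[6719] chan_sip.c: Call from '' to extension '011972598998181' rejected because extension not found.
[Mar 23 23:21:00] NOTICE[6719] chan_sip.c: Call from '' to extension '1011972598998181' rejected because extension not found.
[Mar 21 16:38:31] NOTICE[2855] chan_sip.c: Registration from '"9996"<sip:9996@10.0.0.28:5060>' failed for '62.210.251.151' - No matching peer found
[Mar 21 16:38:31] NOTICE[2855] chan_sip.c: Registration from '"9997"<sip:9997@10.0.0.28:5060>' failed for '62.210.251.151' - No matching peer found
[Mar 21 16:38:31] NOTICE[2855] chan_sip.c: Registration from '"9998"<sip:9998@10.0.0.28:5060>' failed for '62.210.251.151:5060' - No matching peer found
"""

TS = r"\[(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\]"
# "chan_sip.c:" in the CLI, "chan_sip.c:14418 handle_request_invite:" in the logfile.
SRC = r" NOTICE\[\d+\] chan_sip\.c:(?:\d+ \w+:)? "

# Anonymous call attempt. The "(addr:port)" and "in context" parts are optional
# because (assumption) newer Asterisk versions add them; the post's lines lack both.
INVITE_RE = re.compile(
    TS + SRC + r"Call from '(?P<caller>[^']*)'(?: \((?P<addr>[\d.]+):\d+\))?"
    r" to extension '(?P<ext>[^']+)' rejected because extension not found"
    r"(?: in context '[^']*')?\.")
# Registration attempt; the source address may or may not carry a port.
REG_RE = re.compile(
    TS + SRC + r"Registration from '(?P<from>[^']*)'"
    r" failed for '(?P<addr>[\d.]+)(?::\d+)?' - No matching peer found")


@dataclass
class Probe:
    ts: str                 # "Mar 23 23:20:57"
    kind: str               # "invite" or "register"
    target: str             # number dialled, or extension being registered
    source: Optional[str]   # source IP when the line carries one, else None


def parse_log(text: str) -> List[Probe]:
    """Turn chan_sip NOTICE lines into Probe records; other lines are skipped."""
    probes = []
    for line in text.splitlines():
        m = INVITE_RE.match(line)
        if m:
            probes.append(Probe(m["ts"], "invite", m["ext"], m["addr"]))
            continue
        m = REG_RE.match(line)
        if m:
            user = re.search(r"sip:([^@>]+)@", m["from"])
            target = user.group(1) if user else m["from"]
            probes.append(Probe(m["ts"], "register", target, m["addr"]))
    return probes


def hour_key(ts: str) -> str:
    """'Mar 23 23:20:57' -> 'Mar 23 23' (drop minutes and seconds)."""
    return ts.rsplit(":", 2)[0]


def summarize(probes: List[Probe], threshold: int = 100) -> dict:
    """Per-hour counts by kind, hours at or above the threshold, and IPs to block."""
    per_hour = Counter((p.kind, hour_key(p.ts)) for p in probes)
    noisy = sorted(key for key, n in per_hour.items() if n >= threshold)
    ips = sorted({p.source for p in probes if p.source})
    dialled = Counter(p.target for p in probes if p.kind == "invite")
    return {"per_hour": dict(per_hour), "noisy_hours": noisy,
            "block_candidates": ips, "dialled": dialled}


def iptables_drop_rules(ips: List[str]) -> List[str]:
    """Render the per-IP firewall rule the post describes adding; returned, not run."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP" for ip in ips]


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG), threshold=3)
    for key, n in sorted(report["per_hour"].items()):
        print(f"{key[1]}  {key[0]:8s} {n}")
    for rule in iptables_drop_rules(report["block_candidates"]):
        print(rule)
```

Run against a real log the counts show whether an hour crossed a chosen threshold, and the INVITE records come back with source None exactly when the line carries no address, which is the situation Luke describes: in that format there is nothing to hand to iptables, so the per-IP rule only helps with the registration probes. Dropping all of UDP 5060 instead, as Bill notes, also drops any legitimate SIP peer.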