<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Before you start accusing people of "hacking from China", remember that most of these SIP<br>'probing' attacks (where they go through a 'list' of extensions to see if they 'get a call through')<br>are 'done' from systems that, themselves, were compromised. <br><br>Certainly, a good number of them seem to come from a Chinese-type location, but I have seen <br>others "infected" with this problem in a number of places other then China, including, in one case,<br>here in the US, and it was "attacking" a system on the same ISP (gee, that was "easy" to <br>"find and fix").<br><br>Another one I had to "deal with" (also here in the US) ironically was itself a SIP server/gateway<br>(*not* on port 5060), that got "compromised" to run "attack scripts" to other servers on port 5060.<br>As you can see, irony can be very ironic sometimes :-).<br><br>Perhaps China is a good place for these "hackers" to find systems that are run by people<br>that are unaware of "what's happening" with them.<br><br>In any case, since these "scripts" seem to only be "interested" in SIP servers running on port 5060,<br>changing the port seems to be a REALLY good way to "not have the problem anymore".<br><br>Jim<br><br><div>> Date: Fri, 12 Jul 2013 13:07:06 -0400<br>> From: DwaineGarden@rogers.com<br>> To: bill.hurlock@cpcomms.com<br>> CC: app_rpt-users@ohnosec.org<br>> Subject: Re: [App_rpt-users] App_rpt-users Digest, Vol 52, Issue 31<br>> <br>> I'm going to try that... The hackers from China keep pounding the server non stop. <br>> <br>> Bill Hurlock <bill.hurlock@cpcomms.com> wrote:<br>> <br>> >I had the same problem and the solution I used, because I use SIP, was to change the default SIP port to a non standard port which stopped all the bogus junk from happening.<br>> ><br>> >Bill Hurlock<br>> ><br>> >-----Original Message-----<br>> >From: app_rpt-users-bounces@ohnosec.org [mailto:app_rpt-users-bounces@ohnosec.org] On Behalf Of app_rpt-users-request@ohnosec.org<br>> >Sent: Sunday, June 23, 2013 6:43 PM<br>> >To: app_rpt-users@ohnosec.org<br>> >Subject: App_rpt-users Digest, Vol 52, Issue 31<br>> ><br>> >Send App_rpt-users mailing list submissions to<br>> > app_rpt-users@ohnosec.org<br>> ><br>> >To subscribe or unsubscribe via the World Wide Web, visit<br>> > http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users<br>> >or, via email, send a message with subject or body 'help' to<br>> > app_rpt-users-request@ohnosec.org<br>> ><br>> >You can reach the person managing the list at<br>> > app_rpt-users-owner@ohnosec.org<br>> ><br>> >When replying, please edit your Subject line so it is more specific than "Re: Contents of App_rpt-users digest..."<br>> >_______________________________________________<br>> >App_rpt-users mailing list<br>> >App_rpt-users@ohnosec.org<br>> >http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users<br>> _______________________________________________<br>> App_rpt-users mailing list<br>> App_rpt-users@ohnosec.org<br>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users<br></div> </div></body>
</html>