Re: [asterisk-users] PBX hacked: why hundred of calls to the same number ?
the attacking server changed the destination Number at 18:53 CEST and he is still blocked ... LOL 972597438354 callto:00972597438354 Oct 3 18:53:17 server /sbin/kamailio[3977]: NOTICE: script: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=null rU=00972597438354 callto:00972597438354 Oct 3 19:06:37 server /sbin/kamailio[3978]: NOTICE: script: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=null rU=000972597438354 Oct 3 19:19:45 server /sbin/kamailio[3977]: NOTICE: script: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=null rU=972597438354 Oct 3 19:32:59 server /sbin/kamailio[3978]: NOTICE: script: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=null rU=*000972597438354 Oct 3 19:46:20 server /sbin/kamailio[3977]: NOTICE: script: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=null rU=100972597438354 Am 03.10.2014 um 14:52 schrieb Rainer Piper: Am 02.10.2014 um 15:40 schrieb Tzafrir Cohen: On Thu, Oct 02, 2014 at 07:52:34AM +0200, Rainer Piper wrote: Is the destination Number like Country Code +972? +972 59 xx(x) mobile - Jawall [moving to 7-digit subscriber numbers] source -http://www.wtng.info/wtng-972-il.html That page is slightly dated. +972 59 XXX are all the numbers in the Palestinian Authority (there are several providers besides Jawall). My SIP Proxy logs all the unauth. INVITEs and I found the a lot calls go to the Country code +972 xxx As a resident of +972 (+972-4), I'll just note that those hack attempts are typically related to PA numbers (+972-59) as rates there are higher. Hi Tzafrir, ok, the page www.wtng.info is not really up to date. here some logs to see the variations of the attempt to dial over my proxy Oct 3 11:23:06 server /sbin/kamailio[7217]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=00972592910519 callto:00972592910519 Oct 3 11:42:52 server /sbin/kamailio[7218]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=972592910519 Oct 3 11:53:15 server /sbin/kamailio[7217]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=700972592910519 Oct 3 12:06:32 server /sbin/kamailio[7218]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=200972592910519 Oct 3 12:20:04 server /sbin/kamailio[7217]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=#00972592910519 callto:00972592910519 Oct 3 12:32:53 server /sbin/kamailio[7218]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=*000972592910519 Oct 3 12:45:35 server /sbin/kamailio[7217]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=*972592910519 Oct 3 12:57:42 server /sbin/kamailio[7217]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=900972592910519 Oct 3 13:09:37 server /sbin/kamailio[7218]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=7700972592910519 Oct 3 13:21:24 server /sbin/kamailio[7217]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=66600972592910519 Oct 3 13:33:11 server /sbin/kamailio[7218]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=00972592910519 and the source IP 69.30.254.234 is coming from OrgName:WholeSale Internet, Inc. OrgId: WHOLE-125 Address:324 E. 11th St. Address:Suite 1000 City: Kansas City StateProv: MO PostalCode: 64106 Country:US very strange ;-) -- *Rainer Piper* Integration engineer Koeslinstr. 56 53123 BONN GERMANY Phone: +49 228 97167161 callto:004922897167161 P2P: sip:rai...@sip.soho-piper.de:5072 (pjsip-test) XMPP: rai...@xmpp.soho-piper.de -- *Rainer Piper* Integration engineer Koeslinstr. 56 53123 BONN GERMANY Phone: +49 228 97167161 P2P: sip:rai...@sip.soho-piper.de:5072 (pjsip-test) XMPP: rai...@xmpp.soho-piper.de -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] PBX hacked: why hundred of calls to the same number ?
We set up our servers to allowguest=yes and autocreatepeer=yes and use a global context setting to point any of those calls to an IVR jail.Attempts stop reasonably quickly. An empty room with an unlocked door is far less interesting than a room with the door locked. From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Rainer Piper Sent: Friday, October 03, 2014 1:53 PM To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: Re: [asterisk-users] PBX hacked: why hundred of calls to the same number ? the attacking server changed the destination Number at 18:53 CEST and he is still blocked ... LOL 972597438354callto:00972597438354 Oct 3 18:53:17 server /sbin/kamailio[3977]: NOTICE: script: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=null rU=00972597438354callto:00972597438354 Oct 3 19:06:37 server /sbin/kamailio[3978]: NOTICE: script: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=null rU=000972597438354 Oct 3 19:19:45 server /sbin/kamailio[3977]: NOTICE: script: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=null rU=972597438354 Oct 3 19:32:59 server /sbin/kamailio[3978]: NOTICE: script: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=null rU=*000972597438354 Oct 3 19:46:20 server /sbin/kamailio[3977]: NOTICE: script: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=null rU=100972597438354 Am 03.10.2014 um 14:52 schrieb Rainer Piper: Am 02.10.2014 um 15:40 schrieb Tzafrir Cohen: On Thu, Oct 02, 2014 at 07:52:34AM +0200, Rainer Piper wrote: Is the destination Number like Country Code +972? +972 59 xx(x) mobile - Jawall [moving to 7-digit subscriber numbers] source - http://www.wtng.info/wtng-972-il.html That page is slightly dated. +972 59 XXX are all the numbers in the Palestinian Authority (there are several providers besides Jawall). My SIP Proxy logs all the unauth. INVITEs and I found the a lot calls go to the Country code +972 xxx As a resident of +972 (+972-4), I'll just note that those hack attempts are typically related to PA numbers (+972-59) as rates there are higher. Hi Tzafrir, ok, the page www.wtng.infohttp://www.wtng.info is not really up to date. here some logs to see the variations of the attempt to dial over my proxy Oct 3 11:23:06 server /sbin/kamailio[7217]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=00972592910519callto:00972592910519 Oct 3 11:42:52 server /sbin/kamailio[7218]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=972592910519 Oct 3 11:53:15 server /sbin/kamailio[7217]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=700972592910519 Oct 3 12:06:32 server /sbin/kamailio[7218]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=200972592910519 Oct 3 12:20:04 server /sbin/kamailio[7217]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=#00972592910519callto:00972592910519 Oct 3 12:32:53 server /sbin/kamailio[7218]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=*000972592910519 Oct 3 12:45:35 server /sbin/kamailio[7217]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=*972592910519 Oct 3 12:57:42 server /sbin/kamailio[7217]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=900972592910519 Oct 3 13:09:37 server /sbin/kamailio[7218]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=7700972592910519 Oct 3 13:21:24 server /sbin/kamailio[7217]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=66600972592910519 Oct 3 13:33:11 server /sbin/kamailio[7218]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=00972592910519 and the source IP 69.30.254.234 is coming from OrgName:WholeSale Internet, Inc. OrgId: WHOLE-125 Address:324 E. 11th St. Address:Suite 1000 City: Kansas City StateProv: MO PostalCode: 64106 Country:US very strange ;-) -- Rainer Piper Integration engineer Koeslinstr. 56 53123 BONN GERMANY Phone: +49 228 97167161callto:004922897167161 P2P: sip:rai...@sip.soho-piper.de:5072 (pjsip-test) XMPP: rai...@xmpp.soho-piper.demailto:rai...@xmpp.soho-piper.de -- Rainer Piper Integration engineer Koeslinstr. 56 53123 BONN GERMANY Phone: +49 228 97167161 P2P: sip:rai...@sip.soho-piper.de:5072 (pjsip-test) XMPP: rai...@xmpp.soho-piper.demailto:rai...@xmpp.soho-piper.de -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http
Re: [asterisk-users] PBX hacked: why hundred of calls to the same number ?
On 3/10/14 6:52 pm, Rainer Piper wrote: the attacking server changed the destination Number at 18:53 CEST and he is still blocked ... LOL 972597438354 callto:00972597438354 It's pretty much an everyday occurrence for any internet-connected SIP system these days... Oct 3 19:46:20 server /sbin/kamailio[3977]: NOTICE: script: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=null rU=100972597438354 Many of these attacks come from fairly easily recognised user-agent strings, so if you fancy doing a bit of packet inspection with your firewall, you can block many of these before they get as far as your SIP server(s) themselves. For example, the sipcli scans you listed above can be blocked fairly easily with: iptables -A INPUT -p udp --dport 5060 -m string --algo bm --string sipcli -j DROP (obviously there are overheads to string searching UDP/5060 packets that you'll want to consider, and the above won't work if you're using sipcli legitimately anywhere on your network) Kind regards, Chris -- This email is made from 100% recycled electrons -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] PBX hacked: why hundred of calls to the same number ?
Hi Eric I like your approach. I think about stateless redirect the bad boy to the NSA- or Pentagon-IVR LOL Am 03.10.2014 um 20:01 schrieb Eric Wieling: We set up our servers to allowguest=yes and autocreatepeer=yes and use a global context setting to point any of those calls to an IVR jail.Attempts stop reasonably quickly. An empty room with an unlocked door is far less interesting than a room with the door locked. *From:*asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] *On Behalf Of *Rainer Piper *Sent:* Friday, October 03, 2014 1:53 PM *To:* Asterisk Users Mailing List - Non-Commercial Discussion *Subject:* Re: [asterisk-users] PBX hacked: why hundred of calls to the same number ? the attacking server changed the destination Number at 18:53 CEST and he is still blocked ... LOL 972597438354 callto:00972597438354 Oct 3 18:53:17 server /sbin/kamailio[3977]: NOTICE: script: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=null rU=00972597438354 callto:00972597438354 Oct 3 19:06:37 server /sbin/kamailio[3978]: NOTICE: script: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=null rU=000972597438354 Oct 3 19:19:45 server /sbin/kamailio[3977]: NOTICE: script: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=null rU=972597438354 Oct 3 19:32:59 server /sbin/kamailio[3978]: NOTICE: script: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=null rU=*000972597438354 Oct 3 19:46:20 server /sbin/kamailio[3977]: NOTICE: script: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=null rU=100972597438354 Am 03.10.2014 um 14:52 schrieb Rainer Piper: Am 02.10.2014 um 15:40 schrieb Tzafrir Cohen: On Thu, Oct 02, 2014 at 07:52:34AM +0200, Rainer Piper wrote: Is the destination Number like Country Code +972? +972 59 xx(x) mobile - Jawall [moving to 7-digit subscriber numbers] source -http://www.wtng.info/wtng-972-il.html That page is slightly dated. +972 59 XXX are all the numbers in the Palestinian Authority (there are several providers besides Jawall). My SIP Proxy logs all the unauth. INVITEs and I found the a lot calls go to the Country code +972 xxx As a resident of +972 (+972-4), I'll just note that those hack attempts are typically related to PA numbers (+972-59) as rates there are higher. Hi Tzafrir, ok, the page www.wtng.info http://www.wtng.info is not really up to date. here some logs to see the variations of the attempt to dial over my proxy Oct 3 11:23:06 server /sbin/kamailio[7217]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=00972592910519 callto:00972592910519 Oct 3 11:42:52 server /sbin/kamailio[7218]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=972592910519 Oct 3 11:53:15 server /sbin/kamailio[7217]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=700972592910519 Oct 3 12:06:32 server /sbin/kamailio[7218]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=200972592910519 Oct 3 12:20:04 server /sbin/kamailio[7217]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=#00972592910519 callto:00972592910519 Oct 3 12:32:53 server /sbin/kamailio[7218]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=*000972592910519 Oct 3 12:45:35 server /sbin/kamailio[7217]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=*972592910519 Oct 3 12:57:42 server /sbin/kamailio[7217]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=900972592910519 Oct 3 13:09:37 server /sbin/kamailio[7218]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=7700972592910519 Oct 3 13:21:24 server /sbin/kamailio[7217]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=66600972592910519 Oct 3 13:33:11 server /sbin/kamailio[7218]: NOTICE: script: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=null rU=00972592910519 and the source IP 69.30.254.234 is coming from OrgName:WholeSale Internet, Inc. OrgId: WHOLE-125 Address:324 E. 11th St. Address:Suite 1000 City: Kansas City StateProv: MO PostalCode: 64106 Country:US very strange ;-) -- *Rainer Piper* Integration engineer Koeslinstr. 56 53123 BONN GERMANY Phone: +49 228 97167161 callto:004922897167161 P2P: sip:rai...@sip.soho-piper.de:5072 (pjsip-test) XMPP: rai...@xmpp.soho-piper.de mailto:rai...@xmpp.soho-piper.de -- *Rainer Piper* Integration engineer Koeslinstr. 56 53123
Re: [asterisk-users] PBX hacked: why hundred of calls to the same number ?
Hi Chris, yes ... it is boring ... I stop posting ... ;-) Am 03.10.2014 um 20:11 schrieb Chris Bagnall: On 3/10/14 6:52 pm, Rainer Piper wrote: the attacking server changed the destination Number at 18:53 CEST and he is still blocked ... LOL 972597438354 callto:00972597438354 It's pretty much an everyday occurrence for any internet-connected SIP system these days... Oct 3 19:46:20 server /sbin/kamailio[3977]: NOTICE: script: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=null rU=100972597438354 Many of these attacks come from fairly easily recognised user-agent strings, so if you fancy doing a bit of packet inspection with your firewall, you can block many of these before they get as far as your SIP server(s) themselves. For example, the sipcli scans you listed above can be blocked fairly easily with: iptables -A INPUT -p udp --dport 5060 -m string --algo bm --string sipcli -j DROP (obviously there are overheads to string searching UDP/5060 packets that you'll want to consider, and the above won't work if you're using sipcli legitimately anywhere on your network) Kind regards, Chris -- *Rainer Piper* Integration engineer Koeslinstr. 56 53123 BONN GERMANY Phone: +49 228 97167161 P2P: sip:rai...@sip.soho-piper.de:5072 (pjsip-test) XMPP: rai...@xmpp.soho-piper.de -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] PBX hacked: why hundred of calls to the same number ?
just one more ;-) the source IP just changed to 142.0.41.179 OrgName:VolumeDrive OrgId: VOLUM-2 Address:1143 Northern Blvd City: Clarks Summit StateProv: PA PostalCode: 18411 Country:US and the destination Number to 972595632276 callto:00972595632276 Oct 3 20:26:37 server /sbin/kamailio[3977]: NOTICE: script: blocking IP 142.0.41.179 sipcli/v1.8 rm=INVITE aU=null rU=+972595632276 callto:00972595632276 Am 03.10.2014 um 20:15 schrieb Rainer Piper: Hi Chris, yes ... it is boring ... I stop posting ... ;-) Am 03.10.2014 um 20:11 schrieb Chris Bagnall: On 3/10/14 6:52 pm, Rainer Piper wrote: the attacking server changed the destination Number at 18:53 CEST and he is still blocked ... LOL 972597438354 callto:00972597438354 It's pretty much an everyday occurrence for any internet-connected SIP system these days... Oct 3 19:46:20 server /sbin/kamailio[3977]: NOTICE: script: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=null rU=100972597438354 Many of these attacks come from fairly easily recognised user-agent strings, so if you fancy doing a bit of packet inspection with your firewall, you can block many of these before they get as far as your SIP server(s) themselves. For example, the sipcli scans you listed above can be blocked fairly easily with: iptables -A INPUT -p udp --dport 5060 -m string --algo bm --string sipcli -j DROP (obviously there are overheads to string searching UDP/5060 packets that you'll want to consider, and the above won't work if you're using sipcli legitimately anywhere on your network) Kind regards, Chris -- *Rainer Piper* Integration engineer Koeslinstr. 56 53123 BONN GERMANY Phone: +49 228 97167161 P2P: sip:rai...@sip.soho-piper.de:5072 (pjsip-test) XMPP: rai...@xmpp.soho-piper.de -- *Rainer Piper* Integration engineer Koeslinstr. 56 53123 BONN GERMANY Phone: +49 228 97167161 P2P: sip:rai...@sip.soho-piper.de:5072 (pjsip-test) XMPP: rai...@xmpp.soho-piper.de -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] PBX hacked: why hundred of calls to the same number ?
There are lots of ways to solve this, and NOT to solve this. Don't start adding lots of rules to iptables (or deep per packet inspection requirements) as this will hurt capacity...and it doesn't really solve the problem Take a look at http://www.voip-info.org/wiki/view/Asterisk+security If you are running a small system I recommend trying the free version of SecAst. If you're running a larger PBX, the SecAst GeoIP blocking (deny/allow by country/city/etc) will remove 99% of the attacks. Take a good look at the page above for options...free/paid, software/hardware Michelle *All opinions are my own, and do not represent my employer. Since I'm employed by GenerationD, you can bet that my opinions are biased :) From: asterisk-users-boun...@lists.digium.com asterisk-users-boun...@lists.digium.com on behalf of Rainer Piper rainer.pi...@soho-piper.de Sent: Friday, October 3, 2014 2:15 PM To: Asterisk Users List Subject: Re: [asterisk-users] PBX hacked: why hundred of calls to the same number ? Hi Chris, yes ... it is boring ... I stop posting ... ;-) Am 03.10.2014 um 20:11 schrieb Chris Bagnall: On 3/10/14 6:52 pm, Rainer Piper wrote: the attacking server changed the destination Number at 18:53 CEST and he is still blocked ... LOL 972597438354 callto:00972597438354callto:00972597438354 It's pretty much an everyday occurrence for any internet-connected SIP system these days... Oct 3 19:46:20 server /sbin/kamailio[3977]: NOTICE: script: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=null rU=100972597438354 Many of these attacks come from fairly easily recognised user-agent strings, so if you fancy doing a bit of packet inspection with your firewall, you can block many of these before they get as far as your SIP server(s) themselves. For example, the sipcli scans you listed above can be blocked fairly easily with: iptables -A INPUT -p udp --dport 5060 -m string --algo bm --string sipcli -j DROP (obviously there are overheads to string searching UDP/5060 packets that you'll want to consider, and the above won't work if you're using sipcli legitimately anywhere on your network) Kind regards, Chris -- Rainer Piper Integration engineer Koeslinstr. 56 53123 BONN GERMANY Phone: +49 228 97167161 P2P: sip:rai...@sip.soho-piper.de:5072 (pjsip-test) XMPP: rai...@xmpp.soho-piper.demailto:rai...@xmpp.soho-piper.de -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] PBX hacked: why hundred of calls to the same number ?
Am 01.10.2014 um 15:48 schrieb Gokan Atmaca: Someone reported me that from a PBX on which someone gained fraudulent access, he could observe hundreds of calls to the same destination number. For curiosity's sake, I'm wondering why would this happen (dialing the same number over and over) ? Some special numbers generate here and there revenues for callees (and not for callers). Beside sharing interests with the callee that get those revenues, why a hacker would like to dial the same numbers over and over ? In other words, in this case, is looking at callee number a promising path to find hackers ? Is there a bot virus ? Do you IP address restrictions ? I have one SIP Proxy without any outbound trunks/routing and this Proxy is just collecting bad source IPs and bad destination numbers for the database blacklist table and I use this blacklist table in my productive System. On Wed, Oct 1, 2014 at 4:36 PM, Administrator TOOTAI ad...@tootai.net wrote: Le 01/10/2014 11:40, Olivier a écrit : Hi, Hi Someone reported me that from a PBX on which someone gained fraudulent access, he could observe hundreds of calls to the same destination number. For curiosity's sake, I'm wondering why would this happen (dialing the same number over and over) ? Some special numbers generate here and there revenues for callees (and not for callers). Beside sharing interests with the callee that get those revenues, why a hacker would like to dial the same numbers over and over ? callee is also the bad men. Go and buy an 899 number in France, hack PBXS and call your number :-) [...] -- Daniel -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users -- *Rainer Piper* Integration engineer Koeslinstr. 56 53123 BONN GERMANY Phone: +49 228 97167161 P2P: sip:rai...@sip.soho-piper.de:5072 (pjsip-test) XMPP: rai...@xmpp.soho-piper.de -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] PBX hacked: why hundred of calls to the same number ?
On Thu, Oct 02, 2014 at 07:52:34AM +0200, Rainer Piper wrote: Is the destination Number like Country Code +972? +972 59 xx(x) mobile - Jawall [moving to 7-digit subscriber numbers] source - http://www.wtng.info/wtng-972-il.html That page is slightly dated. +972 59 XXX are all the numbers in the Palestinian Authority (there are several providers besides Jawall). My SIP Proxy logs all the unauth. INVITEs and I found the a lot calls go to the Country code +972 xxx As a resident of +972 (+972-4), I'll just note that those hack attempts are typically related to PA numbers (+972-59) as rates there are higher. -- Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] PBX hacked: why hundred of calls to the same number ?
Is the destination Number like Country Code +972? +972 59 xx(x) mobile - Jawall [moving to 7-digit subscriber numbers] source - http://www.wtng.info/wtng-972-il.html My SIP Proxy logs all the unauth. INVITEs and I found the a lot calls go to the Country code +972 xxx I've seen that a very high percentage of the SIP probing my Asterisk system has seen over the past few years, consist of attempts to phone numbers in +972 (or, more generally, the West Bank and/or Gaza). It's consistent enough that I've set up a Fail2Ban rule which slaps a semi-permanent block on any IP address which tries this, even once. Since the last time I did a firewall-reset, the resulting iptables rules have blocked over 2000 call attempts (one attacker at 142.54.180.50 has tried over 1200 times). These attempts seem to come from all over the world... I'd guess that the majority are being sent through 'botted systems. -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] PBX hacked: why hundred of calls to the same number ?
Le 01/10/2014 11:40, Olivier a écrit : Hi, Hi Someone reported me that from a PBX on which someone gained fraudulent access, he could observe hundreds of calls to the same destination number. For curiosity's sake, I'm wondering why would this happen (dialing the same number over and over) ? Some special numbers generate here and there revenues for callees (and not for callers). Beside sharing interests with the callee that get those revenues, why a hacker would like to dial the same numbers over and over ? callee is also the bad men. Go and buy an 899 number in France, hack PBXS and call your number :-) [...] -- Daniel -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] PBX hacked: why hundred of calls to the same number ?
Someone reported me that from a PBX on which someone gained fraudulent access, he could observe hundreds of calls to the same destination number. For curiosity's sake, I'm wondering why would this happen (dialing the same number over and over) ? Some special numbers generate here and there revenues for callees (and not for callers). Beside sharing interests with the callee that get those revenues, why a hacker would like to dial the same numbers over and over ? In other words, in this case, is looking at callee number a promising path to find hackers ? Is there a bot virus ? Do you IP address restrictions ? On Wed, Oct 1, 2014 at 4:36 PM, Administrator TOOTAI ad...@tootai.net wrote: Le 01/10/2014 11:40, Olivier a écrit : Hi, Hi Someone reported me that from a PBX on which someone gained fraudulent access, he could observe hundreds of calls to the same destination number. For curiosity's sake, I'm wondering why would this happen (dialing the same number over and over) ? Some special numbers generate here and there revenues for callees (and not for callers). Beside sharing interests with the callee that get those revenues, why a hacker would like to dial the same numbers over and over ? callee is also the bad men. Go and buy an 899 number in France, hack PBXS and call your number :-) [...] -- Daniel -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] PBX hacked: why hundred of calls to the same number ?
Am 01.10.2014 11:40, schrieb Olivier: Some special numbers generate here and there revenues for callees (and not for callers). Not just some, but ALL numbers generate revenue for the receiving telecom. (Ok ok, a few exceptions, in the US for example) This is how telecoms have been earning money, ever have been and will for a while longer until interconnection fees for incoming traffic will be dropped completely, it's a work in progress, especially in the EU. (Unfortunately) There are 2 schemes: 1) Not so popular, but it's on the rise in the last 1-2 years: get landline numbers in country xyz, strike a deal with the telco that owns these numbers so that they'll pass a bit of their revenue on to you, and find a way to call yourself for free or at a lower rate than these numbers pay (= abuse your unlimited subscriber plan). The revenue is usually in the area of 0.00x or even 0.000x per minute, depending on the country. 2) Just google International Premium Numbers, or short, IPRN. It's a whole world of its own. Revenue is much higher. These are not real numbers and they never have full worldwide connectivity. So the fraudster has 2 tasks: 1) find a carrier through which he can reach these numbers and 2) find a way to call these numbers at a lower rate than they pay out. 2) is usually accomplished by hacking PBXes (= free calls), fraudulent apps etc. There are tons of stories of abuse regarding IPRN out on the web, just research a bit (quite interesting actually). Some technical background information on 1) How does it work? Where does the revenue come from you might wonder? First to be said, it can never work without a fraudulent telecom operator that is part of the scheme. Imagine you are calling from France to Latvia. Let's say the call passes France, Switzerland, Czech Republic and then goes to Latvia. Each carrier on the path passes the call on to the next carrier. Now, let's say the carrier in the Czech Republic is the evil one. The call comes in, and they simply say: well, this Latvian number that you just called belongs to us, we terminate the call here and pick it up. Billing time starts. Now, they charge the Swiss telco for the incoming call to Latvia, of course. And the Swiss telco charges the French telecom. The French telecom charges their subscriber (e.g. hacked PBX). The call never makes it to Latvia! Now, the Czech Republic telco works together with an IPRN provider (or they run an evil IPRN service by themselves kind of anonymously). They pass a bit of the money they get from the Swiss telecom on to the IPRN owner (the fraudster) and keep the remaining money for themselves. Easy money! This is why IPRNs don't have worldwide connectivity and can usually never get called from within a country (path is too short, no fraudulent telecom in between). They can even be real numbers that belong to someone, in this case, in Latvia, it doesn't matter. All you need to be is an evil telco where calls transit through and you have it. How much do you pay to your normal landline telco for a call to Latvia? To a Latvian mobile number? Let it be 0.25 EUR per minute. Thats what the subscriber pays, the Swiss telecom gets 0.22 of that, the Czech telco 0.20 and the fraudster 0.11. Just an example - margins are always high with IPRNs. Now you can simply do the same not with Latvia but with faaar away countries, islands (!) where calling to is even more expensive and your margins will go waaay up. Just to be clear: it's totally legit to earn money on incoming calls, this is the main income source for telcos all over the world. But abusing your unlimited plan and running IPRNs is not that legit I'd say. :) Beside sharing interests with the callee that get those revenues, why a hacker would like to dial the same numbers over and over ? I don't see another reason. In other words, in this case, is looking at callee number a promising path to find hackers ? Not in my experience. Since the fraudulent telcos work together with the IPRN owners you won't succeed. Must be a large-scale fraud scheme with millions of EURs lost for some authority to investigate properly. Plus, the IPRN owners even can get paid via Western Union etc. from the IPRN service, so all they need is a stolen/fake passport... so you are not left with much except maybe their IP address which, of course, if they are not totally dumb, isn't theirs. Gotta get in touch with some law enforcement agency and then catch them when they pick up the money at the Western Union counter. I should write a book about that. :P Cheers Markus -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit:
Re: [asterisk-users] PBX hacked: why hundred of calls to the same number ?
Am 01.10.2014 um 18:19 schrieb Markus: Am 01.10.2014 11:40, schrieb Olivier: Some special numbers generate here and there revenues for callees (and not for callers). Not just some, but ALL numbers generate revenue for the receiving telecom. (Ok ok, a few exceptions, in the US for example) This is how telecoms have been earning money, ever have been and will for a while longer until interconnection fees for incoming traffic will be dropped completely, it's a work in progress, especially in the EU. (Unfortunately) There are 2 schemes: 1) Not so popular, but it's on the rise in the last 1-2 years: get landline numbers in country xyz, strike a deal with the telco that owns these numbers so that they'll pass a bit of their revenue on to you, and find a way to call yourself for free or at a lower rate than these numbers pay (= abuse your unlimited subscriber plan). The revenue is usually in the area of 0.00x or even 0.000x per minute, depending on the country. 2) Just google International Premium Numbers, or short, IPRN. It's a whole world of its own. Revenue is much higher. These are not real numbers and they never have full worldwide connectivity. So the fraudster has 2 tasks: 1) find a carrier through which he can reach these numbers and 2) find a way to call these numbers at a lower rate than they pay out. 2) is usually accomplished by hacking PBXes (= free calls), fraudulent apps etc. There are tons of stories of abuse regarding IPRN out on the web, just research a bit (quite interesting actually). Some technical background information on 1) How does it work? Where does the revenue come from you might wonder? First to be said, it can never work without a fraudulent telecom operator that is part of the scheme. Imagine you are calling from France to Latvia. Let's say the call passes France, Switzerland, Czech Republic and then goes to Latvia. Each carrier on the path passes the call on to the next carrier. Now, let's say the carrier in the Czech Republic is the evil one. The call comes in, and they simply say: well, this Latvian number that you just called belongs to us, we terminate the call here and pick it up. Billing time starts. Now, they charge the Swiss telco for the incoming call to Latvia, of course. And the Swiss telco charges the French telecom. The French telecom charges their subscriber (e.g. hacked PBX). The call never makes it to Latvia! Now, the Czech Republic telco works together with an IPRN provider (or they run an evil IPRN service by themselves kind of anonymously). They pass a bit of the money they get from the Swiss telecom on to the IPRN owner (the fraudster) and keep the remaining money for themselves. Easy money! This is why IPRNs don't have worldwide connectivity and can usually never get called from within a country (path is too short, no fraudulent telecom in between). They can even be real numbers that belong to someone, in this case, in Latvia, it doesn't matter. All you need to be is an evil telco where calls transit through and you have it. How much do you pay to your normal landline telco for a call to Latvia? To a Latvian mobile number? Let it be 0.25 EUR per minute. Thats what the subscriber pays, the Swiss telecom gets 0.22 of that, the Czech telco 0.20 and the fraudster 0.11. Just an example - margins are always high with IPRNs. Now you can simply do the same not with Latvia but with faaar away countries, islands (!) where calling to is even more expensive and your margins will go waaay up. Just to be clear: it's totally legit to earn money on incoming calls, this is the main income source for telcos all over the world. But abusing your unlimited plan and running IPRNs is not that legit I'd say. :) Beside sharing interests with the callee that get those revenues, why a hacker would like to dial the same numbers over and over ? I don't see another reason. In other words, in this case, is looking at callee number a promising path to find hackers ? Not in my experience. Since the fraudulent telcos work together with the IPRN owners you won't succeed. Must be a large-scale fraud scheme with millions of EURs lost for some authority to investigate properly. Plus, the IPRN owners even can get paid via Western Union etc. from the IPRN service, so all they need is a stolen/fake passport... so you are not left with much except maybe their IP address which, of course, if they are not totally dumb, isn't theirs. Gotta get in touch with some law enforcement agency and then catch them when they pick up the money at the Western Union counter. I should write a book about that. :P Cheers Markus Is the destination Number like Country Code +972? +972 59 xx(x) mobile - Jawall [moving to 7-digit subscriber numbers] source - http://www.wtng.info/wtng-972-il.html My SIP Proxy logs all the unauth. INVITEs and I found the a lot calls go to the Country code +972 xxx This is my log from this