On 3 February 2012 22:41, <[email protected]> wrote:
> What does your whole REGISTER route look like? Maybe you are missing
> something in there and it is allowing someone to register even though the
> password is wrong.
>
Definitely an issue with your script. Somewhere in there you are rejecting credentials but carrying on anyway...

> > On , James Lamanna <[email protected]> wrote:
> > Hi,
> >
> > I know the phones are not on public IPs.
> >
> > Here is an opensips log of an attacker successfully registering
> > (hashes have been scrubbed)
> >
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_newtran: transaction on entrance=(nil)
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:parse_headers: flags=ffffffffffffffff
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:parse_headers: flags=78
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_lookup_request: start searching: hash=22639, isACK=0
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_lookup_request: proceeding to pre-RFC3261 transaction matching
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_lookup_request: no transaction found
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:run_reqin_callbacks: trans=0x2b9c44a2a3e0, callback type 1, id 0 entered
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_nonce: comparing [4f2c3e2b00000c63c2838fdbc4296a91dd7866f0c9a7b89b] and [4f2c3e2b00000c63c2838fdbc4296a91dd7866f0c9a7b89b]
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:has_stmt_ctx: ctx found for subscriber
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: conn=0x7ee8c0 (tail=8315728) MC=0x7ee3b0
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: set values for the statement run
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_val2bind: added val (0): len=5; type=254; is_null=0
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: doing BIND_PARAM in...
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: prepared statement has 1 columns in result
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_new_result: allocate 48 bytes for result set at 0x7f2200
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_get_columns: 1 columns returned from the query
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_allocate_columns: allocate 28 bytes for result columns at 0x7f55a8
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_get_columns: RES_NAMES(0x7f55b0)[0]=[password]
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_get_columns: use DB_STRING result type
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_allocate_rows: allocate 48 bytes for result rows and values at 0x7fa080
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_str2val: converting STRING [........]
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth_db:get_ha1: HA1 string calculated: ....7ee7c3
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_response: our result = ....7f340e'
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_response: their response = '.....7f340e", algorithm=MD5#015#012User-Agent: VaxSIPUserAgent/3.0#015#012Expires:
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_response: authorization is OK
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:post_auth: nonce index= 3171
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_columns: freeing result columns at 0x7f55a8
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_rows: freeing 1 rows
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_row: freeing row values at 0x7fa090
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_rows: freeing rows at 0x7fa080
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_result: freeing result set at 0x7f2200
> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: Auth attempt for [email protected] from 74.204.92.217 on port 5060 ret 1
> >
> > -- James
> >
> > On Thu, Feb 2, 2012 at 12:08 AM, Dovid Bender <[email protected]> wrote:
> > > James,
> > >
> > > We have found with our users that some of them put the phones on public
> > > IPs. If the default password is not changed, no matter how hard the
> > > password is they will get in. Also try using characters like “@:^#” in your
> > > passwords.
> > >
> > > Regards,
> > >
> > > Dovid
> > >
> > > ________________________________
> > > From: [email protected] [mailto:[email protected]] On Behalf Of aws j
> > > Sent: Thursday, February 02, 2012 06:08
> > > To: OpenSIPS users mailling list
> > > Subject: Re: [OpenSIPS-Users] SIP Authentication Attacks
> > >
> > > Dear Mr James
> > > Can you attach your suspect file for me to do VoIP forensics on it?
> > > thanks
> > > Aws
> > > Msc VoIP security
> > >
> > > 2012/2/1 James Lamanna <[email protected]>
> > >
> > > Hi,
> > > I've noticed lately that a server of mine is getting repeatedly hit by
> > > an attacker trying to make international calls.
> > > The scary part is that the attacker seems to be able to register
> > > correctly on different extensions, even though each extension has a
> > > different, random password.
> > > I'm not sure how the attacker is getting the passwords or if there's a
> > > man-in-the-middle attack going on, but I would like some suggestions
> > > on how to increase the security of SIP authentication in opensips.
> > > I could enforce security through IP addresses, but I fear that will
> > > become quite cumbersome.
> > >
> > > Thanks.
> > >
> > > -- James
> > >
> > > _______________________________________________
> > > Users mailing list
> > > [email protected]
> > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
