Nick Khamis
2013-Jan-06 23:36 UTC
[asterisk-users] Malicious traffic coming from 37.75.210.90

Hello Osama, and Hisham,

At 1330GMT there was some malicious activity coming from your network IP 37.75.210.90. Please act accordingly. Things that may be of use "972599779558"

N.
Philip Prindeville
2013-Aug-06 19:14 UTC
[asterisk-users] Paltel subscribers as called parties for SIP attacks (was: Malicious traffic coming from 37.75.210.90)

For what it's worth, I see similar traffic regularly from:

orange.ps
hadara.ps
ovh.net
iweb.ca
scalabledns.com
securedservers.com
wholesaleinternet.com
hostnoc.net
rackspace.com
hetzner.de

all going to 972-59-* numbers (i.e. Paltel/Jawal mobile customers). Common numbers are:

972592871970
972597562803
972592170729
972595936848
972599532957
972592170729
972592539831
972592910519
972592577022
972592648299
972599146173
972592264761
972592600109
972598285108
972592910519
972599463826
972597072204
972599327923
972595813485
972598642462
972598431470
972598372537
972597248231
972598431470

Now some of these numbers have been short-lived, others have been in use more than 2 years, like 972597562803, which seems to be sloppy tradecraft.

Why would an internet subscriber from hadara.ps, for instance, want to call a Paltel mobile user via some remotely hacked SIP PBX thousands of miles away, given that Paltel is partially owned by Hadara Technology Investment Co. (and Paltel leases long-haul infrastructure from Hadara anyway)?

http://en.wikipedia.org/wiki/Paltel

Well, if the Paltel subscriber were actually abroad, say in the US or Algeria or the Philippines, but he didn't want to risk the longest arm of the call being intercepted by Echelon or similar means, then he'd find an ISP in the country which he knew that subscriber to currently be in, and scan its CIDR blocks for insecure SIP PBXs to use to contact the mobile user, relying on domestic privacy protections to inhibit spying on internal traffic to that country.

Perhaps Hadara (or a Hamas cell operating within Hadara) has moved from psyops to more overt means:

http://blogs.norman.com/2012/security-research/cyberattack-against-israeli-and-palestinian-targets-for-a-year

I'm surprised that DHS hasn't taken more interest in this. Or perhaps they already have, and are operating deliberately insecure PBXs as honeypots.

Coming soon to your AGPS+ coordinates: a Predator drone?
In any case, with all the SIP (and other) abuse I've received from Hadara.ps, they've never once acknowledged a complaint I've sent in, which seems to be tacit approval of the practice.

I'd be curious to know what everyone else's experiences have been like, and why 95% or better of the SIP attacks on my PBX are destined for Paltel mobile subscribers. Given the number of inhabitants in Gaza, it seems like a statistical improbability. Certainly not random distribution.

On Jan 6, 2013, at 4:36 PM, Nick Khamis <symack at gmail.com> wrote:

> Hello Osama, and Hisham,
>
> At 1330GMT there was some malicious activity coming from your network
> IP 37.75.210.90. Please act accordingly. Things that may be of use
> "972599779558"
>
> N.
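The thread's observation, that the bulk of rejected INVITEs on a PBX are aimed at one destination range, is easy to measure rather than estimate. The script below is an added example, not code from the list or from the Asterisk project: it parses the NOTICE lines chan_sip writes when an unauthenticated INVITE targets an unknown extension, normalises the dialed number by stripping the "011" and "00" international prefixes (an assumption about how the probes are dialed, so adjust to your own dial plan), and reports what share of the attempts goes to the 972-59 prefix plus which source addresses sent them. The log lines are constructed samples in that chan_sip format; the IPs other than the one named in the thread are documentation addresses.

```python
"""Summarise rejected SIP INVITE attempts by source IP and dialed-number prefix.

Added example for the asterisk-users thread above, not the list's own code.
Reads Asterisk chan_sip NOTICE lines of the form
  Call from '...' (IP:port) to extension 'NUMBER' rejected because extension not found ...
and reports where the probes are aimed. Sample lines are constructed.
"""
import re
from collections import Counter

# chan_sip logs an INVITE to a non-existent extension with this NOTICE text.
NOTICE_RE = re.compile(
    r"Call from '[^']*' \((?P<ip>[\d.]+):\d+\) to extension "
    r"'(?P<ext>[^']+)' rejected because extension not found"
)

# Destination prefix to attribute: 972 59 is the Paltel/Jawal mobile range from the thread.
WATCH_PREFIX = "97259"

# International dial prefixes to strip before comparing numbers (assumed, adjust to taste).
DIAL_PREFIXES = ("011", "00")

# Constructed sample log; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
[Jan  6 13:30:01] NOTICE[1234]: chan_sip.c:25456 handle_request_invite: Call from '' (37.75.210.90:5060) to extension '972599779558' rejected because extension not found in context 'default'.
[Jan  6 13:30:02] NOTICE[1234]: chan_sip.c:25456 handle_request_invite: Call from '' (37.75.210.90:5060) to extension '011972599779558' rejected because extension not found in context 'default'.
[Jan  6 13:31:10] NOTICE[1234]: chan_sip.c:25456 handle_request_invite: Call from '' (192.0.2.10:5062) to extension '972597562803' rejected because extension not found in context 'default'.
[Jan  6 13:32:45] NOTICE[1234]: chan_sip.c:25456 handle_request_invite: Call from '' (198.51.100.7:5060) to extension '15551234567' rejected because extension not found in context 'default'.
[Jan  6 13:33:00] NOTICE[1234]: chan_sip.c:25456 handle_request_invite: Call from '' (192.0.2.10:5062) to extension '00972592871970' rejected because extension not found in context 'default'.
[Jan  6 13:33:05] VERBOSE[1234] pbx.c:     -- Executing [s@default:1] Answer("SIP/100-00000001", "") in new stack
"""


def normalize_number(ext):
    """Strip a leading '+' and any known international dial prefix so
    '011972...' , '00972...' and '972...' all compare equal."""
    ext = ext.strip().lstrip("+")
    for prefix in DIAL_PREFIXES:
        if ext.startswith(prefix) and len(ext) > len(prefix):
            return ext[len(prefix):]
    return ext


def parse_rejections(log_text):
    """Return a list of (source_ip, normalized_number) for every rejected INVITE.
    Lines that are not chan_sip rejection NOTICEs are ignored."""
    events = []
    for line in log_text.splitlines():
        m = NOTICE_RE.search(line)
        if m:
            events.append((m.group("ip"), normalize_number(m.group("ext"))))
    return events


def summarize(events, prefix=WATCH_PREFIX):
    """Aggregate rejected-INVITE events: overall count, how many targeted the
    watched prefix, that share, and per-source / per-number tallies."""
    total = len(events)
    watched = [e for e in events if e[1].startswith(prefix)]
    return {
        "total": total,
        "to_prefix": len(watched),
        "share": (len(watched) / total) if total else 0.0,
        "by_source": Counter(ip for ip, _ in events),
        "by_number": Counter(num for _, num in events),
        "watched_sources": sorted({ip for ip, _ in watched}),
    }


if __name__ == "__main__":
    report = summarize(parse_rejections(SAMPLE_LOG))
    print(f"{report['to_prefix']}/{report['total']} rejected INVITEs "
          f"({report['share']:.0%}) dialed +{WATCH_PREFIX}...")
    print("sources targeting that prefix:", ", ".join(report["watched_sources"]))
    for number, n in report["by_number"].most_common():
        print(f"  {number}: {n}")
```

Run it over `/var/log/asterisk/messages` instead of the sample and the `watched_sources` list is what goes into the abuse report, while a high `share` over a week confirms the skew the thread describes rather than guessing at it.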