Shaun Wingrin
2010-Aug-24 12:53 UTC
[asterisk-users] Attempted SIP connection by foreign host. Help!
Say,

I just picked this up on my messages!

There are a whole host of these requests!
Anyone know who these people are? Is there a way to report them?
Any suggestions as to how to block them?

[Aug 23 10:34:16] NOTICE[1010] chan_sip.c: Registration from '"912" <sip:1 at 41.1.1.1>' failed for '184.106.217.112' - Wrong password
[Aug 23 10:34:17] NOTICE[1010] chan_sip.c: Registration from '"912" <sip:1 at 41.1.1.1>' failed for '184.106.217.112' - Wrong password

C:\>tracert 184.106.217.112

Tracing route to 184-106-217-112.static.cloud-ips.com [184.106.217.112]
over a maximum of 30 hops:

  1     2 ms     1 ms     1 ms  192.168.10.199
  2     5 ms     3 ms     2 ms  192.168.1.197
  3    11 ms    14 ms     8 ms  196-210-138-1.dynamic.isadsl.co.za [196.210.138.1]
  4    14 ms     9 ms    11 ms  cdsl1-rba-vl2360.ip.isnet.net [196.38.73.133]
  5    10 ms     9 ms     9 ms  cdsl1-rba-vl150.ip.isnet.net [196.38.73.17]
  6    11 ms    10 ms    12 ms  core2b-rba-te2-0-1.ip.isnet.net [168.209.1.182]
  7   183 ms   182 ms   183 ms  mi-za-rba-p6-gi3-0-2-102.ip.isnet.net [168.209.164.13]
  8   179 ms   182 ms   180 ms  mi-uk-dock-p2-po3-0-2.ip.isnet.net [168.209.163.3]
  9   179 ms   178 ms   178 ms  core2a-dock-gi1-0-19-102.ip.isnet.net [168.209.164.56]
 10   180 ms   180 ms   180 ms  168.209.246.1
 11   233 ms   255 ms   233 ms  ge-2-1-0.mpr1.lhr2.uk.above.net [195.66.224.76]
 12   216 ms   214 ms   221 ms  ge-5-1-0.mpr1.lhr2.uk.above.net [64.125.27.149]
 13   276 ms   280 ms   283 ms  so-0-1-0.mpr1.dca2.us.above.net [64.125.27.57]
 14   269 ms   264 ms   260 ms  so-0-1-0.mpr1.lga5.us.above.net [64.125.26.98]
 15   282 ms   291 ms   294 ms  xe-0-3-0.cr1.lga5.us.above.net [64.125.29.49]
 16   323 ms   341 ms   295 ms  xe-0-2-0.cr1.ord2.us.above.net [64.125.27.169]
 17   307 ms   292 ms   293 ms  xe-1-1-0.er1.ord7.above.net [64.125.26.250]
 18   314 ms   308 ms   314 ms  64.124.65.218.allocated.above.net [64.124.65.218]
 19   321 ms   315 ms   438 ms  core1-ed2-edge3.ord1.rackspace.net [173.203.0.109]
 20   310 ms   302 ms   294 ms  core1-aggr301a-2.ord1.rackspace.net [173.203.0.173]
 21   288 ms   296 ms   302 ms  184-106-217-112.static.cloud-ips.com [184.106.217.112]

Trace complete.

Thanks Shaun
Ishfaq Malik
2010-Aug-24 13:13 UTC
[asterisk-users] Attempted SIP connection by foreign host. Help!
On Tue, 2010-08-24 at 14:53 +0200, Shaun Wingrin wrote:
> Say,
>
> I just picked this up on my messages!
>
> There are a whole host of these requests!
> Anyone know who these people are? Is there a way to report them?
> Any suggestions as to how to block them?
>
> [Aug 23 10:34:16] NOTICE[1010] chan_sip.c: Registration from '"912"
> <sip:1 at 41.1.1.1>' failed for '184.106.217.112' - Wrong password

Hi Shaun

we had something similar a few weeks back, some people are using sipvicious to try to get into a SIP account.

There is some very good advice to follow here
http://blogs.digium.com/2009/03/28/sip-security/

--
Ishfaq Malik
Software Developer
PackNet Ltd

Office: 0161 660 3062
Gordon Henderson
2010-Aug-24 13:22 UTC
[asterisk-users] Attempted SIP connection by foreign host. Help!
On Tue, 24 Aug 2010, Shaun Wingrin wrote:

> Say,
>
> I just picked this up on my messages!
>
> There are a whole host of these requests!
> Anyone know who these people are? Is there a way to report them?
> Any suggestions as to how to block them?

Why don't you read the fine archives? This has been going on for months to almost everyone.

> Tracing route to 184-106-217-112.static.cloud-ips.com [184.106.217.112]

Oh look, yet another "cloud" provider has had one of their servers hacked.

Google for sipvicious if you want to know what they're using - and, I'm told, they're doing this to try to get free calls - surprise.

If you search the archives you'll find plenty of solutions - the best is to have good, secure passwords which are not susceptible to a dictionary attack. There are also things like fail2ban which will hopefully detect an attack and block it - however some older versions of sipvicious will simply carry on scanning and trying, even though you're firewalled out, so it'll still consume bandwidth.

I'm sure the author of sipvicious (who reads this list) probably didn't intend it to be used as a stealing tool, but if he hadn't written it, someone else would have.

Gordon
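
Added example, not part of the messages above and not fail2ban's own code: a sketch of the detection that a tool like fail2ban performs on the chan_sip lines posted in this thread, counting failed registrations per source address inside a time window. The threshold of 5 failures in 60 seconds, the function names and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern for the chan_sip NOTICE format quoted in this thread (an assumption for
# other Asterisk versions). The From value is chosen by the remote party, so it is
# matched greedily and the address is the one Asterisk appends at the end of the line.
FAIL_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<sender>.*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)

def find_offenders(lines, maxretry=5, findtime=timedelta(seconds=60), year=2010):
    """Return {ip: time of the failure that reached maxretry within findtime}."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    offenders = {}
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if not m or m["ip"] in offenders:
            continue
        # The log carries no year, so the caller supplies one.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(when)
        while when - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            offenders[m["ip"]] = when
    return offenders

def sample_line(ts, ip, user):
    """Build one constructed log line in the thread's format."""
    return (f"[Aug 23 {ts}] NOTICE[1010] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@192.0.2.1>' failed for '{ip}' - Wrong password")

# Constructed sample (documentation addresses): a user mistyping a password twice,
# ten minutes apart, then a six-attempt burst like the one posted above.
SAMPLE = (
    [sample_line("09:00:05", "192.0.2.10", "201"),
     sample_line("09:10:40", "192.0.2.10", "201")]
    + [sample_line(f"10:34:{16 + i // 3}", "198.51.100.7", "912") for i in range(6)]
    + ["[Aug 23 10:35:00] NOTICE[1010] chan_sip.c: Peer '201' is now Reachable"]
)

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE).items():
        print(f"{when:%b %d %H:%M:%S} block {ip}")
```

The result only identifies the address to hand to a firewall rule; the user with two mistyped passwords stays below the threshold and is not flagged.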