Steve Murphy
2010-Nov-07 14:11 UTC
[asterisk-users] Why are the hackers scanning for these?
Hey, I'm going thru logs, and I see some very common and interesting things that the hackers are looking for.

In a whole bunch of scans, I've noticed that the first guess or two for sip accounts is usually a 10-digit number. I'm asking myself, why these numbers? Are they looking for a voip trunk? Or is it just like a serial number for the scan? What?

Here's some examples:

2648061411
3190339404
2685608247
3358171034
2092652562
2206598858

Just trying to follow the advice: "Know thy Enemy"

murf

Steve Murphy
ParseTree Corp.
57 Lane 17
Cody, WY 82414
murf at parsetree.com | 307-899-5535
> Here's some examples:
> 2648061411
> 3190339404

I'm getting exactly the same. Odds of getting a working number are like the odds of winning the lottery. My guess is they are either trying to find a voip trunk, or they are trying to make cold calls to the extensions on my system. Sales or something similar.
My guess is they are looking for 10 digit phone numbers as extensions. Are they all from 1 IP address or from many? If from many, they are likely many serial scans or from a list of suspected VOIP numbers. If from one, and that random, then from a list of suspected VOIP numbers.

Since you listed a phone number as part of your signature, I might guess hackers might soon add that number to a scan list. It is one thing to randomly run 2XX-XXX-XXXX to 999-999-9999, with skips for the "dead zones" (0-XXX-XXX-XXXX) etc., but another to hit suspected VOIP numbers.

Cary Fitch
Barry Miller
2010-Nov-07 15:27 UTC
[asterisk-users] Why are the hackers scanning for these?
On Sun, Nov 07, 2010 at 07:11:43AM -0700, Steve Murphy wrote:
> Hey, I'm going thru logs, and I see some very common and interesting things
> that the hackers are looking for.
>
> In a whole bunch of scans, I've noticed that the first guess or two for sip
> accounts is usually a 10-digit number. I'm asking myself, why these numbers?
> Are they looking for a voip trunk? Or is it just like a serial number for the
> scan? What?

It's SIPVicious. Before it starts its sequential scan, it makes sure that it can tell the difference between a valid peer and an unknown one. It tries two random peers, expecting a 404 response to at least one (most likely both) of them. Then, if it later gets a 401 during the sequential scan, it knows it's found a good peer name that can be targeted for password guessing. On the other hand, if both random guesses elicit 401 responses to REGISTERs, it knows that it can't winnow out the real peers, and (normally) just gives up right there.

That's why 'alwaysauthreject' is so effective at stopping the attacks (as opposed to blocking them). But if the attacker uses the '--force' option, which causes the scan to press on regardless, or something other than SIPVicious, only something like fail2ban will help, but that won't save your bandwidth like 'alwaysauthreject' will.

--
Barry
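Barry's description of the scan (two random 10-digit "calibration" guesses, then a sequential sweep of extensions) is something an admin can pick out of the Asterisk log before reaching for fail2ban. The script below is an added example, not code from the thread or from Asterisk; the chan_sip NOTICE format it parses and the log lines it uses are constructed assumptions, as are the addresses and peer names in them.

```python
import re
from collections import defaultdict

# Constructed sample in the style of Asterisk chan_sip NOTICE lines (the exact
# format is an assumption; these are not log lines from the thread).
SAMPLE_LOG = """\
[Nov  7 07:10:01] NOTICE[2210] chan_sip.c: Registration from '"2648061411" <sip:2648061411@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Nov  7 07:10:01] NOTICE[2210] chan_sip.c: Registration from '"3190339404" <sip:3190339404@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Nov  7 07:10:02] NOTICE[2210] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Nov  7 07:10:02] NOTICE[2210] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Nov  7 07:10:02] NOTICE[2210] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Nov  7 07:10:03] NOTICE[2210] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Nov  7 07:11:40] NOTICE[2210] chan_sip.c: Registration from '"alice" <sip:alice@192.0.2.10>' failed for '198.51.100.7' - Wrong password
"""

FAIL_RE = re.compile(r"Registration from '(?P<frm>[^']*)' failed for '(?P<ip>[0-9.]+)' - (?P<reason>.*)")
USER_RE = re.compile(r"sip:([^@>]+)@")

def parse_failures(log_text):
    """Yield (source_ip, username, reason) for every failed REGISTER line."""
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        u = USER_RE.search(m.group("frm")) if m else None
        if m and u:
            yield m.group("ip"), u.group(1), m.group("reason")

def scan_report(log_text, min_users=3):
    """Group failures per source IP and flag the pattern described in the thread.
    Sources that tried fewer than min_users distinct names are ignored."""
    by_ip = defaultdict(list)
    for ip, user, reason in parse_failures(log_text):
        by_ip[ip].append((user, reason))
    report = {}
    for ip, attempts in by_ip.items():
        names = sorted({u for u, _ in attempts})
        if len(names) < min_users:
            continue
        numeric = sorted(int(u) for u in names if u.isdigit())
        report[ip] = {
            "attempts": len(attempts),
            # The calibration guesses: random 10-digit names that cannot exist here.
            "ten_digit_probes": [u for u in names if u.isdigit() and len(u) == 10],
            # Consecutive numeric names indicate the sequential extension sweep.
            "sequential_sweep": any(b - a == 1 for a, b in zip(numeric, numeric[1:])),
            # 'Wrong password' means a real peer name was hit: the ones to watch.
            "existing_peers_targeted": sorted(u for u, r in attempts if r == "Wrong password"),
        }
    return report
```

On the constructed sample, `scan_report(SAMPLE_LOG)` flags only 203.0.113.5 and ignores the single mistyped password from 198.51.100.7.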