On Wed, Nov 28, 2012 at 7:45 PM, J Gao <jgao at veecall.com> wrote:
> This morning someone tried to make a SIP call through my Asterisk. My server
> just dropped these calls and recorded them in the CDR with the IP address:
>
> 2012-11-28 06:30:51 SIP/216... 1000 "1000" <1000> Hangup 999011972592249388 ANSWERED 00:01 Hacker: 168.63.67.239
> 2. 2012-11-28 06:30:49 SIP/216... 1000 "1000" <1000> Hangup 88011972592249388 ANSWERED 00:01 Hacker: 168.63.67.239
> 3. 2012-11-28 06:30:46 SIP/216... 1000 "1000" <1000> Answer 99011972592249388 ANSWERED 00:02
> 4. 2012-11-28 06:30:43 SIP/216... 1000 "1000" <1000> Answer 1011972592249388 ANSWERED 00:02
> 5. 2012-11-28 06:30:39 SIP/216... 1000 "1000" <1000> Hangup 2011972592249388 ANSWERED 00:00 Hacker: 168.63.67.239
> 6. 2012-11-28 06:30:33 SIP/216... 1000 "1000" <1000> Hangup 7011972592249388 ANSWERED 00:01 Hacker: 168.63.67.239
> 7. 2012-11-28 06:30:30 SIP/216... 1000 "1000" <1000> Answer 8011972592249388 ANSWERED 00:03
> 8. 2012-11-28 06:30:27 SIP/216... 1000 "1000" <1000> Hangup 9011972592249388 ANSWERED 00:06 Hacker: 168.63.67.239
> 9. 2012-11-28 06:30:25 SIP/216... 1000 "1000" <1000> Answer 011972592249388 ANSWERED 00:07
>
> Now I noticed something interesting: The hacker's IP address: 168.63.67.239
>
> whois gave me:
> NetRange: 168.61.0.0 - 168.63.255.255
> CIDR: 168.61.0.0/16, 168.62.0.0/15
> OriginAS:
> NetName: MSFT-EP
> NetHandle: NET-168-61-0-0-1
> Parent: NET-168-0-0-0-0
> NetType: Direct Assignment
> RegDate: 2011-06-22
> Updated: 2012-10-16
> Ref: http://whois.arin.net/rest/net/NET-168-61-0-0-1
>
> OrgName: Microsoft Corp
> OrgId: MSFT-Z
> Address: One Microsoft Way
> City: Redmond
> StateProv: WA
> PostalCode: 98052
> Country: US
> RegDate: 2011-06-22
> Updated: 2011-06-22
> Ref: http://whois.arin.net/rest/org/MSFT-Z
>
>
> hmmmmmmm.... Did I just get hacked by Micro$oft?
>
> Gao
>
http://iplocation.truevue.org/168.63.67.239.html
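
The CDR quoted above shows one peer dialing the same trailing digits under a series of different leading prefixes within seconds. One way to flag that pattern in call records, as an added example that is not part of the original thread; the row layout, thresholds and sample numbers are assumptions constructed for illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (timestamp, source peer, dialed number), modelled on
# the shape of the CDR quoted above; the numbers themselves are made up.
SAMPLE_CDR = [
    ("2012-11-28 06:30:25", "1000", "011999555010023"),
    ("2012-11-28 06:30:27", "1000", "9011999555010023"),
    ("2012-11-28 06:30:30", "1000", "8011999555010023"),
    ("2012-11-28 06:30:33", "1000", "7011999555010023"),
    ("2012-11-28 06:30:39", "1000", "2011999555010023"),
    ("2012-11-28 06:30:51", "1000", "999011999555010023"),
    ("2012-11-28 09:12:02", "2001", "18005550142"),   # ordinary call
    ("2012-11-28 09:40:10", "2001", "18005550142"),   # redial, same digits
]

def find_prefix_probing(rows, suffix_len=10, min_variants=4,
                        window=timedelta(seconds=60)):
    """Flag sources that dial one number under many different prefixes.

    Rows are grouped by (source, last `suffix_len` digits). A group is
    reported when at least `min_variants` distinct dialed strings fall
    inside any `window`-long span. Returns {(source, suffix): [variants]}.
    """
    groups = defaultdict(list)
    for ts, src, dst in rows:
        digits = "".join(ch for ch in dst if ch.isdigit())
        if len(digits) < suffix_len:
            continue  # too short to compare reliably
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        groups[(src, digits[-suffix_len:])].append((when, digits))

    findings = {}
    for key, calls in groups.items():
        calls.sort()
        start = 0
        for end in range(len(calls)):
            # Shrink the window from the left until it fits the time limit.
            while calls[end][0] - calls[start][0] > window:
                start += 1
            variants = sorted({d for _, d in calls[start:end + 1]})
            # Keep the largest burst seen for this (source, suffix) pair.
            if (len(variants) >= min_variants
                    and len(variants) > len(findings.get(key, []))):
                findings[key] = variants
    return findings

if __name__ == "__main__":
    for (src, suffix), variants in find_prefix_probing(SAMPLE_CDR).items():
        print(f"peer {src}: {len(variants)} prefix variants of ...{suffix}")
```
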