Re: [asterisk-users] Numbers hackers call

2014-03-27 Thread Stefan Gofferje
On 03/26/2014 05:05 PM, Michelle Dupuis wrote:
> I see a lot of attempts by hackers to call 00972595301123
> or 011972595115207 or variations but that same 972595 is often present.
>
> Can someone break down that dial string with an explanation?  The 011
> look like an overseas call (from Americas), while the 972595XX is
> unclear...

Those lame hacking attempts aren't the big issue - unless you have an
insecure SIP-PBX. Germany just got hit with a wave of hacks of Fritz!Box
home routers with integrated SIP, causing hundreds of thousands in damage.
The big issue is that the ISPs worldwide don't give a crap about
complaints! And that's not only some backwater-ISPs in some 3rd world
countries! It's mainly the big names, like Hetzner, L3, etc. who - oh
well, yeah - send you an autoreply but in the end don't bother doing
anything.
Just recently was an article, again in a German IT-newsticker, about
Hetzner's abuse handling. They just forward the complaint to their
customer, including full contact data - which is pretty much illegal
(privacy protection, etc.) - but they don't follow up.

I got so fed up that I now put the top 20 of attacking IPs to my website...

Current top 5:
1. iWeb (Canada)
2. Level 3 (USA)
3. Dacom (S-Korea)
4. Intergenia (Germany)
5. OVH (France)

See http://stefan.gofferje.net/it-stuff/sipfraud

Really, if everybody would run statistics on attacks and publish them,
those ISPs would pretty quickly not only start reacting to fouled
servers but probably start monitoring proactively because being in the
top 20 of attacker-IPs ain't good for their reputation...

-S

-- 
 (o_   Stefan Gofferje            | SCLT, MCP, CCSA
 //\   Reg'd Linux User #247167   | VCP #2263
 V_/_  Heckler & Koch - the original point and click interface




-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] Numbers hackers call

2014-03-27 Thread Eric Wieling
I have an iptables file which blocks all traffic except traffic from networks 
allocated by ARIN or are Legacy networks.   I pulled the information from 
http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml  

My iptables script can be found at the link below. 

http://help.nyigc.net/tmp/iptables_geoblock

It might be helpful to someone.

-Original Message-
From: asterisk-users-boun...@lists.digium.com 
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Stefan Gofferje
Sent: Thursday, March 27, 2014 2:13 PM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] Numbers hackers call

On 03/26/2014 05:05 PM, Michelle Dupuis wrote:
> I see a lot of attempts by hackers to call 00972595301123 or
> 011972595115207 or variations but that same 972595 is often present.
>
> Can someone break down that dial string with an explanation?  The 011
> look like an overseas call (from Americas), while the 972595XX is
> unclear...

Those lame hacking attempts aren't the big issue - unless you have an insecure 
SIP-PBX. Germany just got hit with a wave of hacks of Fritz!Box home routers 
with integrated SIP, causing hundreds of thousands in damage.
The big issue is that the ISPs worldwide don't give a crap about complaints! 
And that's not only some backwater-ISPs in some 3rd world countries! It's 
mainly the big names, like Hetzner, L3, etc. who - oh well, yeah - send you an 
autoreply but in the end don't bother doing anything.
Just recently was an article, again in a German IT-newsticker, about Hetzner's 
abuse handling. They just forward the complaint to their customer, including 
full contact data - which is pretty much illegal (privacy protection, etc.) - 
but they don't follow up.

I got so fed up that I now put the top 20 of attacking IPs to my website...

Current top 5:
1. iWeb (Canada)
2. Level 3 (USA)
3. Dacom (S-Korea)
4. Intergenia (Germany)
5. OVH (France)

See http://stefan.gofferje.net/it-stuff/sipfraud

Really, if everybody would run statistics on attacks and publish them, those 
ISPs would pretty quickly not only start reacting to fouled servers but 
probably start monitoring proactively because being in the top 20 of 
attacker-IPs ain't good for their reputation...

-S

-- 
 (o_   Stefan Gofferje            | SCLT, MCP, CCSA
 //\   Reg'd Linux User #247167   | VCP #2263
 V_/_  Heckler & Koch - the original point and click interface



Re: [asterisk-users] Numbers hackers call

2014-03-27 Thread Stefan Gofferje
On 03/27/2014 08:36 PM, Eric Wieling wrote:
> I have an iptables file which blocks all traffic except traffic from networks
> allocated by ARIN or are Legacy networks.   I pulled the information from
> http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml
>
> My iptables script can be found at the link below.
>
> http://help.nyigc.net/tmp/iptables_geoblock
>
> It might be helpful to someone.

Below's my solution. I specifically block China, Korea and Palestine.
That already massively reduced my amount of attacks. I can't block as
much as you because I do allow unregistered inbound SIP calls to
sip:ste...@home.mylastname.net. CN, KR and PS are currently the only
attack origins from where I wouldn't expect legit inbound traffic.

Here's my script (pulls data from ipdeny.com). The script is called in
my primary IPTABLES script after flushing and before my specific ruleset.
And it runs on my perimeter firewall.

WARNING: That's about 5000 networks to stuff into the tables! My fw is a
Phenom 8650 3-core machine and it takes about 8.5 minutes to stuff all
the rules into the kernel!

#!/bin/bash

IPTABLES=/sbin/iptables
ANY=0.0.0.0/0
BLOCKDIR=blocklist.d

# Create the download directory on first run
if ! test -d "${BLOCKDIR}"; then
  mkdir "${BLOCKDIR}"
fi

DATE=$(date)

echo "Country blocking rules..."
echo "Downloading rules..."

# One zone file (a list of CIDR networks) per blocked country
curl -s http://www.ipdeny.com/ipblocks/data/countries/cn.zone \
  -o "${BLOCKDIR}/cn.zone" || echo "Warning: Couldn't download CN zone"
curl -s http://www.ipdeny.com/ipblocks/data/countries/kr.zone \
  -o "${BLOCKDIR}/kr.zone" || echo "Warning: Couldn't download KR zone"
curl -s http://www.ipdeny.com/ipblocks/data/countries/ps.zone \
  -o "${BLOCKDIR}/ps.zone" || echo "Warning: Couldn't download PS zone"

echo "Done downloading. Setting rules..."

for FILE in "${BLOCKDIR}"/*zone; do
  for ADDRESS in $(cat "${FILE}"); do
    echo "Blocking network: ${ADDRESS}..."
    # LOG comes before DROP: DROP ends rule traversal, so a LOG rule
    # placed after it for the same source would never match
    $IPTABLES -A INPUT -s "${ADDRESS}" -d $ANY -j LOG --log-prefix "Packet log: COUNTRY DROP "
    $IPTABLES -A INPUT -s "${ADDRESS}" -d $ANY -j DROP
    $IPTABLES -A FORWARD -s "${ADDRESS}" -d $ANY -j LOG --log-prefix "Packet log: COUNTRY DROP "
    $IPTABLES -A FORWARD -s "${ADDRESS}" -d $ANY -j DROP
  done
done

echo "Done. Started: ${DATE}, finished: $(date)"


-- 
 (o_   Stefan Gofferje            | SCLT, MCP, CCSA
 //\   Reg'd Linux User #247167   | VCP #2263
 V_/_  Heckler & Koch - the original point and click interface
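
One way to avoid loading thousands of individual rules, as an added example that is not part of the original post: the zone files are validated and loaded into a single ipset, which the kernel matches with one hash lookup per packet. SET_NAME and the function names are made up for illustration; applying it needs the ipset tool and root.

```shell
#!/bin/sh
# Added example, not part of the original post. SET_NAME and the function
# names are made up here; zone files are the ipdeny.com downloads from the post.
SET_NAME=countryblock

# Succeed only for a.b.c.d/len (octets 0-255, len 0-32). Anything else, such
# as an HTML error page saved by a failed download, is rejected.
is_cidr() {
    case $1 in
        */*/*|*[!0-9./]*) return 1 ;;
        */*) ;;
        *) return 1 ;;
    esac
    addr=${1%/*}
    len=${1#*/}
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr          # split the address into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] || return 1
        [ "$o" -le 255 ] || return 1
    done
}

# Write "ipset restore" input for the zone files given as arguments.
# Networks go into a scratch set that is swapped in at the end, so the live
# set is never empty or half loaded while a refresh runs.
build_restore() {
    echo "create $SET_NAME hash:net family inet"
    echo "create $SET_NAME-new hash:net family inet"
    echo "flush $SET_NAME-new"
    cat "$@" | while IFS= read -r line || [ -n "$line" ]; do
        if is_cidr "$line"; then
            echo "add $SET_NAME-new $line"
        fi
    done
    echo "swap $SET_NAME-new $SET_NAME"
    echo "destroy $SET_NAME-new"
}

# Load the set and add two rules per chain (LOG first, then DROP).
# Assumes, as in the post, that the chains were flushed just before this runs.
apply_rules() {
    # -exist: tolerate sets that already exist and networks listed twice
    build_restore "$@" | ipset -exist restore || return 1
    for chain in INPUT FORWARD; do
        iptables -A "$chain" -m set --match-set "$SET_NAME" src \
            -j LOG --log-prefix "Packet log: COUNTRY DROP "
        iptables -A "$chain" -m set --match-set "$SET_NAME" src -j DROP
    done
}

# Usage (as root): apply_rules blocklist.d/*.zone
```

Later refreshes only need `build_restore blocklist.d/*.zone | ipset -exist restore`; the iptables rules stay in place and pick up the swapped-in set.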





Re: [asterisk-users] Numbers hackers call

2014-03-26 Thread Eric Wieling
972 is Israel

See: http://en.wikipedia.org/wiki/List_of_country_calling_codes#Ordered_by_code

-Original Message-
From: asterisk-users-boun...@lists.digium.com 
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Michelle Dupuis
Sent: Wednesday, March 26, 2014 11:05 AM
To: Asterisk Users List
Subject: [asterisk-users] Numbers hackers call

I see a lot of attempts by hackers to call 00972595301123 or 011972595115207
or variations but that same 972595 is often present.

Can someone break down that dial string with an explanation?  The 011 look like
an overseas call (from Americas), while the 972595XX is unclear...


Re: [asterisk-users] Numbers hackers call

2014-03-26 Thread Jeff LaCoursiere

On 03/26/2014 10:05 AM, Michelle Dupuis wrote:

> I see a lot of attempts by hackers to call
> 00972595301123 or 011972595115207 or variations but that same 972595 is
> often present.
>
> Can someone break down that dial string with an explanation?  The 011
> look like an overseas call (from Americas), while the 972595XX is
> unclear...

I show that as Israel Cellular Jawall.

j

Re: [asterisk-users] Numbers hackers call

2014-03-26 Thread Ishfaq Malik
Hi

The 11 bit is them thinking there's some prefix which will cause your PBX
to become an open relay. The number (97259) is a Palestine Mobile number.
There's a lot of hacking attempts coming from Palestine and this type of
number probably has some revenue generation properties to it.

Regards

Ish


On 26 March 2014 15:05, Michelle Dupuis mdup...@ocg.ca wrote:

> I see a lot of attempts by hackers to call 00972595301123 or
> 011972595115207 or variations but that same 972595 is often present.
>
> Can someone break down that dial string with an explanation?  The 011
> look like an overseas call (from Americas), while the 972595XX is
> unclear...





-- 

Ishfaq Malik
Department: VOIP Support
Company: Packnet Limited
t: +44 (0)845 004 4994
f: +44 (0)161 660 9825
e: i...@pack-net.co.uk
w: http://www.pack-net.co.uk

Registered Address: PACKNET LIMITED, Duplex 2, Ducie House
37 Ducie Street
Manchester, M1 2JW
COMPANY REG NO. 04920552

Re: [asterisk-users] Numbers hackers call

2014-03-26 Thread Lenz Emilitri
http://en.wikipedia.org/wiki/Telephone_numbers_in_Israel

Looks like it's a mobile in Palestine - sure someone from Israel can
tell us more

2014-03-26 16:05 GMT+01:00 Michelle Dupuis mdup...@ocg.ca:
> I see a lot of attempts by hackers to call 00972595301123 or 011972595115207
> or variations but that same 972595 is often present.
>
> Can someone break down that dial string with an explanation?  The 011 look
> like an overseas call (from Americas), while the 972595XX is unclear...





-- 
Loway - home of QueueMetrics - http://queuemetrics.com
Try the WombatDialer auto-dialer @ http://wombatdialer.com



Re: [asterisk-users] Numbers hackers call

2014-03-26 Thread emilianovazquez
The number is not important, I think.

You need to block those countries you never use to connect to your Asterisk
system.

I bet this call is made from Palestine/Israel too.

Best regards.

Emiliano

Sent from my Personal BlackBerry (http://www.personal.com.ar/)

-Original Message-
From: Lenz Emilitri lenz.lo...@gmail.com
Sender: asterisk-users-bounces@lists.digium.com
Date: Wed, 26 Mar 2014 16:14:02
To: Asterisk Users Mailing List - Non-Commercial Discussion asterisk-users@lists.digium.com
Reply-To: Asterisk Users Mailing List - Non-Commercial Discussion asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] Numbers hackers call

http://en.wikipedia.org/wiki/Telephone_numbers_in_Israel

Looks like it's a mobile in Palestine - sure someone from Israel can
tell us more

2014-03-26 16:05 GMT+01:00 Michelle Dupuis mdup...@ocg.ca:
> I see a lot of attempts by hackers to call 00972595301123 or 011972595115207
> or variations but that same 972595 is often present.
>
> Can someone break down that dial string with an explanation?  The 011 look
> like an overseas call (from Americas), while the 972595XX is unclear...





-- 
Loway - home of QueueMetrics - http://queuemetrics.com
Try the WombatDialer auto-dialer @ http://wombatdialer.com



Re: [asterisk-users] Numbers hackers call

2014-03-26 Thread Steven Howes
On 26 Mar 2014, at 15:05, Michelle Dupuis mdup...@ocg.ca wrote:

> I see a lot of attempts by hackers to call 00972595301123 or
> 011972595115207 or variations but that same 972595 is often present.
>
> Can someone break down that dial string with an explanation?  The 011 look
> like an overseas call (from Americas), while the 972595XX is unclear...

It’s an international call to +972595XX, tried with the 00, 001 and no
prefix. What is confusing?

Steve

Re: [asterisk-users] Numbers hackers call

2014-03-26 Thread Michelle Dupuis
If this is to 972 area code then the next digits should be 0X or 0XX but they 
are not.  This differs from what I found documented for that area code - I 
thought someone from the region might add to the discussion.  Not sure if this 
reflected a premium service etc.  (But someone jumped in with an explanation)


I'm guessing you have nothing to add to the discussion?



From: asterisk-users-boun...@lists.digium.com 
asterisk-users-boun...@lists.digium.com on behalf of Steven Howes 
steve-li...@geekinter.net
Sent: Wednesday, March 26, 2014 12:13 PM
To: Asterisk Users List
Subject: Re: [asterisk-users] Numbers hackers call

On 26 Mar 2014, at 15:05, Michelle Dupuis mdup...@ocg.ca wrote:

I see a lot of attempts by hackers to call 00972595301123 or 011972595115207
or variations but that same 972595 is often present.

Can someone break down that dial string with an explanation?  The 011 look like 
an overseas call (from Americas), while the 972595XX is unclear...

It's an international call to +972595XX, tried with the 00, 001 and no
prefix. What is confusing?

Steve

Re: [asterisk-users] Numbers hackers call

2014-03-26 Thread Steven Howes

On 26 Mar 2014, at 16:20, Michelle Dupuis mdup...@ocg.ca wrote:

> If this is to 972 area code then the next digits should be 0X or 0XX but they
> are not.  This differs from what I found documented for that area code - I
> thought someone from the region might add to the discussion.  Not sure if
> this reflected a premium service etc.  (But someone jumped in with an
> explanation)

I never mentioned the 972 area code. It’s a country code - and as others have 
said it’s been mapped to a Palestinian mobile network. I’ve added this to my  
bar list - I’ve seen quite a lot of toll fraud to Palestine (and the middle 
east in general in recent months). If you’re referring to country code, then 
the 0 of the local number is dropped when dialled internationally, see:

https://en.wikipedia.org/wiki/Telephone_numbers_in_Israel

> I'm guessing you have nothing to add to the discussion?

Think what you will.

Steve


Re: [asterisk-users] Numbers hackers call

2014-03-26 Thread James Sharp

On 3/26/2014 12:20 PM, Michelle Dupuis wrote:

> If this is to 972 area code then the next digits should be 0X or 0XX but
> they are not.  This differs from what I found documented for that area
> code - I thought someone from the region might add to the discussion.
> Not sure if this reflected a premium service etc.  (But someone jumped
> in with an explanation)


0X or 0XX is only if you're in country and need to dial with the 0 
national trunk code (much like dialing 1+ in the US for an in country 
but long distance call).  Someone dialing from outside the country 
doesn't need to add the zero, so they just use the 972 country code + 59 
prefix.





Re: [asterisk-users] Numbers hackers call

2014-03-26 Thread Chad Wallace
On Wed, 26 Mar 2014 16:20:58 +
Michelle Dupuis mdup...@ocg.ca wrote:

> If this is to 972 area code then the next digits should be 0X or 0XX
> but they are not.

You never dial the local trunk prefix when you're calling
internationally.


-- 

C. Chad Wallace, B.Sc.
The Lodging Company
http://www.lodgingcompany.com/
OpenPGP Public Key ID: 0x262208A0




Re: [asterisk-users] Numbers hackers call

2014-03-26 Thread Eric Wieling
-Original Message-
From: asterisk-users-boun...@lists.digium.com 
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Chad Wallace
Sent: Wednesday, March 26, 2014 6:31 PM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] Numbers hackers call

> If this is to 972 area code then the next digits should be 0X or 0XX
> but they are not.

On Wed, 26 Mar 2014 16:20:58 +
Michelle Dupuis mdup...@ocg.ca wrote:
You never dial the local trunk prefix when you're calling internationally.

Italy is the only exception where dialing from outside the country requires the 
leading 0, but that is because the leading 0 isn't used as a trunk prefix

The ITU provides copies of each country's dialing plan for free at 
http://www.itu.int/oth/T0202.aspx?parent=T0202#A
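
The dial strings discussed in this thread, normalised and checked against a bar list, as an added example that is not from any poster. It assumes a NANP PBX (011 as the international access code); BARRED_PREFIXES and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: normalise a dialled string and check it
# against a bar list before it reaches an outbound trunk.
# Assumption: a NANP (North American) PBX, where 011 is the international
# access code and bare 10/11-digit strings are national numbers.

# Constructed bar list: country code + leading digits, space separated.
# The national trunk 0 is dropped when dialling internationally, so the entry
# for the prefix identified in this thread is 97259, not 972059.
BARRED_PREFIXES="97259"

# Print "country code + national number" for an international dial string.
# Returns 1 for a national number, 2 for a malformed string.
normalize_dial() {
    n=$1
    case $n in
        +*)   n=${n#+};   intl=1 ;;
        011*) n=${n#011}; intl=1 ;;
        00*)  n=${n#00};  intl=1 ;;
        *)    intl=0 ;;
    esac
    case $n in
        ''|*[!0-9]*) return 2 ;;
    esac
    # No access code: only strings longer than 11 digits are treated as
    # "country code + number". 972 is also a NANP area code, so a bare
    # 10-digit 972... string is a national call and must not be barred here.
    if [ "$intl" -eq 0 ] && [ "${#n}" -le 11 ]; then
        return 1
    fi
    printf '%s\n' "$n"
}

# Succeeds (returns 0) when the call must be refused.
is_barred() {
    e164=$(normalize_dial "$1")
    case $? in
        1) return 1 ;;   # national call: not covered by this list
        2) return 0 ;;   # malformed dial string: refuse
    esac
    for p in $BARRED_PREFIXES; do
        case $e164 in
            "$p"*) return 0 ;;
        esac
    done
    return 1
}
```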
