I confess. They hit me too - yesterday. I had a security hole they could drive a truck through, and they apparently used port 5060 to fish for a local extension they could masquerade as. Then they started calling out with one of my caller IDs. Within minutes I was deluged with calls from puzzled people.

After blocking them, I redirected incoming calls to this DID to a recorded explanation and apology. Then I sent a broadcast to the 281 logged out-dial numbers with a similar message.

So, heads up.

FWIW, I was hit by these IPs:

84.126.205.1
78.157.193.103

It would seem that we all might gain from cooperative work here. Also, can we share the FBI contact? I was going to call the FBI, but figured it would be a waste of time just getting through the bureaucracy to the right person.

I didn't capture the audio. Did the verbiage contain a spoken return call #? I was getting responses based on caller ID, and I'm wondering if the perpetrator expected to take return calls via the bogus SIP registration or via another channel.


Matt Gibson wrote:
Same here, but about 3 months ago. Luckily I was able to stop it after about
30 minutes, but they still got about 100 calls out, I got a lot of calls
back from little old ladies wanting to give me their credit card info, scary
stuff.

-----Original Message-----
From: asterisk-biz-boun...@lists.digium.com [mailto:asterisk-biz-boun...@lists.digium.com] On Behalf Of C. Savinovich
Sent: Friday, February 27, 2009 4:18 PM
To: 'Commercial and Business-Oriented Asterisk Discussion'
Subject: Re: [asterisk-biz] Fraud alert


  It seems to be the same pattern of people who attacked 3 of my servers in a 3 week period a couple of weeks ago.  The calls were made mostly to area codes 252 and 818 and indeed they showed the caller-id of the phones. My customer claims he received a call from the FBI saying that the calls were credit card solicitations.  The point is, whoever is doing this, is doing this massively.

CS

-----Original Message-----
From: asterisk-biz-boun...@lists.digium.com [mailto:asterisk-biz-boun...@lists.digium.com] On Behalf Of voip-aster...@maximumcrm.com
Sent: Friday, February 27, 2009 4:04 PM
To: Commercial and Business-Oriented Asterisk Discussion
Subject: Re: [asterisk-biz] Fraud alert

I'd suggest to everyone to ban that IP, it's been scanning our networks from time to time, in a sequential manner by IP.
I've had really good luck with this:

http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
Basically, it automatically blackholes via IPtables any host that fails a certain number of registration attempts in a given period.
Yeah we're actually rolling it out on all of our production servers, it's a great application to run.

I'm working on some scripts to propagate the bans to the firewall so that all of the servers get protected as soon as possible.

[default]
; Send any unauthenticated calls to the local FBI office
context=local-fbi-office

I've got a honeypot server that pretty much accepts any calls that come through, and plays a "Thank you for calling the Telecommunications Fraud hotline. Please stay online for the next available representative." If they stay online for more than 20 seconds, it connects them to an agent at the FBI that we have been working with.

I've been meaning to add some code in that pulls out the originating IP address of the call and tells it to the agent when we call. :)
That would be great to have!

_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--

asterisk-biz mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-biz
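
Added example, not part of the original thread and not Fail2Ban's own code: a sketch of the rule described above (ban a host that fails a certain number of registration attempts in a given period), run over constructed log lines. The log lines, addresses, thresholds and the names find_offenders, max_retry and find_time are assumptions made for illustration; the line layout follows the chan_sip "Registration ... failed" notice.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
[2009-02-27 16:00:01] NOTICE[2811] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.23' - No matching peer found
[2009-02-27 16:00:02] NOTICE[2811] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.23' - No matching peer found
[2009-02-27 16:00:03] NOTICE[2811] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.23' - Wrong password
[2009-02-27 16:00:04] NOTICE[2811] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '198.51.100.23' - No matching peer found
[2009-02-27 16:00:05] VERBOSE[2811] logger.c:     -- Registered SIP '201' at 192.0.2.50 port 5060
[2009-02-27 16:01:00] NOTICE[2811] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[2009-02-27 16:02:00] NOTICE[2811] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[2009-02-27 16:32:00] NOTICE[2811] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.5' - Wrong password
"""

FAILED = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'.*?<sip:(?P<ext>[^@>]+)@[^>]*>' failed for '(?P<ip>[\d.]+)(?::\d+)?' - "
)

def find_offenders(log_text, max_retry=3, find_time=timedelta(minutes=10)):
    """Return {ip: extensions tried} for hosts with max_retry failures inside find_time."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    tried = defaultdict(set)      # ip -> every extension the host attempted
    offenders = set()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful registrations and other notices are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        tried[ip].add(m["ext"])
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()      # forget failures older than the window
        if len(window) >= max_retry:
            offenders.add(ip)
    # Many distinct extensions from one source suggests extension scanning.
    return {ip: sorted(tried[ip]) for ip in offenders}

if __name__ == "__main__":
    for ip, exts in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip}: {len(exts)} extensions tried ({', '.join(exts)})")
```

The host with three failures spread over half an hour stays under the threshold, while the one walking through extensions 100 to 103 in a few seconds is flagged.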

