Hey All, Stephan, I think you're on to something with this mousetrap idea. It could be used as a 'heads up' for the Asterisk administrator.

I think we should actually try to track down these script kiddies (as they are not hackers) and figure out who they are working for. How about a TrixHoneypot? The idea is that you purposely have what appears to be an insecure trixbox: no authentication for a specific SIP peer and all default passwords, running in a VM so it's easy to destroy and recreate. Then you have a second VM of a pure Asterisk server. The TrixHoneypot would place all outbound telephone calls to the Asterisk in the other VM. The Asterisk server, instead of actually terminating the calls, will generate a random ring length, then answer locally, play a recording of someone saying "Hello?", record the phone call for a random amount of time, and then hang up, thus simulating a successful call.

Syslog on the TrixHoneypot could be set up to send logs to a remote syslogd. We would try to find out all the different IPs the hacker is connecting to the TrixHoneypot from. We could also look at the dial patterns and listen to the message the script kiddie is trying to play. I assume they would be doing something like ADAD and just playing a recording file to the person they have called. Not only would this screw up their database of what they think were successful calls, but it could possibly provide us enough info to take to the authorities.

To those on the list that had a trixbox or Asterisk exploited: did they first make a test call, say to a 1800 # or something, to verify that calls were actually terminated correctly? It would be funny if they called their own personal cell phone number as their test call. If that's the case, we could always have the first call go through successfully (and recorded) to the real number and then send all subsequent calls to the fake dial plan. Convoluted... yes. But this way we could actually acquire a lot more info on the perpetrator and possibly (long shot) catch them.
Blaine Aldridge
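As an added illustration (not part of Blaine's message or any trixbox/Asterisk project code), here is an extensions.conf fragment for the second, "pure Asterisk" VM that fakes a successful call the way the proposal describes: random ring time, answer, play a "Hello?" prompt, record for a random length, hang up. It assumes the honeypot's outbound trunk lands calls in the `fake-terminate` context, that a custom prompt `honeypot/hello` has been recorded, and that logger.conf forwards the NOTICE channel to syslog.

```ini
; extensions.conf on the terminating Asterisk VM (example, not from the original post)
; Assumed: the SIP peer that the TrixHoneypot uses as its "trunk" has context=fake-terminate.
[fake-terminate]
; _X. matches any dialled number of one or more digits.
exten => _X.,1,NoOp(Honeypot call: dialled=${EXTEN} callerid=${CALLERID(num)} uid=${UNIQUEID})
; Log(NOTICE,...) goes to the Asterisk logger; point the NOTICE channel at syslog in logger.conf
; (e.g. "syslog.local0 => notice") so the remote syslogd receives every attempt.
exten => _X.,n,Log(NOTICE,honeypot dialled=${EXTEN} from=${CALLERID(num)} uid=${UNIQUEID})
; Random ring length of 4 to 20 seconds, so the fraudster's dialer sees a plausible ring.
exten => _X.,n,Set(RINGSECS=${RAND(4,20)})
exten => _X.,n,Ringing()
exten => _X.,n,Wait(${RINGSECS})
exten => _X.,n,Answer()
; Assumed custom prompt: /var/lib/asterisk/sounds/honeypot/hello.* with someone saying "Hello?"
exten => _X.,n,Playback(honeypot/hello)
; Random "conversation" length of 15 to 90 seconds; silence detection disabled (0) so
; a fully automated message from the other side is captured in full.
exten => _X.,n,Set(RECSECS=${RAND(15,90)})
exten => _X.,n,Record(/var/spool/asterisk/honeypot/${EPOCH}-${EXTEN}-${UNIQUEID}.wav,0,${RECSECS})
exten => _X.,n,Hangup()
; If the caller hangs up first, record the fact so short test calls stand out in the logs.
exten => h,1,Log(NOTICE,honeypot hangup dialled=${EXTEN} uid=${UNIQUEID} duration=${CDR(billsec)}s)
```

The recordings directory must exist and be writable by the asterisk user; the dialled numbers and recordings together give the dial patterns and payload message the post wants to collect.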
