Not true about them all being script kiddies.

The way they did this, though, was through a worm. One of my accounting person's machines got infected, and the worm harvested URL/userid/password data. They used this data to log into our termination provider to get our SIP account userid/password. This termination provider didn't support locking to the IPs of our servers, not that it would have mattered since they had access to our account. They also altered our account for auto-replenishment (we keep this turned off just for this reason). Like others, then late on Friday they turned on the flood gates and by Monday had racked up about US$4,000 in LD.

Almost all the LD traffic was terminating in Moscow to cell phones, which within the week were not in service (burners). All the originating IPs for the calls were in Russia or the Czech Republic, and the IP used to alter our account was originating in the Czech Republic. In this case I'd tend to say it was more likely organized crime that was behind the attack.

Now this is a different vector of attack than has been discussed, and it bypassed our asterisk server completely. On the SIP probing, we have also been seeing a big increase in the probing, mainly from Asia and Eastern Europe. Besides the basic SIP registration, some are SIP calls to our ID, and then they attempt different feature codes to see if they can activate DISA from the auto attendant.

Just one other thing to look out for.

Mike
Blaine Aldridge wrote:

Hey All,

Stephan, I think you're on to something with this mousetrap idea. It could be used as a 'heads up' for the asterisk administrator.

I think we should actually try to track down these script kiddies (as they are not hackers) and figure out who they are working for.

How about a TrixHoneypot?

The idea being that you purposely have what appears to be an insecure trixbox: no authentication for a specific SIP peer and all default passwords, running in a VM so it's easy to destroy and recreate. Then you have a second VM with a pure asterisk server. The TrixHoneypot would place all outbound telephone calls to the asterisk in the other VM.

The asterisk server, instead of actually terminating the calls, would generate a random ring length, then answer locally, play a recording of someone saying "Hello?", record the phone call for a random amount of time, then hang up, thus simulating a successful call.

Syslog on the TrixHoneypot could be set up to send logs to a remote syslogd. We would try to find out all the different IPs the hacker is connecting to the TrixHoneypot from. Also we could look at the dial patterns and listen to the message the script kiddie is trying to play. I assume they would be doing something like ADAD and just playing a recording file to the person they have called.

Not only would this screw up their database of what they think were successful calls, but it could possibly provide us enough info to take to the authorities.

To those on the list that had a trixbox or asterisk exploited: did they first make a test call? Say to a 1800 # or something, to verify that calls were actually terminated correctly? It'd be funny if they called their own personal cell phone number as their test call.

If that's the case we could always have the first call go through successfully (and recorded) to the real number and then all subsequent calls go to the fake dial plan.

Convoluted... yes. But this way we could actually acquire a lot more info on the perpetrator and possibly (long shot) catch them.

Blaine Aldridge
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Mike Ashton
Quality Track Intl
Ph: 647-722-2092 x 301
Cell: 416-527-4995
Fax: 416-352-6043
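The pattern Mike describes (a late-Friday flood of international calls to one destination, from source addresses that are not the PBX, racked up before anyone looks on Monday) is visible in a CDR export long before the bill arrives. The following is an added example, not code from the thread or from any termination provider: an hourly burst detector that applies tighter thresholds outside business hours and lists source IPs that are not on the allowlist. It assumes a simplified CSV export with the columns start,src_ip,dialed,duration_s,cost_usd and NANP dialing (international calls prefixed with 011); the sample rows are constructed, not real records.

```python
"""Hourly burst detector for international (LD) traffic in a CDR export.

Added example for the thread above; not code from the list or from any
provider. Assumes a simplified CSV export (columns below) and NANP dialing.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export: three domestic business-hour calls, one legitimate
# international call, then twelve late-Friday international calls from an
# unfamiliar address (203.0.113.9) to consecutive Moscow numbers.
SAMPLE_CDR = """\
start,src_ip,dialed,duration_s,cost_usd
2009-05-15T10:12:00,198.51.100.7,14165550101,120,0.02
2009-05-15T11:40:00,198.51.100.7,16475550144,300,0.05
2009-05-15T14:00:00,198.51.100.7,0114420555010,240,1.20
2009-05-15T15:30:00,198.51.100.7,14165550199,60,0.01
2009-05-15T23:05:00,203.0.113.9,0117495550001,1800,3.60
2009-05-15T23:06:00,203.0.113.9,0117495550002,1800,3.60
2009-05-15T23:09:00,203.0.113.9,0117495550003,1800,3.60
2009-05-15T23:11:00,203.0.113.9,0117495550004,1800,3.60
2009-05-15T23:14:00,203.0.113.9,0117495550005,1800,3.60
2009-05-15T23:18:00,203.0.113.9,0117495550006,1800,3.60
2009-05-15T23:22:00,203.0.113.9,0117495550007,1800,3.60
2009-05-15T23:27:00,203.0.113.9,0117495550008,1800,3.60
2009-05-15T23:31:00,203.0.113.9,0117495550009,1800,3.60
2009-05-15T23:36:00,203.0.113.9,0117495550010,1800,3.60
2009-05-15T23:42:00,203.0.113.9,0117495550011,1800,3.60
2009-05-15T23:49:00,203.0.113.9,0117495550012,1800,3.60
"""


def parse_cdr(text):
    """Parse the simplified CSV export into a list of dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "start": datetime.fromisoformat(r["start"]),
            "src_ip": r["src_ip"],
            "dialed": r["dialed"],
            "duration": int(r["duration_s"]),
            "cost": float(r["cost_usd"]),
        })
    return rows


def is_international(dialed):
    """NANP: 011 prefix, or a + number outside country code 1."""
    return dialed.startswith("011") or (dialed.startswith("+") and not dialed.startswith("+1"))


def is_off_hours(ts):
    """Weekend, or a weekday outside 08:00-18:00 local PBX time."""
    return ts.weekday() >= 5 or not (8 <= ts.hour < 18)


def find_bursts(records, max_calls=(20, 5), max_cost=(50.0, 10.0)):
    """Bucket international calls by clock hour and flag buckets over threshold.

    Thresholds are (business_hours, off_hours) pairs; off-hours limits are
    lower because legitimate LD traffic drops while fraud traffic does not.
    """
    buckets = defaultdict(list)
    for r in records:
        if is_international(r["dialed"]):
            buckets[r["start"].replace(minute=0, second=0, microsecond=0)].append(r)
    alerts = []
    for hour in sorted(buckets):
        calls = buckets[hour]
        off = is_off_hours(hour)
        calls_limit = max_calls[1] if off else max_calls[0]
        cost_limit = max_cost[1] if off else max_cost[0]
        cost = round(sum(c["cost"] for c in calls), 2)
        if len(calls) > calls_limit or cost > cost_limit:
            alerts.append({
                "hour": hour, "off_hours": off, "calls": len(calls), "cost": cost,
                "src_ips": sorted({c["src_ip"] for c in calls}),
            })
    return alerts


def unknown_sources(records, allowlist):
    """Count calls per source IP that is not a known PBX/server address."""
    counts = defaultdict(int)
    for r in records:
        if r["src_ip"] not in allowlist:
            counts[r["src_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    for a in find_bursts(recs):
        print(f"ALERT {a['hour']:%Y-%m-%d %H:00} off_hours={a['off_hours']} "
              f"calls={a['calls']} cost=${a['cost']:.2f} from {', '.join(a['src_ips'])}")
    print("calls from non-allowlisted IPs:", unknown_sources(recs, {"198.51.100.7"}))
```

Run against a provider's real export, the hourly check is something a cron job can do every hour over the weekend, which is exactly when nobody is watching; the allowlist check is the detective counterpart of the IP locking Mike's provider did not offer, and it still fires when the account credentials themselves have been stolen.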
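Blaine's fake-termination step (random ring length, answer locally, play "Hello?", record for a random time, hang up) maps directly onto a short AGI script on the second asterisk box. The following is an added example in the spirit of that idea, not code from the thread or from the trixbox project. It speaks the Asterisk AGI protocol on stdin/stdout, so all the timing is done by Asterisk itself via EXEC Wait and the RECORD FILE timeout; the script only decides the random lengths and writes one JSON log line per call that a remote syslogd could collect. Assumptions: a prompt file named honeypot-hello exists in Asterisk's sounds directory, /var/spool/asterisk/honeypot is writable by Asterisk, and the sample AGI header block is constructed.

```python
"""Fake-termination AGI script for a voice honeypot.

Added example in the spirit of the TrixHoneypot idea; not code from the list
or from trixbox/Asterisk. Asterisk starts it with AGI(honeypot.py) from the
honeypot's outbound context and exchanges AGI commands over stdin/stdout.
"""
import io
import json
import random
import sys
from datetime import datetime, timezone

HELLO_PROMPT = "honeypot-hello"              # assumed sound file (no extension) in the sounds dir
RECORD_DIR = "/var/spool/asterisk/honeypot"  # assumed writable directory for recordings
RING_RANGE = (3, 12)                         # seconds of ringback before the fake "answer"
RECORD_RANGE = (5, 40)                       # seconds the fake callee stays on the line

# Constructed AGI header block of the kind Asterisk sends before the first command.
SAMPLE_ENV = (
    "agi_request: honeypot.py\n"
    "agi_channel: SIP/honeypot-00000001\n"
    "agi_uniqueid: 1242424242.7\n"
    "agi_callerid: 100\n"
    "agi_extension: 0117495550001\n"
    "\n"
)


def read_agi_env(inp):
    """Read the agi_* header lines Asterisk sends first; a blank line ends the block."""
    env = {}
    for line in inp:
        line = line.rstrip("\r\n")
        if not line:
            break
        key, _, value = line.partition(":")
        env[key.strip()] = value.strip()
    return env


def agi_command(inp, out, command):
    """Send one AGI command and return Asterisk's one-line reply ('' if the pipe closed)."""
    out.write(command + "\n")
    out.flush()
    return inp.readline().rstrip("\r\n")


def simulate_answered_call(inp, out, rng=random, log=sys.stderr):
    """Ring, answer, play the prompt, record, hang up; return a summary of the call."""
    env = read_agi_env(inp)
    uniqueid = env.get("agi_uniqueid", "nocall")
    ring_seconds = rng.randint(*RING_RANGE)
    record_ms = rng.randint(*RECORD_RANGE) * 1000
    summary = {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "channel": env.get("agi_channel", ""),
        "callerid": env.get("agi_callerid", ""),
        "dialed": env.get("agi_extension", ""),
        "ring_seconds": ring_seconds,
        "record_ms": record_ms,
        "status": "completed",
    }
    script = [
        "EXEC Ringing",                                          # send ringback to the caller
        f"EXEC Wait {ring_seconds}",                             # random ring length
        "ANSWER",
        f'STREAM FILE {HELLO_PROMPT} ""',                        # "Hello?" (no escape digits)
        f'RECORD FILE {RECORD_DIR}/{uniqueid} wav "" {record_ms}',  # capture what they play
        "HANGUP",
    ]
    for command in script:
        reply = agi_command(inp, out, command)
        if not reply.startswith("200"):
            # Asterisk sends HANGUP (or closes the pipe) if the caller drops first;
            # anything else is an AGI error such as 511 on a dead channel.
            hung_up = reply == "" or reply.startswith("HANGUP")
            summary["status"] = "caller_hung_up" if hung_up else "agi_error"
            summary["failed_command"] = command.split(" ", 1)[0]
            break
    log.write(json.dumps(summary) + "\n")  # one line per call for the remote syslog
    return summary


def run_scripted(agi_env, replies, seed=0):
    """Drive the script against canned Asterisk replies (offline test harness)."""
    inp = io.StringIO(agi_env + "".join(r + "\n" for r in replies))
    out, log = io.StringIO(), io.StringIO()
    summary = simulate_answered_call(inp, out, rng=random.Random(seed), log=log)
    return summary, out.getvalue().splitlines()


if __name__ == "__main__":
    simulate_answered_call(sys.stdin, sys.stdout)
```

In the honeypot's extensions.conf the outbound context routes every pattern to this script instead of Dial(), for example `exten => _X.,1,AGI(honeypot.py)`; the per-call JSON line gives the source channel, the dialed number and the recording name, which is the material Blaine wants for dial-pattern analysis and for listening to whatever the caller plays.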