SIP VoIP botnet question

packetfilte...@gmail.com Sat, 18 Sep 2010 14:34:46 -0700

Hi

Can someone shed some light on the following (pfSense) PF log entries;

36. 281054 rule 80/0(match): block in on ng0: (tos 0x0, ttl 45, id51305, offset 0, flags [DF], proto UDP (17), length 437) 124.92.251.2.5060

 > 91.84.205.47.5060: SIP, length: 409

OPTI\200\242\224LL\223\006\000`\000\000\000p\000\000\000\024\000\000\000=\002\001\000ng0\000\000\000\000\000\000\000\000\000\000\000\
000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000P\377\377\377\377\377\377\377\377\240\206\001\000\000\000\
000\000\306\320\000\000\001\000\000\000e\000\0000\3...@\000q\006\201\271\274\201\312\242[t\315,\012\360\001\275e\267\010\177\000\000\000\000{
\242\224Lfv\002\000`\000\000\000t\000\000\000\024\000\000\000=\002\000\000fxp0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\00
0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000h\377\377\377\377\377\377\377\377\240\206\001\000\000\000\000\000\306\320\000\00
0\001\000\000\000E\000\0004\342;@\000?\006=\314\012\261\301RBf\015S9,\001\273\327\020\370\272\000\000\000\000{\242\224L>\202\002\000`\000\000
\000t\000\000\000\024\000\000\000=\002\000\000fxp0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\00
0\000\000\000\000\000\000\000\000h\377\377\377\377\377\377\377\377\240\206\001\000\000\000\000\000\306\320\000\000\001\000\000\000E\000\0004\
0...@\000?\006\006\227\012\261\301rbf\015s9-\001\273\327\024;\305\000\000\000\000{\242\224L\343\323\003\000`\000\000\000t\000\000\000\024\000
\000\000=\002\000\000fxp0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000
        0x0000:  4f50 5449

Sep 18 16:36:42 pf: From: "sipsscuser"<sip:1...@192.168.1.9>;t\000\000\000\000\200\002\301\350\006\226\000\000\002\004\005\254\001\00

3\003\000\001\001\004\002t\000\000\000\024\000\000\000=\002\000\000fxp0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\0
00\000\000\000\000\000\000\000\000\000\000\000\000\000h\377\377\377\377\377\377\377\377\240\206\001\000\000\000\000\000}\025\000\000\001\000\
000\000e\000\0004\031\...@\000?\006\204\207\012\261\301r\255\302$d5\214\000p\013sl\352\000\000\000\000\200\002\301\350\200\364\000\000\002\00
4\005\254\001\003\003\000\001\001\004\002\024\000\005\000=\002\000\000fxp0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\00
0\000\000\000\000\000\000\000\000\000\000\000\000\000\000m\377\377\377\377\377\377\377\377\240\206\001\000\000\000\000\000}\025\000\000\001\0

00\000\000e\000\0004\304\...@\000?\006\276\012\261\301R\331\222\260\3515\207\003\343\012\005h\275\000

Sep 18 16:36:42         pf: Content-Length: 0

Sep 18 16:36:42 pf: Via: SIP/2.0/UDP192.168.1.9:5060;branch=z9hG4bK-02932966;rport

Sep 18 16:36:42         pf: OPTIONS sip:1...@91.84.205.44 SIP/2.0

I've been experiencing a lot of problems when trying to log into onlinebanking and Googlemail and sometime see private IP addresses between myADSL router and my ISP's gateway. Does anybody know if these log entriesmay be associated with some malicious activities as they were createdwhilst I was unable to log into Googlemail earlier today.

I don't use VoIP and use a default deny firewall (ie; both in and out)policy. However I'm using RST and DEST-UNR which may invite a botnet orfeeling lucky today script kid.

Resetting the PF state seems to alleviate the problem at least partiallybut even though PF logs that the packet was locked it seems to becausing problems. Is it some sort of arp poisoning or UDP injectionwhich is stuffing the routing tables.


Can anyone offer any advice.

Thanks

Rhys

SIP VoIP botnet question

Reply via email to