[asterisk-users] Why are the hackers scanning for these?
Hey,

I'm going thru logs, and I see some very common and interesting things that the hackers are looking for. In a whole bunch of scans, I've noticed that the first guess or two for sip accounts is usually a 10-digit number. I'm asking myself, why these numbers? Are they looking for a voip trunk? Or is it just like a serial number for the scan? What?

Here's some examples:

2648061411
3190339404
2685608247
3358171034
2092652562
2206598858

Just trying to follow the advice: Know thy Enemy

murf

Steve Murphy
ParseTree Corp.
57 Lane 17
Cody, WY 82414
✉ m...@parsetree.com
☎ 307-899-5535

-- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Why are the hackers scanning for these?
> Here's some examples: 2648061411 3190339404

I'm getting exactly the same. Odds of getting a working number, are like the odds of winning the lottery.

My guess is they are either trying to find a voip trunk, or they are trying to make cold calls to the extensions on my system. Sales or something similar.
Re: [asterisk-users] Why are the hackers scanning for these?
My guess is they are looking for 10 digit phone numbers as extensions.

Are they all from 1 IP address or from many? If from many, they are likely many serial scan or from a list of suspected VOIP numbers. If from one, and that random, then from a list of suspected VOIP numbers.

Since you listed a phone number as part of your signature… I might guess hackers might soon add that number to a scan list.

It is one thing to randomly run 2,XXX-, to 999-999-, with skips for the “dead zones,” (0-XXX-XXX-) etc. but another to hit suspected VOIP numbers.

Cary Fitch

From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Steve Murphy
Sent: Sunday, November 07, 2010 8:12 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] Why are the hackers scanning for these?

> Hey, I'm going thru logs, and I see some very common and interesting things that the hackers are looking for. In a whole bunch of scans, I've noticed that the first guess or two for sip accounts is usually a 10-digit number. I'm asking myself, why these numbers? Are they looking for a voip trunk? Or is it just like a serial number for the scan? What?
>
> Here's some examples: 2648061411 3190339404 2685608247 3358171034 2092652562 2206598858
>
> Just trying to follow the advice: Know thy Enemy
>
> murf
Re: [asterisk-users] Why are the hackers scanning for these?
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Dan Journo
Sent: Sunday, November 07, 2010 8:33 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Why are the hackers scanning for these?

> Here's some examples: 2648061411 3190339404
>
> I'm getting exactly the same. Odds of getting a working number, are like the odds of winning the lottery.
>
> My guess is they are either trying to find a voip trunk, or they are trying to make cold calls to the extensions on my system. Sales or something similar.

We got pounded last weekend, but installed a list of distant IPs in IPTABLES and see nothing this weekend.

We have no need to be contacted by any sites more than 2500 miles away, and not too many from within 2500 miles. ;-)

Cary Fitch
Re: [asterisk-users] Why are the hackers scanning for these?
On Sun, Nov 7, 2010 at 10:00 AM, Cary Fitch ca...@usawide.net wrote:

> We got pounded last weekend, but installed a list of distant IPs in IPTABLES and see nothing this weekend.
>
> We have no need to be contacted by any sites more than 2500 miles away, and not too many from within 2500 miles. ;-)
>
> Cary Fitch

I've just switched my outbound ip address a week ago. Not static, but dhcp on TimeWarner cable. I've registered only with another of our offices. The outbound calls are all pstn bound through Teliax. But somehow my log is filling up with registration requests over this new ip address from a bunch of addresses. How can these guys find my new ip address? Or are they just scanning all ip addresses in creation?

sean
Re: [asterisk-users] Why are the hackers scanning for these?
On Sun, Nov 07, 2010 at 07:11:43AM -0700, Steve Murphy wrote:

> Hey, I'm going thru logs, and I see some very common and interesting things that the hackers are looking for. In a whole bunch of scans, I've noticed that the first guess or two for sip accounts is usually a 10-digit number. I'm asking myself, why these numbers? Are they looking for a voip trunk? Or is it just like a serial number for the scan? What?

It's SIPVicious. Before it starts its sequential scan, it makes sure that it can tell the difference between a valid peer and an unknown one. It tries two random peers, expecting a 404 response to at least one (most likely both) of them. Then, if it later gets a 401 during the sequential scan, it knows it's found a good peer name that can be targeted for password guessing.

On the other hand, if both random guesses elicit 401 responses to REGISTERs, it knows that it can't winnow out the real peers, and (normally) just gives up right there. That's why 'alwaysauthreject' is so effective at stopping the attacks (as opposed to blocking them).

But if the attacker uses the '--force' option, which causes the scan to press on regardless, or something other than SIPVicious, only something like fail2ban will help, but that won't save your bandwidth like 'alwaysauthreject' will.

-- Barry
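Added example, not part of the thread and not code from Asterisk or SIPVicious: a log check for the pattern Barry describes, flagging a source that opens with random 10-digit peer names and then walks through many names, and listing any names that were answered differently from an unknown peer. The log line layout, the sample lines (constructed, using documentation IP ranges) and the `min_names` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on chan_sip NOTICE messages (assumed format).
SAMPLE_LOG = """\
[Nov  7 07:11:40] NOTICE[2101] chan_sip.c: Registration from '"2648061411" <sip:2648061411@203.0.113.5>' failed for '198.51.100.23' - No matching peer found
[Nov  7 07:11:40] NOTICE[2101] chan_sip.c: Registration from '"3190339404" <sip:3190339404@203.0.113.5>' failed for '198.51.100.23' - No matching peer found
[Nov  7 07:11:41] NOTICE[2101] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.23' - No matching peer found
[Nov  7 07:11:41] NOTICE[2101] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '198.51.100.23' - Wrong password
[Nov  7 07:11:42] NOTICE[2101] chan_sip.c: Registration from '"102" <sip:102@203.0.113.5>' failed for '198.51.100.23' - No matching peer found
[Nov  7 09:30:02] NOTICE[2101] chan_sip.c: Registration from '"201" <sip:201@203.0.113.5>' failed for '192.0.2.77' - Wrong password
"""

LINE_RE = re.compile(
    r"Registration from '.*?<sip:(?P<user>[^@>]+)@[^>]*>' "
    r"failed for '(?P<ip>[0-9a-fA-F.:]+)' - (?P<reason>.+)$"
)

def find_enumeration(log_text, min_names=4):
    """Return {ip: report} for sources that tried many distinct peer names."""
    by_ip = defaultdict(list)            # ip -> [(user, reason), ...] in log order
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            by_ip[m["ip"]].append((m["user"], m["reason"].strip()))
    reports = {}
    for ip, attempts in by_ip.items():
        names = list(dict.fromkeys(u for u, _ in attempts))   # distinct, in order
        if len(names) < min_names:
            continue                     # e.g. one phone with a stale password
        reports[ip] = {
            # Calibration probe: leading guesses that are random 10-digit names.
            "calibration_probe": [n for n in names[:2] if re.fullmatch(r"\d{10}", n)],
            # Names not rejected as unknown: the scanner can now tell these
            # exist, so their passwords are the ones to review first.
            "exposed_peers": sorted({u for u, r in attempts
                                     if r != "No matching peer found"}),
            "distinct_names": len(names),
        }
    return reports

if __name__ == "__main__":
    for ip, rep in find_enumeration(SAMPLE_LOG).items():
        print(ip, rep)
```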
Re: [asterisk-users] Why are the hackers scanning for these?
> I've just switched my outbound ip address a week ago. Not static, but dhcp on TimeWarner cable. I've registered only with another of our offices. The outbound calls are all pstn bound through Teliax. But somehow my log is filling up with registration requests over this new ip address from a bunch of addresses. How can these guys find my new ip address? Or are they just scanning all ip addresses in creation?
>
> sean

Follow the money

Just like for Spam, there is money in Sip-Hacking. Anyone that has SIP traffic to move (selling the service) has money. If they can move it for free, even more money.

A few servers running Hacking programs (SIPVicious) or e-mail server hacking programs is no big deal and bandwidth at colo centers is unlimited. Then they convert to BOT controllers and have free computers and bandwidth world wide.

They generate a database of public IP addresses (DHCP, whatever) and have a target of poorly protected IPs to troll.

Lucky you. ;-)

Cary
Re: [asterisk-users] Why are the hackers scanning for these?
Adding on more thoughts:

Think what Google has done in Mapping the Earth, Mapping the Web, and now working on Google Voice and Google Mail. Every one of those makes money either directly and/or synergistically with other components.

Now consider someone with telephone interests or spam interests. In this modern database and filtering and probing age, load in ARIN or RIPE IP Ranges, start building database data and filters, and let it run... And the other IP areas too.

Cary
Re: [asterisk-users] Why are the hackers scanning for these?
On Sun, Nov 7, 2010 at 11:03 AM, Cary Fitch ca...@usawide.net wrote:

> Adding on more thoughts:
>
> Think what Google has done in Mapping the Earth, Mapping the Web, and now working on Google Voice and Google Mail. Every one of those makes money either directly and/or synergistically with other components.
>
> Now consider someone with telephone interests or spam interests. In this modern database and filtering and probing age, load in ARIN or RIPE IP Ranges, start building database data and filters, and let it run... And the other IP areas too.
>
> Cary

All makes me think of forcing an ip address change each night by spoofing the mac address. Each day they'd have to find me anew!

sean