Re: SIP VoIP botnet question

2010-09-19 Thread Stuart Henderson
On 2010-09-18, packetfilte...@gmail.com  wrote:
> Hi
>
> Can someone shed some light on the following (pfSense) PF log entries;

Don't know pfSense, but these logs appear to show the firewall blocking
some traffic that you told it to block.

> I've been experiencing a lot of problems when trying to log into online 
> banking and Googlemail and sometimes see private IP addresses between my 
> ADSL router and my ISP's gateway.

Talk to pfSense people or your ISP.
My guess would be broken path mtu discovery.

http://www.elifulkerson.com/projects/mtu-eyechart.php

> I don't use VoIP

Makes no difference to people scanning; they will search for endpoints
on your network whether or not you have them.

(Not for you, but for people who do run voip then for the love of
$DEITY keep an eye on security. Use strong passwords so you just get
the log spam and packets-per-second and not the phone bills too,
and make sure you have a handle on how you've configured your
software; e.g. with asterisk don't get confused about contexts,
and if you use "insecure" flags anywhere then understand what
they do and make sure it's safe.)

> However I'm using RST and DEST-UNR which may invite a botnet or 
> feeling lucky today script kid.
>
> Resetting the PF state seems to alleviate the problem at least partially 
> but even though PF logs that the packet was locked it seems to be 
> causing problems. Is it some sort of arp poisoning or UDP injection 
> which is stuffing the routing tables?

Huh?



Re: SIP VoIP botnet question

2010-09-19 Thread Henning Brauer
* packetfilte...@gmail.com  [2010-09-18 23:34]:
> Can someone shed some light on the following (pfSense) PF log entries;

wrong list.

some ancient (that is the very friendly wording) pf version on some OS
that isn't OpenBSD which has been modified. how would we know?


-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting



Re: SIP VoIP botnet question

2010-09-19 Thread Mark R
Install ngrep and run

ngrep -q -t -P "" -W byline -d ng0 SIP

Should show the SIP packets in a more friendly format.



On Sat, Sep 18, 2010 at 10:29 PM, packetfilte...@gmail.com <
packetfilte...@gmail.com> wrote:

> Hi
>
> Can someone shed some light on the following (pfSense) PF log entries;
>
>
> 36. 281054 rule 80/0(match): block in on ng0: (tos 0x0, ttl 45, id 51305, offset 0, flags [DF], proto UDP (17), length 437) 124.92.251.2.5060 > 91.84.205.47.5060: SIP, length: 409
>
> Sep 18 16:36:42 pf: From: "sipsscuser";
> Sep 18 16:36:42 pf: Content-Length: 0
> Sep 18 16:36:42 pf: Via: SIP/2.0/UDP 192.168.1.9:5060;branch=z9hG4bK-02932966;rport
> Sep 18 16:36:42 pf: OPTIONS sip:1...@91.84.205.44 SIP/2.0
>
>
>
> I've been experiencing a lot of problems when trying to log into online
> banking and Googlemail and sometimes see private IP addresses between my ADSL
> router and my ISP's gateway. Does anybody know if these log entries may be
> associated with some malicious activities as they were created whilst I was
> unable to log into Googlemail earlier today?
>
> I don't use VoIP and use a default deny firewall (i.e. both in and out)
> policy. However I'm using RST and DEST-UNR which may invite a botnet or
> feeling lucky today script kid.
>
> Resetting the PF state seems to alleviate the problem at least partially
> but even though PF logs that the packet was locked it seems to be causing
> problems. Is it some sort of arp poisoning or UDP injection which is
> stuffing the routing tables?
>
> Can anyone offer any advice?
>
> Thanks
>
> Rhys



SIP VoIP botnet question

2010-09-18 Thread packetfilte...@gmail.com

Hi

Can someone shed some light on the following (pfSense) PF log entries;


36. 281054 rule 80/0(match): block in on ng0: (tos 0x0, ttl 45, id 51305, offset 0, flags [DF], proto UDP (17), length 437) 124.92.251.2.5060 > 91.84.205.47.5060: SIP, length: 409




Sep 18 16:36:42 pf: From: "sipsscuser"; 

Sep 18 16:36:42 pf: Content-Length: 0
Sep 18 16:36:42 pf: Via: SIP/2.0/UDP 192.168.1.9:5060;branch=z9hG4bK-02932966;rport

Sep 18 16:36:42 pf: OPTIONS sip:1...@91.84.205.44 SIP/2.0



I've been experiencing a lot of problems when trying to log into online 
banking and Googlemail and sometimes see private IP addresses between my 
ADSL router and my ISP's gateway. Does anybody know if these log entries 
may be associated with some malicious activities as they were created 
whilst I was unable to log into Googlemail earlier today?


I don't use VoIP and use a default deny firewall (i.e. both in and out) 
policy. However I'm using RST and DEST-UNR which may invite a botnet or 
feeling lucky today script kid.


Resetting the PF state seems to alleviate the problem at least partially 
but even though PF logs that the packet was locked it seems to be 
causing problems. Is it some sort of arp poisoning or UDP injection 
which is stuffing the routing tables?


Can anyone offer any advice?

Thanks

Rhys
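As an added example (not code from the thread or from pfSense), a small Python parser for pf log lines in the layout quoted above: it counts blocked inbound UDP/5060 packets per source and the number of distinct destinations each source hit, which is the endpoint-sweep pattern Stuart describes, and tallies the SIP request method from the logged payload lines. It assumes pfSense keeps tcpdump's verbose layout for pflog entries; all log lines other than the first are constructed.

```python
import re
from collections import Counter
# Field pattern for the pf/tcpdump-style lines quoted above (assumption: pfSense
# keeps tcpdump's verbose layout for pflog entries).
PF_LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"\(.*?proto (?P<proto>\w+) \((?P<proto_num>\d+)\), length (?P<length>\d+)\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)"
)
# Request line of a logged SIP payload, as in the "pf: OPTIONS sip:... SIP/2.0" entry.
SIP_REQ_RE = re.compile(r"pf: (?P<method>[A-Z]+) (?P<uri>sip:\S+) SIP/2\.0")

def parse_pf_line(line):
    """Return the interesting fields of one pf log line as a dict, or None."""
    m = PF_LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "proto_num", "length", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def sip_scan_summary(log_text, port=5060):
    """Per source: (blocked inbound UDP packets to `port`, distinct destinations).
    One source hitting many destinations is the endpoint sweep described above."""
    hits, targets = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_pf_line(line)
        if not rec or rec["action"] != "block" or rec["dir"] != "in":
            continue
        if rec["proto"] != "UDP" or rec["dport"] != port:
            continue
        hits[rec["src"]] += 1
        targets.setdefault(rec["src"], set()).add(rec["dst"])
    return {src: (n, len(targets[src])) for src, n in hits.items()}

def sip_methods(log_text):
    """Count SIP request methods (e.g. OPTIONS) in logged payload lines."""
    return Counter(m.group("method") for m in SIP_REQ_RE.finditer(log_text))

# Constructed sample: line 1 is the entry quoted in the post; the others are made
# up (203.0.113.0/24 is a documentation range) to show the sweep pattern.
SAMPLE_LOG = """\
36. 281054 rule 80/0(match): block in on ng0: (tos 0x0, ttl 45, id 51305, offset 0, flags [DF], proto UDP (17), length 437) 124.92.251.2.5060 > 91.84.205.47.5060: SIP, length: 409
37. 281090 rule 80/0(match): block in on ng0: (tos 0x0, ttl 45, id 51306, offset 0, flags [DF], proto UDP (17), length 437) 124.92.251.2.5060 > 91.84.205.48.5060: SIP, length: 409
38. 281130 rule 80/0(match): block in on ng0: (tos 0x0, ttl 45, id 51307, offset 0, flags [DF], proto UDP (17), length 437) 124.92.251.2.5060 > 91.84.205.49.5060: SIP, length: 409
39. 281200 rule 80/0(match): block in on ng0: (tos 0x0, ttl 52, id 7, offset 0, flags [DF], proto TCP (6), length 60) 203.0.113.9.44321 > 91.84.205.47.443: Flags [S]
Sep 18 16:36:42 pf: OPTIONS sip:user@91.84.205.44 SIP/2.0
"""
```

Running sip_scan_summary(SAMPLE_LOG) gives {'124.92.251.2': (3, 3)}: one source, three blocked probes, three different addresses, with the TCP line ignored.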