[nsp-sec] Open SIP abuse
Alfredo Sola
alfredo at solucionesdinamicas.net
Mon Oct 20 11:58:05 EDT 2008
Good day,
We had a case where a miscreant seems to have found and exploited an
open SIP server on a customer site.
The only trace left, aside from call records, is this IP address trying
to reach the SIP port on the attacked network after an ACL was deployed.
Times are GMT:
Oct 20 12:21:43.517: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 1 packet
Oct 20 12:39:31.119: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 1 packet
Oct 20 13:05:31.127: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 1 packet
Oct 20 14:00:31.142: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 1 packet
Oct 20 14:20:31.145: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 2 packets
Oct 20 14:29:31.144: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 3 packets
Oct 20 14:35:31.147: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 2 packets
Oct 20 14:40:31.147: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 3 packets
Oct 20 14:46:31.145: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 2 packets
Oct 20 14:51:31.145: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 4 packets
Oct 20 14:56:31.149: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 7 packets
Oct 20 15:01:31.150: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 3 packets
Oct 20 15:07:31.149: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 1 packet
Oct 20 15:12:31.150: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 6 packets
Oct 20 15:18:31.154: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 2 packets
Oct 20 15:23:31.155: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 3 packets
Oct 20 15:40:31.158: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 1 packet
Oct 20 15:46:31.158: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 1 packet
AS | IP | AS Name
17464 | 202.157.176.219 | TMIDC-AP Hosting Services (MYLOCA),
PEER_AS | IP | AS Name
17971 | 202.157.176.219 | EASTGATE-AP Datacenter Management
Hope this helps, if nothing else as a heads-up.
--
Alfredo Sola
ASP5-RIPE
http://alfredo.sola.es/
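The ACL log lines above are the kind of artifact a defender is usually left with once the hole is closed. The following is an added example, not code from the post or from its author: it parses Cisco IOS %SEC-6-IPACCESSLOGP records and aggregates denied hits per source/destination on the SIP port, so a source that keeps knocking across many log intervals stands out from one-off scanner noise. The sample records, their addresses and the year (IOS timestamps carry none) are constructed assumptions.

```python
import re
from datetime import datetime
# One Cisco IOS %SEC-6-IPACCESSLOGP record per syslog line; "N packets" is the
# number of matches since the previous record for that flow, so counts are summed.
ACL_LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})(?:\.\d+)?:\s+"
    r"%SEC-6-IPACCESSLOGP:\s+list\s+(?P<acl>\S+)\s+(?P<action>denied|permitted)\s+"
    r"(?P<proto>\w+)\s+(?P<src>[\d.]+)\((?P<sport>\d+)\)\s+->\s+"
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\),\s+(?P<count>\d+)\s+packets?$"
)

def parse_acl_log_line(line, year=2008):
    """Parse one ACL log line into a dict, or return None if it is not one."""
    m = ACL_LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # IOS timestamps carry no year; the caller supplies one (2008 is a constructed default).
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    for k in ("sport", "dport", "count"):
        rec[k] = int(rec[k])
    return rec

def summarize_denied(lines, dport=5060):
    """Per (src, dst): number of denied records towards dport, packets, first/last seen."""
    flows = {}
    for line in lines:
        rec = parse_acl_log_line(line)
        if rec is None or rec["action"] != "denied" or rec["dport"] != dport:
            continue
        f = flows.setdefault((rec["src"], rec["dst"]),
                             {"events": 0, "packets": 0, "first": rec["ts"], "last": rec["ts"]})
        f["events"] += 1
        f["packets"] += rec["count"]
        f["first"], f["last"] = min(f["first"], rec["ts"]), max(f["last"], rec["ts"])
    return flows

def persistent_sources(flows, min_events=3):
    """Sources seen in at least min_events denied records, i.e. not a one-off probe."""
    return sorted({src for (src, _), f in flows.items() if f["events"] >= min_events})

# Constructed sample log (documentation addresses, not the post's real ones).
SAMPLE_LOG = [
    "Oct 20 14:20:31.145: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 192.0.2.10(5060) -> 198.51.100.5(5060), 2 packets",
    "Oct 20 14:29:31.144: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 192.0.2.10(5060) -> 198.51.100.5(5060), 3 packets",
    "Oct 20 14:35:31.147: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 192.0.2.10(5060) -> 198.51.100.5(5060), 1 packet",
    "Oct 20 15:01:31.150: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 203.0.113.7(5060) -> 198.51.100.5(5060), 1 packet",
    "Oct 20 15:02:10.003: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied tcp 203.0.113.7(40001) -> 198.51.100.5(22), 1 packet",
    "Oct 20 15:03:00.000: %SEC-6-IPACCESSLOGP: list TraficoDeFuera permitted udp 198.51.100.9(5060) -> 198.51.100.5(5060), 5 packets",
]
```

Running `persistent_sources(summarize_denied(SAMPLE_LOG))` over the constructed sample returns only the source that appears in three separate denied records, which is the pattern in the post's log.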