[nsp-sec] Open SIP abuse
Smith, Donald
Donald.Smith at qwest.com
Mon Oct 20 16:47:55 EDT 2008
This may not be related, but we received an email on the handlers list today from someone who received an automated vishing scam phone call last night.
"I received a phone call last night supposedly from my bank that my ATM card had been deactivated due to fraudulent activity. It was an automated recorded system giving options to reactivate the ATM or to exit. I chose exit and hung up. I called my bank this morning to ask if the call had originated from them. They notified me that customers in the area (Massachusetts, US) have been targeted for this scam."
donald.smith at qwest.com giac
________________________________
From: nsp-security-bounces at puck.nether.net on behalf of Alfredo Sola
Sent: Mon 10/20/2008 9:58 AM
To: NSP-SEC List
Subject: [nsp-sec] Open SIP abuse
----------- nsp-security Confidential --------
Good day,
We had a case where a miscreant seems to have found and exploited an
open SIP server on a customer site.
The only trace left, aside from call records, is this IP address trying
to reach the SIP port on the attacked network after an ACL was deployed.
Times are GMT:
Oct 20 12:21:43.517: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 1 packet
Oct 20 12:39:31.119: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 1 packet
Oct 20 13:05:31.127: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 1 packet
Oct 20 14:00:31.142: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 1 packet
Oct 20 14:20:31.145: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 2 packets
Oct 20 14:29:31.144: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 3 packets
Oct 20 14:35:31.147: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 2 packets
Oct 20 14:40:31.147: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 3 packets
Oct 20 14:46:31.145: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 2 packets
Oct 20 14:51:31.145: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 4 packets
Oct 20 14:56:31.149: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 7 packets
Oct 20 15:01:31.150: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 3 packets
Oct 20 15:07:31.149: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 1 packet
Oct 20 15:12:31.150: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 6 packets
Oct 20 15:18:31.154: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 2 packets
Oct 20 15:23:31.155: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 3 packets
Oct 20 15:40:31.158: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 1 packet
Oct 20 15:46:31.158: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 1 packet
AS | IP | AS Name
17464 | 202.157.176.219 | TMIDC-AP Hosting Services (MYLOCA),
PEER_AS | IP | AS Name
17971 | 202.157.176.219 | EASTGATE-AP Datacenter Management
Hope this helps, if nothing else as a heads-up.
--
Alfredo Sola
ASP5-RIPE
http://alfredo.sola.es/
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
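Added example (editor's code, not part of either post above): a small Python parser for the IOS %SEC-6-IPACCESSLOGP lines Alfredo quoted, rolled up per source so that a host repeatedly hitting UDP/5060 after the ACL went in stands out from background noise. Each IOS line carries an interval summary count ("N packets"), so the code sums those counts instead of counting lines. The sample input is constructed here in the same format as the post's log (four of its lines plus one unrelated DNS hit from the documentation address 198.51.100.7 for contrast); the function names, the year assumed for the timestamps and the "three or more hits" threshold are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# IOS ACL log line, e.g.
# "Oct 20 14:20:31.145: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp
#  202.157.176.219(5060) -> 84.124.237.104(5060), 2 packets"
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)

# Constructed sample: lines in the format of the post's log, plus one unrelated hit.
SAMPLE = """\
Oct 20 12:21:43.517: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 1 packet
Oct 20 14:20:31.145: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 2 packets
Oct 20 14:56:31.149: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 7 packets
Oct 20 15:46:31.158: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 202.157.176.219(5060) -> 84.124.237.104(5060), 1 packet
Oct 20 15:47:02.001: %SEC-6-IPACCESSLOGP: list TraficoDeFuera denied udp 198.51.100.7(40001) -> 84.124.237.104(53), 1 packet
"""


def parse_acl_log(text, year=2008):
    """Parse IOS ACL log lines into dicts; IOS omits the year, so it is an assumed parameter."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an ACL log line (other syslog, blank, wrapped fragment)
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts, "acl": m["acl"], "action": m["action"], "proto": m["proto"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "count": int(m["count"]),  # packets summarised in this log interval
        })
    return events


def summarize_sip_probes(events, dport=5060, min_hits=3):
    """Group denied hits on one destination port per (src, dst); flag sources that keep coming back."""
    groups = defaultdict(lambda: {"hits": 0, "packets": 0, "first": None, "last": None})
    for e in events:
        if e["action"] != "denied" or e["dport"] != dport:
            continue
        g = groups[(e["src"], e["dst"])]
        g["hits"] += 1                 # number of log intervals with at least one hit
        g["packets"] += e["count"]     # sum the per-interval counts, not the lines
        g["first"] = e["ts"] if g["first"] is None else min(g["first"], e["ts"])
        g["last"] = e["ts"] if g["last"] is None else max(g["last"], e["ts"])
    report = []
    for (src, dst), g in sorted(groups.items()):
        duration_min = (g["last"] - g["first"]).total_seconds() / 60
        report.append({
            "src": src, "dst": dst, "hits": g["hits"], "packets": g["packets"],
            "duration_min": duration_min,
            "persistent": g["hits"] >= min_hits,  # threshold is this example's assumption
        })
    return report


if __name__ == "__main__":
    for r in summarize_sip_probes(parse_acl_log(SAMPLE)):
        flag = "PERSISTENT" if r["persistent"] else "single"
        print(f"{r['src']} -> {r['dst']}/udp 5060: {r['hits']} intervals, "
              f"{r['packets']} packets over {r['duration_min']:.1f} min [{flag}]")
```

Run over the full log in the post the same way, the one source address shows up in every interval for more than three hours, which is the kind of cadence worth feeding to an abuse contact or a blocklist rather than treating as a one-off scan; the DNS line is dropped because only the SIP port is being tallied.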