[nsp-sec] voip hacking?
Yiming Gong
yiming.gong at xo.com
Wed Oct 5 19:29:18 EDT 2011
Hi Team,
I was just wondering if other providers are seeing a similar problem going
on on their networks. Basically, some of our VOIP customers are
experiencing phantom calls: the phone rings but nobody is calling.
I was not able to get a packet capture so far, so I tried to figure out
what is going on using netflow, and I see 40 source IPs trying to
communicate with our customers on their 5060 port when the problem
occurred. Of these 40 IPs, 39 of them are in my darknet system for
their port 5060 scan activities, and taking a look at the database, I
noticed almost all of them started to scan after September.
+-----------------+-------------------------------+
| sip             | first time seen by my darknet |
+-----------------+-------------------------------+
| 117.120.2.110   | 2011-09-22 06:20:05           |
| 117.120.2.80    | 2011-09-17 08:40:04           |
| 117.120.5.12    | 2011-09-16 21:45:02           |
| 117.120.5.152   | 2011-09-22 00:55:03           |
| 117.120.5.20    | 2011-09-17 01:30:03           |
| 117.120.5.215   | 2011-09-17 12:15:02           |
| 117.120.5.235   | 2011-09-21 12:55:04           |
| 117.120.6.102   | 2011-09-22 06:55:04           |
| 117.120.6.104   | 2011-09-21 04:25:02           |
| 207.58.161.45   | 2011-09-22 20:30:04           |
| 208.116.46.130  | 2011-09-25 15:55:03           |
| 208.116.46.192  | 2011-09-22 05:55:03           |
| 208.116.46.238  | 2011-09-21 23:10:04           |
| 212.20.30.211   | 2011-09-17 08:30:03           |
| 212.92.148.72   | 2011-09-21 18:10:04           |
| 217.116.128.31  | 2011-10-01 20:20:05           |
| 217.18.139.251  | 2011-09-22 07:30:05           |
| 220.134.238.64  | 2011-09-09 21:00:04           |
| 64.38.44.130    | 2011-08-25 14:35:03           |
| 66.152.77.13    | 2011-09-22 05:20:04           |
| 68.239.83.122   | 2011-09-25 23:55:04           |
| 72.32.122.174   | 2011-08-29 13:25:02           |
| 75.125.106.162  | 2011-10-01 19:55:03           |
| 75.125.238.10   | 2011-09-25 20:50:04           |
| 80.86.174.4     | 2011-09-22 20:35:03           |
| 83.169.35.14    | 2011-08-15 21:30:04           |
| 85.17.141.86    | 2011-09-22 00:55:03           |
| 90.188.1.24     | 2011-09-22 19:20:05           |
| 90.189.192.108  | 2011-09-22 07:15:03           |
| 90.189.192.179  | 2011-10-01 20:05:03           |
| 90.189.192.185  | 2011-09-25 19:40:05           |
| 90.189.192.202  | 2011-09-25 16:35:03           |
| 90.189.192.203  | 2011-09-25 20:30:04           |
| 90.189.192.227  | 2011-09-25 21:30:04           |
| 90.189.192.238  | 2011-09-25 20:30:04           |
| 90.189.192.253  | 2011-10-03 22:40:04           |
| 90.189.192.74   | 2011-09-25 21:20:04           |
| 91.121.1.87     | 2011-09-22 03:00:05           |
| 91.184.6.15     | 2011-09-25 21:15:03           |
+-----------------+-------------------------------+
And when I plug these IPs into dshield, I see dshield records similar
activities
(for example http://www.dshield.org/ipdetails.html?ip=117.120.2.110).
Given the fact that these source IPs are located at different places,
and they all started to perform scans only recently, I suspect there is a
new VOIP hacking tool or something similar that got released recently, like
in late Aug.
And if that is the case, other providers should be seeing similar things,
so has anybody else experienced this on their network?
Regards
Yiming
Below are the 40 source IPs.
ASN   | IP ADDRESS     | DESC
7595  | 117.120.2.110  | READYNET-AS-AP Readyspace Network Pte Ltd, Hosted Solutions Provider,Singapore
7595  | 117.120.2.80   | READYNET-AS-AP Readyspace Network Pte Ltd, Hosted Solutions Provider,Singapore
7595  | 117.120.5.12   | READYNET-AS-AP Readyspace Network Pte Ltd, Hosted Solutions Provider,Singapore
7595  | 117.120.5.152  | READYNET-AS-AP Readyspace Network Pte Ltd, Hosted Solutions Provider,Singapore
7595  | 117.120.5.20   | READYNET-AS-AP Readyspace Network Pte Ltd, Hosted Solutions Provider,Singapore
7595  | 117.120.5.215  | READYNET-AS-AP Readyspace Network Pte Ltd, Hosted Solutions Provider,Singapore
7595  | 117.120.5.235  | READYNET-AS-AP Readyspace Network Pte Ltd, Hosted Solutions Provider,Singapore
7595  | 117.120.6.102  | READYNET-AS-AP Readyspace Network Pte Ltd, Hosted Solutions Provider,Singapore
7595  | 117.120.6.104  | READYNET-AS-AP Readyspace Network Pte Ltd, Hosted Solutions Provider,Singapore
25847 | 207.58.161.45  | SERVINT - ServInt
25653 | 208.116.46.130 | FORTRESSITX - FortressITX
25653 | 208.116.46.192 | FORTRESSITX - FortressITX
25653 | 208.116.46.238 | FORTRESSITX - FortressITX
41440 | 212.20.30.211  | SIBIRTELECOM-AS OJSC Rostelecom
8371  | 212.92.148.72  | KIS-ADS Business Communication Agency
16287 | 217.116.128.31 | KUZBASSNET OJSC Rostelecom
15759 | 217.18.139.251 | DIN-AS OJSC Rostelecom
3462  | 220.134.238.64 | HINET Data Communication Business Group
16805 | 64.38.44.130   | LAYER3-ASN-2 - Layered Technologies, Inc.
14720 | 66.152.77.13   | GAMMANETWORKING-EAST - Gamma Networking Inc.
19262 | 68.239.83.122  | VZGNI-TRANSIT - Verizon Online LLC
22343 | 69.176.76.232  | TELESPHERE-NETWORKS - Telesphere Networks Ltd.
33070 | 72.32.122.174  | RMH-14 - Rackspace Hosting
21844 | 75.125.106.162 | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
21844 | 75.125.238.10  | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
13237 | 80.86.174.4    | LAMBDANET-AS European Backbone of LambdaNet
20773 | 83.169.35.14   | HOSTEUROPE-AS AS of Hosteurope Germany / Cologne
16265 | 85.17.141.86   | LEASEWEB LeaseWeb B.V.
12846 | 90.188.1.24    | OJSC Rostelecom
41440 | 90.189.192.108 | SIBIRTELECOM-AS OJSC Rostelecom
41440 | 90.189.192.179 | SIBIRTELECOM-AS OJSC Rostelecom
41440 | 90.189.192.185 | SIBIRTELECOM-AS OJSC Rostelecom
41440 | 90.189.192.202 | SIBIRTELECOM-AS OJSC Rostelecom
41440 | 90.189.192.203 | SIBIRTELECOM-AS OJSC Rostelecom
41440 | 90.189.192.227 | SIBIRTELECOM-AS OJSC Rostelecom
41440 | 90.189.192.238 | SIBIRTELECOM-AS OJSC Rostelecom
41440 | 90.189.192.253 | SIBIRTELECOM-AS OJSC Rostelecom
41440 | 90.189.192.74  | SIBIRTELECOM-AS OJSC Rostelecom
16276 | 91.121.1.87    | OVH OVH Systems
21155 | 91.184.6.15    | ASN-PROSERVE ProServe B.V.
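The analysis described in the post (pull the flows toward customer phones on port 5060 during the phantom-call window, list the unique source IPs, and check each one against the darknet sensor's first-seen table) can be scripted so it is repeatable the next time the calls show up. The following is an added example written for this page; it is not code from the original post or from the poster's netflow or darknet systems. The flow records, the incident window and the darknet excerpt are constructed sample data, and the comma-separated flow layout is an assumption, not any collector's export format.

```python
"""
Correlate netflow records for port 5060 with a darknet scanner table.

Added example, not code from the original post. All records below are
constructed; the CSV layout is an assumption, not a real export format.
"""
from collections import Counter
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed netflow export: timestamp,src_ip,dst_ip,dst_port,proto
# (198.51.100.0/24 stands in for the customer phone range).
FLOWS_CSV = """\
2011-10-05 09:12:03,117.120.2.110,198.51.100.10,5060,udp
2011-10-05 09:12:04,117.120.2.110,198.51.100.11,5060,udp
2011-10-05 09:12:05,90.189.192.74,198.51.100.10,5060,udp
2011-10-05 09:12:09,69.176.76.232,198.51.100.12,5060,udp
2011-10-05 09:12:10,203.0.113.5,198.51.100.10,443,tcp
2011-10-05 09:13:00,85.17.141.86,198.51.100.13,5060,udp
2011-10-05 14:40:00,91.121.1.87,198.51.100.10,5060,udp
"""

# Constructed excerpt of a darknet table: ip -> first time seen scanning 5060
DARKNET_FIRST_SEEN = {
    "117.120.2.110": "2011-09-22 06:20:05",
    "90.189.192.74": "2011-09-25 21:20:04",
    "85.17.141.86": "2011-09-22 00:55:03",
    "91.121.1.87": "2011-09-22 03:00:05",
    "64.38.44.130": "2011-08-25 14:35:03",
}


def parse_flows(csv_text):
    """Parse the simplified flow export into dicts with a datetime timestamp."""
    flows = []
    for line in csv_text.strip().splitlines():
        ts, src, dst, dport, proto = line.split(",")
        flows.append({"ts": datetime.strptime(ts, TS_FMT), "src": src,
                      "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def sip_sources(flows, start, end, port=5060):
    """Count flows per source IP toward `port` inside the incident window.

    Both UDP and TCP are counted, since SIP signalling may use either.
    """
    t0, t1 = datetime.strptime(start, TS_FMT), datetime.strptime(end, TS_FMT)
    hits = Counter()
    for f in flows:
        if f["dport"] == port and t0 <= f["ts"] <= t1:
            hits[f["src"]] += 1
    return hits


def correlate(sources, darknet):
    """Split incident sources into darknet-known scanners and unknowns."""
    known = sorted((ip, darknet[ip]) for ip in sources if ip in darknet)
    unknown = sorted(ip for ip in sources if ip not in darknet)
    return {"known": known, "unknown": unknown}


def first_seen_by_month(known):
    """Histogram of darknet first-seen dates by month (YYYY-MM)."""
    return Counter(seen[:7] for _, seen in known)


if __name__ == "__main__":
    flows = parse_flows(FLOWS_CSV)
    # Incident window: when the phantom calls were reported (constructed).
    srcs = sip_sources(flows, "2011-10-05 09:00:00", "2011-10-05 10:00:00")
    result = correlate(srcs, DARKNET_FIRST_SEEN)
    print(f"{len(srcs)} sources hit port 5060 in the window; "
          f"{len(result['known'])} are known darknet scanners")
    for ip, seen in result["known"]:
        print(f"  {ip:16} flows={srcs[ip]:3}  darknet first seen {seen}")
    for ip in result["unknown"]:
        print(f"  {ip:16} flows={srcs[ip]:3}  not in darknet table")
    print("first seen by month:", dict(first_seen_by_month(result["known"])))
```

The window filter matters: the 14:40 flow from 91.121.1.87 is a known scanner but falls outside the reported incident, so it is left out of the correlation rather than padding the count. The month histogram is what supports (or refutes) the "they all started recently" observation once a real darknet table is substituted for the excerpt.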