[nsp-sec] Got SIP? (VoIP/SIP hackerz)
Scott A. McIntyre
scott at howyagoin.net
Mon Sep 12 17:26:22 EDT 2011
Hi all,

For the past few months I've been running a VoIP/SIP honeypot and am
working towards sending the data collected over to Team Cymru for their
Most Excellent daily reports -- but until then I thought I'd at least
share a list of some recent hits.

Most of these fit the classic pattern of Unix/Linux boxes which were
brute forced over SSH and a standard kit with SIP Vicious and SSH
bruteforcer (and usually an emechbot, for Romanian fun and games) let
loose -- some were doing actual SIP invites though, usually to UK phone
numbers (can provide lists if interested). A few may be Windows boxes
running one of the recently re-publicised kits for SIP/VoIP
scanning/hacking...

The timestamp in the third column SHOULD be UTC format. I had to do a
bit of Splunk wizardry to convert each +1000 timestamp into UTC, but it
should be right.

Shout if there are any questions,

Scott A. McIntyre
AS1221 Telstra