[nsp-sec] Got SIP? (VoIP/SIP hackerz)

John Brown john at citylinkfiber.com
Mon Sep 12 18:39:09 EDT 2011


Wonder if there is any value in getting data from multiple sites and sending it to a collector for aggregation and review.

As an ITSP we get hit pretty hard every day with SIP attacks.  Registers, Invites and other fun things...

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> bounces at puck.nether.net] On Behalf Of Scott A. McIntyre
> Sent: Monday, September 12, 2011 3:26 PM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] Got SIP? (VoIP/SIP hackerz)
> 
> ----------- nsp-security Confidential --------
> 
> Hi all,
> 
> For the past few months I've been running a VoIP/SIP honeypot and am
> working towards sending the data collected over to Team Cymru for their
> Most Excellent daily reports -- but until then I thought I'd at least share a list
> of some recent hits.
> 
> Most of these fit the classic pattern of Unix/Linux boxes which were brute
> forced over SSH and a standard kit with SIP Vicious and SSH bruteforcer (and
> usually an emechbot, for Romanian fun and games) let loose -- some were
> doing actual SIP invites though, usually to UK phone numbers (can provide
> lists if interested).  A few may be Windows boxes running one of the recently
> re-publicised kits for SIP/VoIP scanning/hacking...
> 
> The timestamp in the third column SHOULD be UTC format.  I had to do a bit
> of Splunk wizardry to convert each +1000 timestamp into UTC, but it should
> be right.
> 
> Shout if there are any questions,
> 
> Scott A. McIntyre
> AS1221 Telstra
> 
> 

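One way to do the multi-site aggregation John is wondering about, as an added example that is not code from the thread or from either poster: it parses lists in the format Scott shared (ASN | source IP | timestamp | AS name, with AS names wrapped onto a following line), converts each site's local timestamps (such as Scott's +1000) to UTC, and merges them per ASN, flagging sources reported by more than one site. The site names, UTC offsets, ASNs and IPs below are constructed, not the thread's data.

```python
from datetime import datetime, timedelta, timezone

def parse_hits(text, utc_offset_hours):
    """Parse one site's list (ASN | IP | YYYY-MM-DD HH:MM.SS | AS name) into UTC records.
    Lines not starting with an ASN are wrapped continuations of the previous AS name."""
    tz = timezone(timedelta(hours=utc_offset_hours))  # the site's fixed local offset
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 4 and parts[0].isdigit():
            local = datetime.strptime(parts[2], "%Y-%m-%d %H:%M.%S").replace(tzinfo=tz)
            records.append({"asn": int(parts[0]), "ip": parts[1],
                            "ts": local.astimezone(timezone.utc), "as_name": parts[3]})
        elif records:
            records[-1]["as_name"] += " " + line
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return records

def aggregate(reports):
    """reports: iterable of (site, utc_offset_hours, text). Returns (per-ASN summary,
    IPs reported by more than one site), i.e. what a shared collector adds."""
    per_asn, ip_sites = {}, {}
    for site, offset, text in reports:
        for r in parse_hits(text, offset):
            e = per_asn.setdefault(r["asn"], {"as_name": r["as_name"], "hits": 0,
                                             "ips": set(), "sites": set(), "last_seen": r["ts"]})
            e["hits"] += 1
            e["ips"].add(r["ip"])
            e["sites"].add(site)
            e["last_seen"] = max(e["last_seen"], r["ts"])
            ip_sites.setdefault(r["ip"], set()).add(site)
    cross_site = {ip for ip, sites in ip_sites.items() if len(sites) > 1}
    return per_asn, cross_site

# Constructed sample reports (documentation IPs, private-use ASNs), not the thread's data.
SITE_A = """\
64496   | 192.0.2.10       | 2011-09-10 10:42.45 | EXAMPLE-A Example
Network A
64497   | 198.51.100.7     | 2011-09-11 08:10.25 | EXAMPLE-B Example Network B
"""
SITE_B = """\
64496   | 192.0.2.10       | 2011-09-09 22:00.00 | EXAMPLE-A Example Network A
64496   | 203.0.113.5      | 2011-09-10 01:15.30 | EXAMPLE-A Example Network A
"""
REPORTS = [("site-A", 10, SITE_A), ("site-B", -4, SITE_B)]  # +1000 and EDT (-0400)
```

Calling `aggregate(REPORTS)` gives one merged record per ASN with hit count, distinct sources, reporting sites and last-seen time in UTC, plus the set of sources that more than one site saw.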