[VoiceOps] Strange attacks over the weekend

Richard Barnes richard.barnes at gmail.com
Mon Nov 1 12:11:24 EDT 2010


Could you say a little more about what this weird traffic was?  Were
these SIP messages?
--Richard



On Mon, Nov 1, 2010 at 11:01 AM, J. Oquendo <sil at infiltrated.net> wrote:
>
> Sorry for the cross posting to two lists, but I thought everyone on both
> lists might benefit from the message (*cough*rambling*)
>
> So yesterday, I had a honeypot host "open to the world." Not one "block
> this country" rule on the machine. Normally throughout the past months
> I've seen maybe 1 or 2 attacks in parallel, but yesterday was different.
> I butchered up a perl script to block on the fly as opposed to blocking
> out entire countries and was surprised to see I managed to accumulate
> 1600+ hosts. Not *that* big of a deal until I started going through some
> of the logs...
>
> I'm a bit puzzled because I see hundreds of attacks in parallel
> (literally 100-200 connections from different netblocks at the same
> time) so I'm thinking... "VoIP Based Botnet?"
>
> Anyhow, still parsing through the wonderful bucketload of logs this
> morning. Anyone else see massive activity beginning 10/31?
>
> --
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT
>
> "It takes 20 years to build a reputation and five minutes to
> ruin it. If you think about that, you'll do things
> differently." - Warren Buffett
>
> 227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
>
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
>


