[VoiceOps] VoIP Abuse Take Two (or three, maybe even 4-5)

Jawad A Hai ahjawad at hotmail.com
Tue Jan 18 03:41:55 EST 2011


Hello,
Very nice info.
Recently we were hit by attackers during the weekend, causing more than a 100K USD bill.
They were dialing payphone-type "dial to win" numbers by compromising one of our DID numbers.
Most calls were placed to Lithuania and Sierra Leone.
I wish I could have seen your article before; at least I would have tried to put some restrictions in place.
But guys, buckle up: there are some gangs using sophisticated mechanisms to get into IP PBX systems.
Remove all NAT with local IPs, block SIP and H.323 ports, and if you are using Cisco, upgrade to v15.12T.
Add a trusted gateway list.


Aali

--------------------------------------------------
From: "J. Oquendo" <sil at infiltrated.net>
Sent: Monday, January 17, 2011 11:39 PM
To: <VoiceOps at voiceops.org>
Subject: [VoiceOps] VoIP Abuse Take Two (or three, maybe even 4-5)

>
> For those looking for a different type of blacklist, or at least one that
> makes sense, please be sure to browse the VoIP Abuse Black List, as
> things are slightly different now. VABL looks up an attacker's
> information via Shadowserver's lookup and appends three new fields: type
> of attacker, address and the letters VABL (so one can know where and how
> it ended up being blacklisted), and a number dialed (when appropriate).
>
> The type of attacker field may make the biggest difference to those who
> decide to use this list. There are two specific entries that will
> appear: BRU, ADN and COM. BRU means that the host attempted to
> bruteforce a PBX while COM signifies that the attacker managed to
> compromise either a honeypot or a live machine. ADN is when an attacker
> places a call and is short for Attacker Dialing Numbers. Whenever you
> see an entry with ADN, there will be an additional field at the end with
> the number dialed by the attacker appended to it.
>
> Here are three entries: a COM (someone who accessed a honeypot with a
> valid account), a bruteforcer, and an ADN (an attacker who accessed a
> compromised account and tried to place a call; the number dialed is
> pre-pended)
>
> 85.214.23.191 | COM | VABL | 6724 | 85.214.0.0/16 | STRATO | DE | STRATOSERVER.NET | STRATO RECHENZENTRUM BERLIN
> 41.232.96.220 | ADN | VABL | 8452 | 41.232.96.0/22 | TE | EG | TEDATA.NET | AFRINIC | 011251912121891
> 93.126.35.12 | BRU | VABL | 44375 | 93.126.0.0/18 | AISDP | IR | - | ASMANFARAZ SEPAHAN ISDP
>
> Anyhow, the list is maintained as a text file and is updated accordingly
> (once per day depending on my schedule).
>
> VABL explained:
> http://www.infiltrated.net/index.php?option=com_content&view=article&id=17&Itemid=23
>
> VABL list
> http://www.infiltrated.net/vabl.txt
>
> Potential scripting...
>
> # awk splits on whitespace, so $1 is the attacking host and $9 its netblock
> wget -qO - infiltrated.net/vabl.txt |\
> grep '[0-9]' | awk '{print "insert your favorite firewall rule against this whole netblock " $9}'
>
> wget -qO - infiltrated.net/vabl.txt |\
> grep '[0-9]' | awk '{print "insert your favorite firewall rule against this one host " $1}'
>
> Depending on one's POV, COM and ADNs are the ones to keep an eye on.
> These are actually making connections as opposed to checking if a door
> is open. I know I've stated it before, typically I see this:
>
> bruteforce --> fire off sipvicious looking for an account
> attacker --> logs into an account (this IP is RARELY if ever in any
> bruteforce logs)
>
> What I find sort of funny is that today I see an attacker, I guess, doing
> research (attacker trying to make a call to 0112522200044):
>
> 41.34.68.219 | ADN | VABL | 8452 | 41.32.0.0/12 | TE | EG | - | TE DATA | 0112522200044
>
> Attacker researching, I guess, asterisk + voip + security or so:
> $ awk '/host-41.34.68.219.tedata.net/{print $1,$4,$5,$6,$7,$8,$9,$11}' access_log | head -n 1
>
> host-41.34.68.219.tedata.net [17/Jan/2011:13:50:46 -0600] "GET
> /asterisk-ips.html HTTP/1.1" 200
> "http://voipsecurityblog.typepad.com/marks_voip_security_blog/2009/07/a-script-for-toll-fraud-detection.html"
>
>
>
> -- 
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT
>
> "It takes 20 years to build a reputation and five minutes to
> ruin it. If you think about that, you'll do things
> differently." - Warren Buffett
>
> 227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
>
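As an added example (not code from either poster or from the VABL project), the following parses the pipe-separated VABL entry format quoted above and builds host or netblock firewall rules for the COM/ADN types, validating every address before it could reach a firewall command. The sample text is constructed from the three entries in the post; the udp/5060 port and iptables syntax are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the VABL line format quoted in the post (not a live download).
SAMPLE_VABL = """\
# VABL - VoIP Abuse Black List (header lines carry no entry)
85.214.23.191 | COM | VABL | 6724 | 85.214.0.0/16 | STRATO | DE | STRATOSERVER.NET | STRATO RECHENZENTRUM BERLIN
41.232.96.220 | ADN | VABL | 8452 | 41.232.96.0/22 | TE | EG | TEDATA.NET | AFRINIC | 011251912121891
93.126.35.12 | BRU | VABL | 44375 | 93.126.0.0/18 | AISDP | IR | - | ASMANFARAZ SEPAHAN ISDP
not an entry at all
"""

@dataclass
class VablEntry:
    ip: str                # attacking host
    kind: str              # BRU (bruteforce), COM (compromise) or ADN (attacker dialing numbers)
    asn: str
    netblock: str          # Shadowserver-derived prefix the host belongs to
    dialed: Optional[str]  # number dialed, present only for ADN entries

def parse_vabl(text: str) -> List[VablEntry]:
    """Split each VABL line on '|' and keep only well-formed entries."""
    entries = []
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.split("|")]
        if len(fields) < 5 or fields[2] != "VABL":
            continue  # header, comment or junk line
        ip, kind, _, asn, netblock = fields[:5]
        try:
            ipaddress.ip_address(ip)
            ipaddress.ip_network(netblock, strict=False)
        except ValueError:
            continue  # never feed an unparsable value into a firewall command
        dialed = fields[-1] if kind == "ADN" and fields[-1].isdigit() else None
        entries.append(VablEntry(ip, kind, asn, netblock, dialed))
    return entries

def firewall_rules(entries, kinds=("COM", "ADN"), whole_netblock=False):
    """One iptables DROP rule per host (or per netblock) for the chosen types.
    Assumption: SIP signalling on udp/5060; adjust for your PBX."""
    rules, seen = [], set()
    for e in entries:
        if e.kind not in kinds:
            continue
        target = e.netblock if whole_netblock else e.ip
        if target in seen:
            continue  # several hosts may share one netblock
        seen.add(target)
        rules.append(f"iptables -I INPUT -s {target} -p udp --dport 5060 -j DROP")
    return rules
```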