[VoiceOps] VoIP Abuse Take Two (or three, maybe even 4-5)

Thu Mar 17 11:44:53 EDT 2011

Getting back to this topic...How does the list get updated (shadowerslookup?) Can we report IPs..?
Any new update on this front as hackers are getting more sophisticated...

-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of J. Oquendo
Sent: Monday, January 17, 2011 1:39 PM
To: VoiceOps at voiceops.org
Subject: [VoiceOps] VoIP Abuse Take Two (or three, maybe even 4-5)

For those looking for a different type of blacklist or at least one that
makes sense, please be sure to browse the VoIP Abuse Black List as
things are a slightly different now. VABL looks up an attacker's
information via Shadowserver's lookup and appends three new fields: type
of attacker, address and the letters VABL (so one can know where and how
it ended up on being blacklisted) and a number dialed (when appropriate.)

The type of attacker field may make the biggest difference to those who
decide to use this list. There are two specific entries that will
appear: BRU, ADN and COM. BRU means that the host attempted to
bruteforce a PBX while COM signifies that the attacker managed to
compromise either a honeypot or a live machine. ADN is when an attacker
places a call and is short for Attacker Dialing Numbers. Whenever you
see an entry with ADN, there will be an additional field at the end with
the number dialed by the attacker appended to it.

Here are three entries, a COM (someone who accessed a honeypot with a
valid account), a bruteforcer and an ADN (an attacker who accessed a
compromised account and tried to place a call the number dialed is
pre-pended)

85.214.23.191 | COM | VABL | 6724 | 85.214.0.0/16 | STRATO | DE |
STRATOSERVER.NET | STRATO RECHENZENTRUM BERLIN
41.232.96.220 | ADN | VABL | 8452 | 41.232.96.0/22 | TE | EG |
TEDATA.NET | AFRINIC | 011251912121891
93.126.35.12 | BRU | VABL | 44375 | 93.126.0.0/18 | AISDP | IR | - |
ASMANFARAZ SEPAHAN ISDP

Anyhow, the list is maintained as a text file and is updated accordingly
(once per day depending on my schedule).

VABL explained:
http://www.infiltrated.net/index.php?option=com_content&view=article&id=17&Itemid=23

VABL list
http://www.infiltrated.net/vabl.txt

Potential scripting...

wget -qO - infiltrated.net/vabl.txt|\
grep [0-9] | awk '{print "insert your favorite firewall rule against
this whole netblock "$9}'

wget -qO - infiltrated.net/vabl.txt|\
grep [0-9] | awk '{print "insert your favorite firewall rule against
this one host "$9}'

Depending on one's POV, COM and ADNs are the ones to keep an eye one.
These are actually making connections as opposed to checking if a door
is opened. I know I've stated it before, typically I see this:

bruteforce --> fire off sipvicious looking for an account
attacker --> logs into an account (this IP is RARELY if ever in any
bruteforce logs)

What I find sort of funny is that today I see an attacker I guess doing
research: (attacker trying to make a call to 0112522200044)

41.34.68.219 | ADN | VABL | 8452 | 41.32.0.0/12 | TE | EG | - | TE DATA
| 0112522200044

Attacker researching I guess asterisk + voip + security or so
$ awk '/host-41.34.68.219.tedata.net/{print $1,$4,$5,$6,$7,$8,$9,$11}'
access_log | head -n 1

host-41.34.68.219.tedata.net [17/Jan/2011:13:50:46 -0600] "GET
/asterisk-ips.html HTTP/1.1" 200
"http://voipsecurityblog.typepad.com/marks_voip_security_blog/2009/07/a-script-for-toll-fraud-detection.html"

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops