[VoiceOps] SIP Scan

Lee Riemer LRiemer at bestline.net
Fri Oct 28 13:29:55 EDT 2011


They are probably creating a list of potential victims.  Anything replying SIP on port 5060 gets added.  Then you get the (not so)friendly-scanner.

Lee Riemer


> -----Original Message-----
> From: Stappenbeck, Mark [mailto:MStappenbeck at allworx.com]
> Sent: Friday, October 28, 2011 11:27 AM
> To: Lee Riemer
> Cc: VoiceOps
> Subject: RE: [VoiceOps] SIP Scan
> 
> Can't say, just noticed multiple event logs from our PBX's across the country
> receiving a single invite (which we reject as not trusted), and then it moves
> on.
> 
> Happened to have 4 servers in a /29 and saw it hit them in IP sequence, then
> was sent some logs from a server from yesterday, and the source IP was in
> the same octet as the other 4 servers.
> 
> Thanks Lee -Mark S
> 
> 
> 
> Mark Stappenbeck
> Senior Manager, Technical Support
> Allworx
> 300 Main Street
> East Rochester, NY 14445
> 585-421-5508 Office
> (585) 421-3853 Fax
> mstappenbeck at allworx.com
> www.allworx.com
> 
> 
> 
> 
> -----Original Message-----
> From: Lee Riemer [mailto:lriemer at bestline.net]
> Sent: Friday, October 28, 2011 12:21 PM
> To: Stappenbeck, Mark
> Subject: Re: [VoiceOps] SIP Scan
> 
> Are they friendly-scanner?  If so, nothing unusual...
> 
> On 10/28/2011 11:13 AM, Stappenbeck, Mark wrote:
> > Has anyone noticed SIP Invites showing up from IP's in the 91.226.97.0/24
> subnet?
> > Seeing a progessive "scan" targeting our endpoints yesterday and today.
> >
> >
> >
> >
> >
> >
> >
> > _______________________________________________
> > VoiceOps mailing list
> > VoiceOps at voiceops.org
> > https://puck.nether.net/mailman/listinfo/voiceops
> 
> --
> Lee Riemer
> Director of Technical Operations
> Bestline Communications, L.P.
> Voice 512.328.9095
> Fax 512.328.9095




More information about the VoiceOps mailing list