[VoiceOps] looking for advice on international fraud that took place via an Edgemarc 200EW with FXO line installed

Matt Yaklin myaklin at g4.net
Fri Nov 1 15:33:27 EDT 2013


They are not overlapping.

The attacker finally bit just a bit ago. I was only running
tcpdump on port 5060 on the Edgemarc, but I captured the SIP
traffic for what the attacker is doing. I wish I had set up
more.


I blocked international via an auth code right now...

x.x.139.225 = WAN ethernet port of the Edgemarc.

I am going through this now and if anyone can help I would
greatly appreciate it. I need to find out why this is happening.



-----------------------
-----------------------
-----------------------
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, 
SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:18:48.788559 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001 at x.x.139.225>
From: <sip:1001 at x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 
176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001 at 176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, 
SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:18:52.786472 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001 at x.x.139.225>
From: <sip:1001 at x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 
176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001 at 176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, 
SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:18:56.794955 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001 at x.x.139.225>
From: <sip:1001 at x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 
176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001 at 176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, 
SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:19:00.899198 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001 at x.x.139.225>
From: <sip:1001 at x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 
176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001 at 176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, 
SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:19:04.809371 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001 at x.x.139.225>
From: <sip:1001 at x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 
176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001 at 176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, 
SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:19:08.831073 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001 at x.x.139.225>
From: <sip:1001 at x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 
176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001 at 176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, 
SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:19:12.827515 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001 at x.x.139.225>
From: <sip:1001 at x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 
176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001 at 176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, 
SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:19:16.827669 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001 at x.x.139.225>
From: <sip:1001 at x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 
176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001 at 176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, 
SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:23:19.307756 176.58.68.20.10189 > x.x.139.225.5060:
>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
BYE sip:14734050085 at x.x.139.225:5060 SIP/2.0
To: <sip:14734050085 at x.x.139.225>;tag=6516fea2
From: <sip:1001 at x.x.139.225>;tag=214bbc47
Via: SIP/2.0/UDP 
176.58.68.20:10189;branch=z9hG4bK-d87543-1012476641-1--d87543-;rport
Call-ID: 346c8a3823657575
CSeq: 2 BYE
Route: <sip:14734050085 at x.x.139.225;lr>
Contact: <sip:1001 at 176.58.68.20:10189>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, 
SUBSCRIBE,
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:23:19.370269 x.x.139.225.5060 > 176.58.68.20.10189:
>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
SIP/2.0 200 OK
Via: SIP/2.0/UDP 
176.58.68.20:10189;branch=z9hG4bK-d87543-1012476641-1--d87543-;rport=5060
Record-Route: <sip:14734050085 at x.x.139.225;lr>
From: <sip:1001 at x.x.139.225>;tag=214bbc47
To: <sip:14734050085 at x.x.139.225>;tag=6516fea2
Call-ID: 346c8a3823657575
CSeq: 2 BYE
Contact: <sip:14734050085 at x.x.139.225:5060>
User-agent: fxo/1.0
Content-Length: 0


<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
  [tos 0xb8]
19:23:31.365141 176.58.68.20.10189 > x.x.139.225.5060:
>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
INVITE sip:14734050088 at x.x.139.225 SIP/2.0
To: <sip:14734050088 at x.x.139.225>
From: <sip:1001 at x.x.139.225>;tag=d909f80a
Via: SIP/2.0/UDP 
176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport
Call-ID: 2b6a574f323db602
CSeq: 1 INVITE
Contact: <sip:1001 at 176.58.68.20:10189>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, 
SUBSCRIBE, INFO
Content-Type: application/sdp
User-Agent: eyeBeam
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:23:31.417251 x.x.139.225.5060 > 176.58.68.20.10189:
>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 
176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060
From: <sip:1001 at x.x.139.225>;tag=d909f80a
To: <sip:14734050088 at x.x.139.225>;tag=51a346d4
Call-ID: 2b6a574f323db602
CSeq: 1 INVITE
User-agent: fxo/1.0
Content-Length: 0


<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
  [tos 0xb8]
19:23:36.793012 x.x.139.225.5060 > 176.58.68.20.10189:
>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
SIP/2.0 180 Ringing
Via: SIP/2.0/UDP 
176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060
Record-Route: <sip:14734050088 at x.x.139.225;lr>
From: <sip:1001 at x.x.139.225>;tag=d909f80a
To: <sip:14734050088 at x.x.139.225>;tag=51a346d4
Call-ID: 2b6a574f323db602
CSeq: 1 INVITE
Contact: <sip:14734050088 at x.x.139.225:5060>
User-agent: fxo/1.0
Content-Length: 0


<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
  [tos 0xb8]
19:23:36.833967 x.x.139.225.5060 > 176.58.68.20.10189:
>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
SIP/2.0 200 OK
Via: SIP/2.0/UDP 
176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060
Record-Route: <sip:14734050088 at x.x.139.225;lr>
From: <sip:1001 at x.x.139.225>;tag=d909f80a
To: <sip:14734050088 at x.x.139.225>;tag=51a346d4
Call-ID: 2b6a574f323db602
CSeq: 1 INVITE
Contact: <sip:14734050088 at x.x.139.225:5060>
User-agent: fxo/1.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE
Content-Type: application/sdp
Content-Leng
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
  [tos 0xb8]
19:23:37.060875 176.58.68.20.10189 > x.x.139.225.5060:
>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
ACK sip:14734050088 at x.x.139.225:5060 SIP/2.0
To: <sip:14734050088 at x.x.139.225>;tag=51a346d4
From: <sip:1001 at x.x.139.225>;tag=d909f80a
Via: SIP/2.0/UDP 
176.58.68.20:10189;branch=z9hG4bK-d87543-154025872-1--d87543-;rport
Call-ID: 2b6a574f323db602
CSeq: 1 ACK
Route: <sip:14734050088 at x.x.139.225;lr>
Contact: <sip:1001 at 176.58.68.20:10189>
Max-Forwards: 70
User-Agent: eyeBeam release 3007n stamp 17816
Content-Length: 0


<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<


---------------
--------------
------------

On Fri, 1 Nov 2013, Jay Hennigan wrote:

> On 11/1/13 12:04 PM, Matt Yaklin wrote:
>>
>> Approx 60-70 calls.
>
> If more than one overlapping you can rule out the physical FXO port.
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
> Impulse Internet Service  -  http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
>
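As an added example (not from the post or from the list), a small Python triage script for dumps in the format above: it rebuilds each SIP message from the "sip header start/stop" markers, then flags REGISTER/INVITE traffic from outside a trusted network, NANP destinations whose area code is not on an allow-list, and any such INVITE the fxo/1.0 gateway answered with 200 OK, which is the pattern the capture shows for 1001 at 176.58.68.20 calling 14734050088. The trusted nets and the allow-list are assumptions, and 203.0.113.225 stands in for the masked gateway address.

```python
import ipaddress
import re

# Constructed sample in the capture's dump format; 203.0.113.225 stands in for the masked gateway.
SAMPLE = """19:23:31.365141 176.58.68.20.10189 > 203.0.113.225.5060:
>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
INVITE sip:14734050088@203.0.113.225 SIP/2.0
Call-ID: 2b6a574f323db602
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
19:23:36.833967 203.0.113.225.5060 > 176.58.68.20.10189:
>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
SIP/2.0 200 OK
Call-ID: 2b6a574f323db602
CSeq: 1 INVITE
User-agent: fxo/1.0
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<"""
PKT = re.compile(r"^(\S+) (\d+(?:\.\d+){3})\.\d+ > \S+:")  # "TIME SRC.PORT > DST.PORT:"

def parse_dump(text):
    """Rebuild each captured SIP message as {ts, src, start line, lower-cased headers}."""
    msgs, cur = [], None
    for line in text.splitlines():
        if m := PKT.match(line):
            cur = {"ts": m[1], "src": m[2], "start": "", "hdr": {}}
        elif "sip header stop" in line:
            msgs.append(cur); cur = None
        elif cur and "sip header start" not in line:
            if not cur["start"]:
                cur["start"] = line  # request line or status line
            elif ":" in line:
                k, v = line.split(":", 1); cur["hdr"][k.strip().lower()] = v.strip()
    return msgs

def find_fraud(msgs, trusted_nets, allowed_area_codes):
    """Flag REGISTER/INVITE from outside trusted_nets, INVITEs to NANP numbers whose
    area code is not allowed, and any such INVITE the FXO gateway answered with 200 OK."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings, untrusted_calls = [], set()
    for m in msgs:
        method, cid = m["start"].split(" ")[0], m["hdr"].get("call-id")
        if method in ("REGISTER", "INVITE") and not any(ipaddress.ip_address(m["src"]) in n for n in nets):
            findings.append(f"{m['ts']} {method} from untrusted {m['src']}")
            if method == "INVITE":
                untrusted_calls.add(cid)
                num = re.search(r"sip:\+?(\d+)@", m["start"])
                if num and num[1][0] == "1" and num[1][1:4] not in allowed_area_codes:
                    findings.append(f"{m['ts']} INVITE to out-of-policy number {num[1]}")
        elif m["start"].startswith("SIP/2.0 200") and cid in untrusted_calls \
                and "INVITE" in m["hdr"].get("cseq", ""):
            findings.append(f"{m['ts']} {m['hdr'].get('user-agent')} sent 200 OK: call connected")
    return findings
```

Run it over the full tcpdump output with the LAN and carrier ranges as trusted_nets; a 200 OK from fxo/1.0 to an untrusted Call-ID is the line that proves the call actually went out the FXO port.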

