<div dir="ltr">Thanks for the reply! Any logs from PBXNSIP/LifeSize?<div><br></div><div>Also, have you ever done INVITE floods (and other INVITE tricks) etc. on that PBX? I haven't, so I'm wondering if this is simply a case of someone running svwar.py with the INVITE method or a similar tool. I've seen a rise in that sort of thing lately.</div>
</div><div class="gmail_extra"><br clear="all"><div>Sandro Gauci<br>Penetration tester and security researcher<br>Email: <a href="mailto:sandro@enablesecurity.com" target="_blank">sandro@enablesecurity.com</a><br>Web: <a href="http://enablesecurity.com/" target="_blank">http://enablesecurity.com/</a><br>
PGP: 8028 D017 2207 1786 6403 CD45 2B02 CBFE 9549 3C0C</div>
<br><br><div class="gmail_quote">On Tue, Nov 26, 2013 at 7:40 PM, J. Oquendo <span dir="ltr"><<a href="mailto:sil@infiltrated.net" target="_blank">sil@infiltrated.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On Tue, 26 Nov 2013, Sandro Gauci wrote:<br>
<br>
> Hey J,<br>
><br>
> can you describe what you're seeing please? E.g. Is it a system compromise,<br>
> toll fraud or DoS (or none of these?:) )<br>
><br>
> Feel free to post the response to the lists or privately to me.<br>
><br>
> cheers,<br>
><br>
><br>
<br>
</div>Yo what's going on Sandro... Will post to list so that<br>
others may be able to chime in if they've seen similar.<br>
<br>
Unsure what was happening since we had to get systems up and<br>
running "right now" since they were live systems with a mess<br>
of users on them (give or take 1,000 to 1,500 users). This is<br>
all I can say...<br>
<br>
Yesterday morning, client who uses a PBXNSIP based system<br>
calls: "Can't make calls, receive calls." Not a big deal,<br>
reload software, sometimes it acts up. Ten minutes later,<br>
another client using PBXNSIP calls with the same issue,<br>
followed by 2-5 systems within half an hour of one<br>
another.<br>
<br>
lsof | grep -i snom showed there were a lot of connections<br>
via HTTP and SIP to various addresses in Europe (.it, .de<br>
and a few others). No one was connected out there. I could<br>
not do packet captures because clients were complaining<br>
so my ultimate reflex was an antitoll script I wrote which<br>
blocks ALL but ARIN based (North American) networks.<br>
<br>
This solved the problem on PBXNSIP. Minutes later, some of<br>
my LifeSize videoconferencing units started making phantom<br>
calls to extensions. The username was Test() via the<br>
LifeSize, but I could not perform a packet capture on that<br>
either.<br>
<br>
We didn't see any bursts of traffic, e.g., N_amount of<br>
excess bandwidth coming in, so DDoS was out of the question<br>
and I am always abusing (vulnscanning, webscanning, hitting<br>
up) my PBXs, but I have yet to ever make one unresponsive.<br>
So I am lost as to what occurred. Had I to guess what<br>
happened to PBXNSIP... Maybe some bad packetjuju forced it<br>
to crash (because it was down for the count). Mind you, this<br>
ONLY affected PBXs running PBXNSIP.<br>
<br>
Wish I knew anything more than "that was some bad packetry"<br>
but I'm stumped.<br>
<div class="HOEnZb"><div class="h5"><br>
--<br>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+<br>
J. Oquendo<br>
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM<br>
<br>
"Where ignorance is our master, there is no possibility of<br>
real peace" - Dalai Lama<br>
<br>
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF<br>
<a href="http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF" target="_blank">http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF</a><br>
</div></div></blockquote></div><br></div>
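A detection sketch for what Sandro asks about in his reply (INVITE floods and svwar.py-style extension sweeps), added here as an example; it is not code from either participant, from SIPVicious, or from PBXNSIP/LifeSize. The SIP requests are constructed inline, the host names and thresholds are assumptions to tune per deployment, and the top Via host stands in for the packet source address (a real detector would take the source IP from the socket or capture, since Via is attacker-controlled, and would count within a time window rather than over a whole batch). The User-Agent check relies on the "friendly-scanner" string that SIPVicious has historically sent by default; treat it as a hint, not proof.

```python
"""Flag INVITE floods and extension-enumeration sweeps in a batch of SIP
requests.  Added example for the thread above, not code from the posters,
from SIPVicious, or from any PBX vendor.  Sample traffic is constructed."""
import re
from collections import defaultdict

# --- constructed sample traffic (not real captures) -----------------------
def _invite(src, to_user, user_agent, cseq):
    """Build a minimal SIP INVITE request as it would arrive on UDP 5060."""
    return (
        f"INVITE sip:{to_user}@pbx.example.net SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {src}:5060;branch=z9hG4bK-{cseq}\r\n"
        f"From: <sip:{cseq}@{src}>;tag=t{cseq}\r\n"
        f"To: <sip:{to_user}@pbx.example.net>\r\n"
        f"CSeq: {cseq} INVITE\r\n"
        f"User-Agent: {user_agent}\r\n\r\n"
    )

# One host walks extensions 100-105 with the SIPVicious default User-Agent;
# another host places two ordinary calls.  Both addresses are documentation
# ranges (RFC 5737), the phone User-Agent string is made up.
SAMPLE_REQUESTS = (
    [_invite("203.0.113.7", str(ext), "friendly-scanner", i)
     for i, ext in enumerate(range(100, 106), start=1)]
    + [_invite("198.51.100.2", "200", "DeskPhone/1.0", 1),
       _invite("198.51.100.2", "201", "DeskPhone/1.0", 2)]
)

# --- minimal SIP request parsing -----------------------------------------
REQUEST_LINE = re.compile(r"^([A-Z]+)\s+sips?:([^@\s]+)@")
VIA_HOST = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^\s;:]+)", re.I | re.M)
USER_AGENT = re.compile(r"^User-Agent:\s*(.+?)\s*$", re.I | re.M)


def parse_request(raw):
    """Return method, target user, Via host and User-Agent, or None if the
    start line is not a SIP request with a user part in the Request-URI."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return None
    via = VIA_HOST.search(raw)
    ua = USER_AGENT.search(raw)
    return {
        "method": m.group(1),
        "to_user": m.group(2),
        # Assumption: Via host as source.  Use the real packet source IP in
        # production; a scanner can put anything in Via.
        "src": via.group(1) if via else "unknown",
        "ua": ua.group(1) if ua else "",
    }


def analyse(messages, flood_threshold=5, enum_threshold=4):
    """Group INVITEs by source and flag floods, sweeps and scanner UAs.

    flood_threshold: INVITEs from one source in the batch (window) that
    count as a flood.  enum_threshold: distinct target users from one source
    that look like svwar.py-style extension enumeration.  Both are guesses
    to be tuned against the site's normal call volume."""
    per_src = defaultdict(lambda: {"invites": 0, "targets": set(), "flags": []})
    for raw in messages:
        req = parse_request(raw)
        if not req or req["method"] != "INVITE":
            continue  # only INVITEs ring phones; REGISTER/OPTIONS go elsewhere
        entry = per_src[req["src"]]
        entry["invites"] += 1
        entry["targets"].add(req["to_user"])
        if "friendly-scanner" in req["ua"].lower() and "scanner-ua" not in entry["flags"]:
            entry["flags"].append("scanner-ua")
    for entry in per_src.values():
        if entry["invites"] >= flood_threshold:
            entry["flags"].append("invite-flood")
        if len(entry["targets"]) >= enum_threshold:
            entry["flags"].append("extension-sweep")
        entry["targets"] = sorted(entry["targets"])
    return dict(per_src)


if __name__ == "__main__":
    for src, entry in analyse(SAMPLE_REQUESTS).items():
        print(src, entry["invites"], "INVITEs ->", entry["flags"] or "clean")
```

Run it as-is and the scanning host is reported with all three flags while the ordinary phone is clean. Feeding it real traffic means replacing `SAMPLE_REQUESTS` with request bodies pulled from a capture or from the PBX's SIP trace, and keying on the packet source rather than Via.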