Cannot block hacking attempts

dotcom · September 5, 2019, 10:31pm

Hello,

I’m unable to block malicious SIP INVITES to my box.
Via sngrep, I see the following packet coming in:

INVITE sip:00441519470451@mypbxipaddress SIP/2.0
Via: SIP/2.0/UDP 77.247.110.65:62393;branch=z9hG4bK1998065274
Max-Forwards: 70
From: sip:16@mypbxipaddress;tag=432918223
To: sip:00441519470451@mypbxipaddress
Call-ID: 2058906050-1389826825-1470979558
CSeq: 1 INVITE
Contact: sip:[email protected]:62393
Content-Type: application/sdp
Content-Length: 206

I already tried adding the line below to my iptables script, but no luck:
$IPT -A INPUT -i eth0 -p udp -m udp --dport 5580 -m string --string “00441519470451” --algo bm --to 65535 -j DROP

Thanks for your urgent help!

dotcom · September 5, 2019, 10:36pm

More info:

The IP 77.247.110.65 (hacker’s IP?), which is seen in the Contact header is blocked by my iptables… So I assume they are spoofing “mypbxipaddress”.

dicko · September 5, 2019, 10:41pm

sngrep sees traffic before your firewall, if there is more than one ‘message’ you need to tighten up your firewall if only the one,you got it done already. (you met our buddy from Iceland. he, will NEVER EVER EVER give up )

dotcom · September 5, 2019, 10:45pm

Hello Dicko,

It’s not only one unfortunately… I’m getting spammed by these kind of invites.

Here is another one:

INVITE sip:00441519470451@ mypbxipaddress SIP/2.0
Via: SIP/2.0/UDP 77.247.110.65:60785;branch=z9hG4bK1068000655
Max-Forwards: 70
From: <sip:1400@ mypbxipaddress>;tag=1477072440
To: <sip:00441519470451@ mypbxipaddress>
Call-ID: 1558839286-1416956875-1934806265
CSeq: 1 INVITE
Contact: sip:[email protected]:60785
Content-Type: application/sdp
Content-Length: 208

How can I know my specific iptables rule is working?
$IPT -A INPUT -i eth0 -p udp -m udp --dport 5580 -m string --string “00441519470451” --algo bm --to 65535 -j DROP

dicko · September 5, 2019, 10:46pm

just drop all connections from 77.247.110.0/24

dotcom · September 5, 2019, 10:49pm

You are fast

I just added: $IPT -A INPUT --src 77.247.110.0/24 -j DROP

I didn’t know sngrep is seeing the traffic before iptables… So it’s normal the INVITES are still showing after I applied the new rule?

dicko · September 5, 2019, 10:57pm

You do now

dotcom · September 5, 2019, 11:01pm

Thanks a lot for your help! I can enjoy my good night sleep now

dicko · September 5, 2019, 11:06pm

You can block it at your edge firewall if you have one, otherwise it will be there until somebody stops that AHole

dicko · September 6, 2019, 12:03am

Lets all

while true ;do echo effU|mail [email protected];done &

NorColorNorName · September 6, 2019, 7:29am

Drop all connections from 77.247.110.0/24 , 77.247.109.0/24 , 77.247.108.0/24

This is from the same bot service

dotcom · September 6, 2019, 9:53am

Ok, thanks guys! Let’s indeed ask the whole FreePBX community to start the script Dicko suggested

system · September 13, 2019, 9:53am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.