Phone scan using LAN ip's

I have a very strange kind of hacking attempt
Fail2Ban and iptables shows IP 62.138.3.130 as blocked, however, looks like is trying (impersonating?) different extensions using different local LAN valid addresses. Looks like the PBX is hacked but… where and how?
My pbx IP is 192.168.1.163
This is partially screenshot from ‘snrep’ (awesome tool)

  [ ] 2    INVITE     [email protected]:5060   [email protected] 1     62.138.3.130:51852     192.168.1.228:5060     CALL SETUP
  [ ] 5    INVITE     [email protected]:5060   [email protected] 1     62.138.3.130:51432     192.168.1.228:5060     CALL SETUP
  [ ] 6    INVITE     [email protected]:5060   [email protected] 1     62.138.3.130:52816     192.168.1.228:5060     CALL SETUP
  [ ] 8    INVITE     [email protected]:5060   [email protected] 1     62.138.3.130:54918     192.168.1.228:5060     CALL SETUP
  [ ] 10   INVITE     [email protected]:5060   [email protected] 1     62.138.3.130:57027     192.168.1.228:5060     CALL SETUP
  [ ] 12   INVITE     [email protected]:5060   [email protected] 1     62.138.3.130:59124     192.168.1.228:5060     CALL SETUP

sngrep uses libpcap, which monitors incoming traffic ahead of iptables (and outgoing traffic after iptables). The INVITES you posted were blocked and are completely harmless, unless you are getting so many that they exhaust your bandwidth or CPU resources.

1 Like

if you are unsettled by this,

a) report the IP to godaddy (pointless)
b) don’t use UDP/5060 as your SIP access point

That won’t help unless the OP also blocks UDP 5060 with his hardware firewall. sngrep will see the request whether or not Asterisk is listening to the port or is even running.

True, but even the most troglodyte bot will eventually let it’s handler know there is ‘no one home’ at this address and move on. (that’s just how they do this shit) The guys from Iceland/Holland/Eastern Europe will still ping 5060 every n units of time though, but never from the same host

you are right, there is no record of this attempts on asterisk.
my fail2ban setting allow one bad attempt and block the ip for a full day.
thanks

You can actually see that in the data you shared form sngrep:

  [ ] 5    INVITE     [email protected]:5060   [email protected] 1     62.138.3.130:51432     192.168.1.228:5060     CALL SETUP

We don’t have column headings, but in the Msgs column (5th column), we can see they are all 1’s, meaning the SIP dialog is nothing more than a single inbound packet, Asterisk did not respond. Compare that to a legit INVITE from an extension, and you will see the Msgs count increment for each packet back and forth.

1 Like

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.