Phone scan using LAN ip's



I have a very strange kind of hacking attempt.
Fail2Ban and iptables show the IP as blocked; however, it looks like it is trying (impersonating?) different extensions using different valid local LAN addresses. Looks like the PBX is hacked but… where and how?
My PBX IP is
This is a partial screenshot from ‘sngrep’ (awesome tool):

  [ ] 2    INVITE     2311@   +441613940186@ 1     CALL SETUP
  [ ] 5    INVITE     2311@   011441613940186@192.168.1 1     CALL SETUP
  [ ] 6    INVITE     2311@   9011441613940186@192.168. 1     CALL SETUP
  [ ] 8    INVITE     2311@   8011441613940186@192.168. 1     CALL SETUP
  [ ] 10   INVITE     2311@   00441613940186@192.168.1. 1     CALL SETUP
  [ ] 12   INVITE     2311@   .011441613940186@192.168. 1     CALL SETUP


sngrep uses libpcap, which monitors incoming traffic ahead of iptables (and outgoing traffic after iptables). The INVITES you posted were blocked and are completely harmless, unless you are getting so many that they exhaust your bandwidth or CPU resources.


if you are unsettled by this,

a) report the IP to godaddy (pointless)
b) don’t use UDP/5060 as your SIP access point


That won’t help unless the OP also blocks UDP 5060 with his hardware firewall. sngrep will see the request whether or not Asterisk is listening to the port or is even running.


True, but even the most troglodyte bot will eventually let its handler know there is ‘no one home’ at this address and move on. (that’s just how they do this shit) The guys from Iceland/Holland/Eastern Europe will still ping 5060 every n units of time though, but never from the same host.


You are right, there is no record of these attempts on Asterisk.
My fail2ban settings allow one bad attempt and block the IP for a full day.

(Lorne Gaetz) #7

You can actually see that in the data you shared from sngrep:

  [ ] 5    INVITE     2311@   011441613940186@192.168.1 1     CALL SETUP

We don’t have column headings, but in the Msgs column (5th column), we can see they are all 1’s, meaning the SIP dialog is nothing more than a single inbound packet, Asterisk did not respond. Compare that to a legit INVITE from an extension, and you will see the Msgs count increment for each packet back and forth.
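The check described in this last reply (a Msgs count of 1 means a single inbound packet that Asterisk never answered) can be scripted against sngrep's call list. The following is an added example, not code from the thread or from the sngrep project: it parses constructed rows in the shape of the call list above, labels one-packet INVITEs as dropped probes, and separately flags rows whose To URI names a LAN address even though the From host is not on the LAN, which is exactly what the opening post found puzzling. The `LAN_NETS` value, the column layout and the sample addresses (RFC 5737 and RFC 1918 ranges) are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample rows shaped like sngrep's call list: index, method,
# From URI, To URI, message count, dialog state. Addresses are documentation
# ranges, not the thread's real traffic.
SAMPLE_CALLS = """\
[ ] 2    INVITE    2311@203.0.113.10   +441613940186@192.168.1.20       1   CALL SETUP
[ ] 5    INVITE    2311@203.0.113.10   011441613940186@192.168.1.20     1   CALL SETUP
[ ] 6    INVITE    2311@203.0.113.10   9011441613940186@192.168.1.20    1   CALL SETUP
[ ] 9    INVITE    1001@192.168.1.50   1002@192.168.1.20                7   COMPLETED
[ ] 11   REGISTER  1001@192.168.1.50   1001@192.168.1.20                2   COMPLETED
"""

# Assumption: the PBX's own LAN; adjust for the site being monitored.
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]

LINE_RE = re.compile(
    r"^\s*\[.\]\s+(?P<idx>\d+)\s+(?P<method>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<dst>\S+)\s+(?P<msgs>\d+)\s+(?P<state>.+?)\s*$"
)


@dataclass
class Dialog:
    idx: int
    method: str
    src: str    # From URI, user@host
    dst: str    # To URI, user@host
    msgs: int   # packets seen in the dialog (sngrep's Msgs column)
    state: str


def parse_calls(text: str) -> list[Dialog]:
    """Parse sngrep-style call-list rows; rows that do not match are skipped."""
    dialogs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            dialogs.append(Dialog(int(m["idx"]), m["method"], m["src"],
                                  m["dst"], int(m["msgs"]), m["state"]))
    return dialogs


def host_of(uri: str) -> str:
    """Return the host part of a user@host SIP URI."""
    return uri.rsplit("@", 1)[-1]


def in_lan(host: str) -> bool:
    """True when the host is an IP address inside one of LAN_NETS."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname or truncated field: treat as not-LAN
    return any(addr in net for net in LAN_NETS)


def classify(d: Dialog) -> str:
    """Label a dialog the way the reply above reads the Msgs column."""
    if d.msgs == 1:
        # One inbound packet and nothing back: Asterisk never saw or never
        # answered it, so the sender got no information from the PBX.
        return "dropped-probe"
    if in_lan(host_of(d.src)):
        return "internal"
    # A multi-packet dialog with an outside source: legitimate remote
    # extensions land here too, so this is a review bucket, not a verdict.
    return "answered-external"


def claims_lan_target(d: Dialog) -> bool:
    """True when an outside sender put a LAN address in the To URI.

    The To header is set by whoever builds the INVITE, so a LAN address
    there says nothing about where the packet actually came from.
    """
    return not in_lan(host_of(d.src)) and in_lan(host_of(d.dst))


def summarize(dialogs: list[Dialog]) -> dict[str, int]:
    """Count dialogs per label, for a quick daily triage line."""
    return dict(Counter(classify(d) for d in dialogs))


if __name__ == "__main__":
    calls = parse_calls(SAMPLE_CALLS)
    for d in calls:
        flag = " (LAN address in To URI from outside host)" if claims_lan_target(d) else ""
        print(f"#{d.idx:<3} {d.method:<9} msgs={d.msgs:<2} {classify(d)}{flag}")
    print(summarize(calls))
```

Run it as-is to see the three one-packet INVITEs labelled as dropped probes and flagged for the LAN-looking To URI, while the real extension traffic is labelled internal; feeding it the actual sngrep text instead of the constructed rows only requires that the columns are kept in the same order.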