Phone scan using LAN IPs

firewall

#1

I have a very strange kind of hacking attempt.
Fail2Ban and iptables show IP 62.138.3.130 as blocked; however, it looks like it is trying (impersonating?) different extensions using different valid local LAN addresses. Looks like the PBX is hacked but… where and how?
My PBX IP is 192.168.1.163.
This is a partial screenshot from ‘sngrep’ (awesome tool):

  [ ] 2    INVITE     2311@192.168.1.228:5060   +441613940186@192.168.1.2 1     62.138.3.130:51852     192.168.1.228:5060     CALL SETUP
  [ ] 5    INVITE     2311@192.168.1.228:5060   011441613940186@192.168.1 1     62.138.3.130:51432     192.168.1.228:5060     CALL SETUP
  [ ] 6    INVITE     2311@192.168.1.228:5060   9011441613940186@192.168. 1     62.138.3.130:52816     192.168.1.228:5060     CALL SETUP
  [ ] 8    INVITE     2311@192.168.1.228:5060   8011441613940186@192.168. 1     62.138.3.130:54918     192.168.1.228:5060     CALL SETUP
  [ ] 10   INVITE     2311@192.168.1.228:5060   00441613940186@192.168.1. 1     62.138.3.130:57027     192.168.1.228:5060     CALL SETUP
  [ ] 12   INVITE     2311@192.168.1.228:5060   .011441613940186@192.168. 1     62.138.3.130:59124     192.168.1.228:5060     CALL SETUP

#2

sngrep uses libpcap, which monitors incoming traffic ahead of iptables (and outgoing traffic after iptables). The INVITES you posted were blocked and are completely harmless, unless you are getting so many that they exhaust your bandwidth or CPU resources.


#3

If you are unsettled by this,

a) report the IP to godaddy (pointless)
b) don’t use UDP/5060 as your SIP access point


#4

That won’t help unless the OP also blocks UDP 5060 with his hardware firewall. sngrep will see the request whether or not Asterisk is listening to the port or is even running.


#5

True, but even the most troglodyte bot will eventually let its handler know there is ‘no one home’ at this address and move on. (That’s just how they do this shit.) The guys from Iceland/Holland/Eastern Europe will still ping 5060 every n units of time though, but never from the same host.


#6

You are right, there is no record of these attempts in Asterisk.
My fail2ban setting allows one bad attempt and blocks the IP for a full day.
Thanks


(Lorne Gaetz) #7

You can actually see that in the data you shared from sngrep:

  [ ] 5    INVITE     2311@192.168.1.228:5060   011441613940186@192.168.1 1     62.138.3.130:51432     192.168.1.228:5060     CALL SETUP

We don’t have column headings, but in the Msgs column (5th column), we can see they are all 1’s, meaning the SIP dialog is nothing more than a single inbound packet, Asterisk did not respond. Compare that to a legit INVITE from an extension, and you will see the Msgs count increment for each packet back and forth.
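The two observations made in this thread (post #2: libpcap sees the packet even though iptables dropped it; post #7: a Msgs count of 1 means Asterisk never replied) can be turned into a small triage check over the sngrep call list. The script below is an added example, not code from the thread or from sngrep; it parses rows in the column order shown above, flags dialogs whose source address is outside the LAN while the From header claims a LAN host, and counts single-packet (unanswered) INVITEs per external source. The LAN range 192.168.1.0/24, the third "IN CALL" row with 7 messages, and the column layout are assumptions constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of sngrep call-list rows, modelled on the lines posted in the
# thread. Assumed column order: marker, idx, method, from, to, msgs, source,
# destination, state. The third row is an invented legitimate internal dialog.
SAMPLE_ROWS = """\
[ ] 2    INVITE     2311@192.168.1.228:5060   +441613940186@192.168.1.2 1     62.138.3.130:51852     192.168.1.228:5060     CALL SETUP
[ ] 5    INVITE     2311@192.168.1.228:5060   011441613940186@192.168.1 1     62.138.3.130:51432     192.168.1.228:5060     CALL SETUP
[ ] 7    INVITE     2311@192.168.1.228:5060   2312@192.168.1.163        7     192.168.1.228:5060     192.168.1.163:5060     IN CALL
"""

# One sngrep call-list row; the state column may contain spaces ("CALL SETUP").
ROW_RE = re.compile(
    r"^\[.\]\s+(?P<idx>\d+)\s+(?P<method>\S+)\s+(?P<from>\S+)\s+(?P<to>\S+)\s+"
    r"(?P<msgs>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<state>.+?)\s*$"
)


def parse_rows(text):
    """Return a list of dicts, one per row that matches the sngrep layout."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # skip headings, blank lines or truncated rows
        row = m.groupdict()
        row["idx"] = int(row["idx"])
        row["msgs"] = int(row["msgs"])
        rows.append(row)
    return rows


def host_of(addr):
    """'user@host:port' or 'host:port' -> 'host'."""
    host = addr.rsplit("@", 1)[-1]
    return host.rsplit(":", 1)[0]


def classify(row, lan):
    """Flag the two signals discussed in the thread for a single row."""
    src_ip = ip_address(host_of(row["src"]))  # where the packet actually came from
    try:
        from_claims_lan = ip_address(host_of(row["from"])) in lan
    except ValueError:
        from_claims_lan = False  # From host is a name, not an address
    return {
        "idx": row["idx"],
        "src_ip": str(src_ip),
        "external_source": src_ip not in lan,
        # Msgs == 1: a single inbound packet, nothing sent back (post #7)
        "unanswered": row["msgs"] == 1,
        # From header names a LAN host but the packet came from outside (post #1)
        "spoofed_lan_from": from_claims_lan and src_ip not in lan,
    }


def analyze(text, lan_cidr="192.168.1.0/24"):
    lan = ip_network(lan_cidr)
    return [classify(row, lan) for row in parse_rows(text)]


def summarize(findings):
    """Count unanswered INVITEs from external sources, per source IP."""
    counts = Counter(
        f["src_ip"] for f in findings if f["external_source"] and f["unanswered"]
    )
    return dict(counts)


if __name__ == "__main__":
    findings = analyze(SAMPLE_ROWS)
    for f in findings:
        print(f)
    print("unanswered external INVITEs per source:", summarize(findings))
```

Running this on the sample prints the first two rows as external, unanswered and spoofing a LAN From host, and the internal 7-message dialog as neither, which is exactly the contrast post #7 describes. In practice you would feed it rows copied from the sngrep call list (or the output of sngrep's non-interactive mode) and compare the per-source counts against what fail2ban already reports.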