<html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><meta name="Generator" content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang="EN-ZA" link="blue" vlink="purple"><div class="WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The attack came from a A class that we allow, but actually isn’t in our area. (the block is not continuous). </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">SSH was being hammered as well from a different IP, but it never authenticated, it stopped at Apr 26 19:25:18 spce sshd[31518]: Failed password for root from then.</span></p>
<p class="MsoNormal" style><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I don’t understand why the IDs of the transactions are so much shorter with no @.</span></p><p class="MsoNormal" style>
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I also don’t understand, if they had compromised the system and knew the authentication details, why would they first try use the wrong username? (Almost instantly followed by the right username). There was a previous attempy before that did authenticate: </span></p>
<p class="MsoNormal" style><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Apr 26 19:41:54 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:<a href="http://sip.tenacit.net">sip.tenacit.net</a> F=<a href="mailto:sip%3AWS001A002@sip.tenacit.net">sip:WS001A002@sip.tenacit.net</a> T=<a href="mailto:sip%3AWS001A002@sip.tenacit.net">sip:WS001A002@sip.tenacit.net</a> IP=<a href="http://198.38.93.188:10052">198.38.93.188:10052</a> (<a href="http://127.0.0.1:5060">127.0.0.1:5060</a>) ID=cd730f13b37e5f53</span></p>
<p class="MsoNormal" style><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Apr 26 19:41:54 spce /usr/sbin/kamailio[2169]: INFO: <script>: Authentication failed, no credentials - R=sip:<a href="http://sip.tenacit.net">sip.tenacit.net</a> ID=cd730f13b37e5f53</span></p>
<p class="MsoNormal" style><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: New request - M=REGISTER R=sip:<a href="http://sip.tenacit.net">sip.tenacit.net</a> F=<a href="mailto:sip%3AWS001A002@sip.tenacit.net">sip:WS001A002@sip.tenacit.net</a> T=<a href="mailto:sip%3AWS001A002@sip.tenacit.net">sip:WS001A002@sip.tenacit.net</a> IP=<a href="http://198.38.93.188:10052">198.38.93.188:10052</a> (<a href="http://127.0.0.1:5060">127.0.0.1:5060</a>) ID=cd730f13b37e5f53</span></p>
<p class="MsoNormal" style><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<a href="http://sip.tenacit.net">sip.tenacit.net</a> ID=cd730f13b37e5f53</span></p>
<p class="MsoNormal" style><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:<a href="http://sip.tenacit.net">sip.tenacit.net</a> ID=cd730f13b37e5f53</span></p>
<p class="MsoNormal" style><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri '<a href="mailto:sip%3AWS001A002@sip.tenacit.net">sip:WS001A002@sip.tenacit.net</a>' - R=sip:<a href="http://sip.tenacit.net">sip.tenacit.net</a> ID=cd730f13b37e5f53</span></p>
<p class="MsoNormal" style><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: Contacts successfully saved - R=sip:<a href="http://sip.tenacit.net">sip.tenacit.net</a> ID=cd730f13b37e5f53</span></p>
<p class="MsoNormal" style><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">2 minutes before, the client device fails to get to the registration part with credentials. Those credentials are still in the device (we manage it). </span></p>
<p class="MsoNormal" style><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I seriously do not understand how this has taken place. But it appears the 2 minutes before where the client device is failing to register was part of the attack. Is there any sort of spoofing that can be used make the authentication details process packets land up somewhere else?</span></p>
<p class="MsoNormal" style><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Would like to get to the bottom of how they got the password on their first attempt, so any advice is greatly appreciated. </span></p>
<p class="MsoNormal" style><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt"><div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Pedro Guillem [mailto:<a href="mailto:pedro.guillem@gmail.com">pedro.guillem@gmail.com</a>] <br>
<b>Sent:</b> 27 April 2013 12:05 AM<br><b>To:</b> Matthew Ogden<br><b>Cc:</b> spce-user<br><b>Subject:</b> Re: [Spce-user] server hacked</span></p></div></div><p class="MsoNormal"> </p><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Creepy!</span></p>
<div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> </span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">You can allways block the IP with iptables.. but that obviously will not solve the problem.</span></p>
</div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> </span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">I´m very new at this, but: </span></p>
</div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> </span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">1) have you tried limiting the IP addresses of your suscribers? Are they dynamic?</span></p>
</div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2) Did you look at other logs? /var/log/auth.conf /var/log/messages to seek for other vectors of attack?</span></p>
</div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">3) Have you tried using mysql injection on the ngcp web sites?, i´m sure the sipwise folks did not miss something as essential as this, but it´s worth a try.</span></p>
</div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">4) are your sip passwords strong enought?</span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> </span></p>
</div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">I would take it from there.</span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> </span></p>
</div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Regards</span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Pedro </span></p>
</div></div><div><p class="MsoNormal" style="margin-bottom:12.0pt"> </p><div><p class="MsoNormal">On Fri, Apr 26, 2013 at 4:55 PM, Matthew Ogden <<a href="mailto:matthew@tenacit.net" target="_blank">matthew@tenacit.net</a>> wrote:</p>
<div><div><p class="MsoNormal" style>Hi </p><p class="MsoNormal" style> </p><p class="MsoNormal" style>My server has been hacked…. I’m not sure how.</p><p class="MsoNormal" style> </p><p class="MsoNormal" style>There were no IPs/Users in Security bans. </p>
<p class="MsoNormal" style> </p><p class="MsoNormal" style>Here is the proxy log, I’ve replaced my domain <mydomain> and the real client IP (dynamic IP with <REAL CLIENT IP>. I’ve left the hackers IP in.</p><p class="MsoNormal" style>
</p><p class="MsoNormal" style> </p><p class="MsoNormal" style>root@spce:~# grep "Apr 26 19:42:3" /var/log/ngcp/kamailio-proxy.log</p><p class="MsoNormal" style>Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 (<a href="http://127.0.0.1:5060" target="_blank">127.0.0.1:5060</a>) ID=<a href="mailto:63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0" target="_blank">63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0</a></p>
<p class="MsoNormal" style>Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=<a href="mailto:63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0" target="_blank">63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0</a></p>
<p class="MsoNormal" style>Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 (<a href="http://127.0.0.1:5060" target="_blank">127.0.0.1:5060</a>) ID=<a href="mailto:63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0" target="_blank">63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0</a></p>
<p class="MsoNormal" style>Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain> ID=<a href="mailto:63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0" target="_blank">63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0</a></p>
<p class="MsoNormal" style>Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:<my domain> ID=<a href="mailto:63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0" target="_blank">63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0</a></p>
<p class="MsoNormal" style>Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID=<a href="mailto:63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0" target="_blank">63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0</a></p>
<p class="MsoNormal" style>Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Contacts successfully saved - R=sip:<my domain> ID=<a href="mailto:63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0" target="_blank">63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0</a></p>
<p class="MsoNormal" style>Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain> T=sip:WS001A004@<my domain> IP=<a href="http://198.38.93.188:10053" target="_blank">198.38.93.188:10053</a> (<a href="http://127.0.0.1:5060" target="_blank">127.0.0.1:5060</a>) ID=ba701808665abe0f</p>
<p class="MsoNormal" style>Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=ba701808665abe0f</p><p class="MsoNormal" style>Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain> T=sip:WS001A004@<my domain> IP=<a href="http://198.38.93.188:10053" target="_blank">198.38.93.188:10053</a> (<a href="http://127.0.0.1:5060" target="_blank">127.0.0.1:5060</a>) ID=ba701808665abe0f</p>
<p class="MsoNormal" style>Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: Authentication failed, invalid user - R=sip:<my domain> ID=ba701808665abe0f</p><p class="MsoNormal" style>Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<a href="http://198.38.93.188:10053" target="_blank">198.38.93.188:10053</a> (<a href="http://127.0.0.1:5060" target="_blank">127.0.0.1:5060</a>) ID=df4767364b3ca13b</p>
<p class="MsoNormal" style>Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=df4767364b3ca13b</p><p class="MsoNormal" style>Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<a href="http://198.38.93.188:10053" target="_blank">198.38.93.188:10053</a> (<a href="http://127.0.0.1:5060" target="_blank">127.0.0.1:5060</a>) ID=df4767364b3ca13b</p>
<p class="MsoNormal" style>Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain> ID=df4767364b3ca13b</p><p class="MsoNormal" style>
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:<my domain> ID=df4767364b3ca13b</p><p class="MsoNormal" style>Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID=df4767364b3ca13b</p>
<p class="MsoNormal" style>Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Contacts successfully saved - R=sip:<my domain> ID=df4767364b3ca13b</p><p class="MsoNormal" style> </p><p class="MsoNormal" style>
Sincerely</p><p class="MsoNormal" style> </p></div></div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>_______________________________________________<br>Spce-user mailing list<br><a href="mailto:Spce-user@lists.sipwise.com">Spce-user@lists.sipwise.com</a><br>
<a href="http://lists.sipwise.com/listinfo/spce-user" target="_blank">http://lists.sipwise.com/listinfo/spce-user</a></p></div><p class="MsoNormal"> </p></div></div></div></body></html>