[Spce-user] server hacked

Pedro Guillem pedro.guillem at gmail.com
Fri Apr 26 18:04:53 EDT 2013


Creepy!

You can always block the IP with iptables... but that obviously will not
solve the problem.

I'm very new at this, but:

1) Have you tried limiting the IP addresses of your subscribers? Are they
dynamic?
2) Did you look at other logs (/var/log/auth.conf, /var/log/messages) to
seek out other vectors of attack?
3) Have you tried using MySQL injection on the NGCP web sites? I'm sure
the Sipwise folks did not miss something as essential as this, but it's
worth a try.
4) Are your SIP passwords strong enough?

I would take it from there.

Regards
Pedro


On Fri, Apr 26, 2013 at 4:55 PM, Matthew Ogden <matthew at tenacit.net> wrote:

> Hi
>
> My server has been hacked... I'm not sure how.
>
> There were no IPs/Users in Security bans.
>
> Here is the proxy log. I've replaced my domain with <mydomain> and the real
> client IP (dynamic IP) with <REAL CLIENT IP>. I've left the hacker's IP in.
>
> root at spce:~# grep "Apr 26 19:42:3" /var/log/ngcp/kamailio-proxy.log
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: New request
> - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain>
> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 (127.0.0.1:5060) ID=
> 63eea6a11c3d3a0c7658f4016b7edf08 at 0.0.0.0
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>:
> Authentication failed, no credentials - R=sip:<my domain> ID=
> 63eea6a11c3d3a0c7658f4016b7edf08 at 0.0.0.0
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: New request
> - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain>
> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 (127.0.0.1:5060) ID=
> 63eea6a11c3d3a0c7658f4016b7edf08 at 0.0.0.0
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load prefs
> for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain> ID=
> 63eea6a11c3d3a0c7658f4016b7edf08 at 0.0.0.0
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: IP
> authorization not provisioned, allow registration - R=sip:<my domain> ID=
> 63eea6a11c3d3a0c7658f4016b7edf08 at 0.0.0.0
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load caller
> preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part
> of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID=
> 63eea6a11c3d3a0c7658f4016b7edf08 at 0.0.0.0
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Contacts
> successfully saved - R=sip:<my domain> ID=
> 63eea6a11c3d3a0c7658f4016b7edf08 at 0.0.0.0
>
> Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: New request
> - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain>
> T=sip:WS001A004@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060)
> ID=ba701808665abe0f
>
> Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>:
> Authentication failed, no credentials - R=sip:<my domain>
> ID=ba701808665abe0f
>
> Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: New request
> - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain>
> T=sip:WS001A004@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060)
> ID=ba701808665abe0f
>
> Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>:
> Authentication failed, invalid user - R=sip:<my domain> ID=ba701808665abe0f
>
> Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request
> - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain>
> T=sip:WS001A002@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060)
> ID=df4767364b3ca13b
>
> Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>:
> Authentication failed, no credentials - R=sip:<my domain>
> ID=df4767364b3ca13b
>
> Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: New request
> - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain>
> T=sip:WS001A002@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060)
> ID=df4767364b3ca13b
>
> Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load prefs
> for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain>
> ID=df4767364b3ca13b
>
> Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: IP
> authorization not provisioned, allow registration - R=sip:<my domain>
> ID=df4767364b3ca13b
>
> Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load caller
> preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part
> of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID=df4767364b3ca13b
>
> Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Contacts
> successfully saved - R=sip:<my domain> ID=df4767364b3ca13b
>
> Sincerely
>
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> http://lists.sipwise.com/listinfo/spce-user
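A defender-side check for the pattern in the quoted log, added here as example code (not from the thread or from the Sipwise project): it parses lines in the kamailio-proxy.log format shown above, ties each "Contacts successfully saved" back to the source IP of its REGISTER via the message ID, flags a subscriber whose registration was accepted from an IP outside the provisioned set (or, with no allowlist, from a second IP), and counts "invalid user" failures per source as a guessing indicator. The sample lines, domain and IPs below are constructed documentation values, not the poster's data.

```python
import re
from collections import defaultdict

# Constructed sample in the kamailio-proxy.log format quoted in the thread.
# example.net, 203.0.113.10 (legitimate client) and 198.51.100.7 (unknown
# source) are documentation placeholders, not values from the post.
SAMPLE_LOG = """\
Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: New request - M=REGISTER R=sip:example.net F=sip:WS001A002@example.net T=sip:WS001A002@example.net IP=203.0.113.10:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: Authentication failed, no credentials - R=sip:example.net ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Contacts successfully saved - R=sip:example.net ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: New request - M=REGISTER R=sip:example.net F=sip:WS001A004@example.net T=sip:WS001A004@example.net IP=198.51.100.7:10053 (127.0.0.1:5060) ID=ba701808665abe0f
Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: Authentication failed, invalid user - R=sip:example.net ID=ba701808665abe0f
Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:example.net F=sip:WS001A002@example.net T=sip:WS001A002@example.net IP=198.51.100.7:10053 (127.0.0.1:5060) ID=df4767364b3ca13b
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Contacts successfully saved - R=sip:example.net ID=df4767364b3ca13b
"""

# "New request" carries method, From-user, source IP and the message ID that
# later lines reuse; the result lines carry only the ID.
NEW_REQ = re.compile(r"New request - M=(?P<m>\S+) .*?F=sip:(?P<user>[^@\s]+)@\S+ "
                     r".*?IP=(?P<ip>[\d.]+):\d+ .*?ID=(?P<id>\S+)")
SAVED = re.compile(r"Contacts successfully saved .*?ID=(?P<id>\S+)")
INVALID = re.compile(r"Authentication failed, invalid user .*?ID=(?P<id>\S+)")


def analyse(log_text, allowed_ips=None):
    """Return (registrations, failed_by_ip, alerts).

    allowed_ips: optional {user: {ip, ...}} of provisioned source addresses.
    The 'no credentials' line is the normal 401 challenge and is ignored."""
    requests = {}                     # ID -> (user, ip) from "New request"
    registrations = defaultdict(set)  # user -> IPs whose REGISTER was saved
    failed_by_ip = defaultdict(int)   # ip -> "invalid user" failures
    alerts = []
    for line in log_text.splitlines():
        if (m := NEW_REQ.search(line)) and m["m"] == "REGISTER":
            requests[m["id"]] = (m["user"], m["ip"])
        elif (m := INVALID.search(line)) and m["id"] in requests:
            failed_by_ip[requests[m["id"]][1]] += 1
        elif (m := SAVED.search(line)) and m["id"] in requests:
            user, ip = requests[m["id"]]
            if allowed_ips is not None and ip not in allowed_ips.get(user, set()):
                alerts.append(f"{user}: registration saved from unexpected IP {ip}")
            elif allowed_ips is None and registrations[user] and ip not in registrations[user]:
                alerts.append(f"{user}: registration saved from a second IP {ip}")
            registrations[user].add(ip)
    return dict(registrations), dict(failed_by_ip), alerts
```

Run it over the live log with a provisioned allowlist per subscriber to get the effect of the "IP authorization" the log says was not provisioned, or without one to spot accounts that suddenly register from more than one address.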