[Spce-user] server hacked

sipwise at ics-il.net sipwise at ics-il.net
Sat Apr 27 07:44:31 EDT 2013


Dang it, not used to how this list operates (replies go directly to the person, not the list). 

I've been thinking of coming up with a script for my Mikrotik routers that detect a given number of packets per second of a given type destined towards my servers, then firewall it off when it exceeds that. SIP isn't an overly chatty protocol, so a given IP shouldn't have say more than 100 packets per second from a valid client, but would from someone trying to break in. 
----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

----- Original Message -----

From: "Matthew Ogden" <matthew at tenacit.net> 
To: "Pedro Guillem" <pedro.guillem at gmail.com> 
Cc: "spce-user" <spce-user at lists.sipwise.com> 
Sent: Saturday, April 27, 2013 5:37:57 AM 
Subject: Re: [Spce-user] server hacked 
The attack came from an A class that we allow, but actually isn't in our area (the block is not continuous). 

SSH was being hammered as well from a different IP, but it never authenticated, it stopped at Apr 26 19:25:18 spce sshd[31518]: Failed password for root from then. 
I don’t understand why the IDs of the transactions are so much shorter with no @. 
I also don't understand, if they had compromised the system and knew the authentication details, why would they first try to use the wrong username? (Almost instantly followed by the right username.) There was a previous attempt before that did authenticate: 
Apr 26 19:41:54 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip: sip.tenacit.net F= sip:WS001A002 at sip.tenacit.net T= sip:WS001A002 at sip.tenacit.net IP= 198.38.93.188:10052 ( 127.0.0.1:5060 ) ID=cd730f13b37e5f53 
Apr 26 19:41:54 spce /usr/sbin/kamailio[2169]: INFO: <script>: Authentication failed, no credentials - R=sip: sip.tenacit.net ID=cd730f13b37e5f53 
Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: New request - M=REGISTER R=sip: sip.tenacit.net F= sip:WS001A002 at sip.tenacit.net T= sip:WS001A002 at sip.tenacit.net IP= 198.38.93.188:10052 ( 127.0.0.1:5060 ) ID=cd730f13b37e5f53 
Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip: sip.tenacit.net ID=cd730f13b37e5f53 
Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip: sip.tenacit.net ID=cd730f13b37e5f53 
Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri ' sip:WS001A002 at sip.tenacit.net ' - R=sip: sip.tenacit.net ID=cd730f13b37e5f53 
Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: Contacts successfully saved - R=sip: sip.tenacit.net ID=cd730f13b37e5f53 
2 minutes before, the client device fails to get to the registration part with credentials. Those credentials are still in the device (we manage it). 
I seriously do not understand how this has taken place. But it appears the 2 minutes before, where the client device is failing to register, were part of the attack. Is there any sort of spoofing that can be used to make the authentication-details packets land up somewhere else? 
Would like to get to the bottom of how they got the password on their first attempt, so any advice is greatly appreciated. 
From: Pedro Guillem [mailto: pedro.guillem at gmail.com ] 
Sent: 27 April 2013 12:05 AM 
To: Matthew Ogden 
Cc: spce-user 
Subject: Re: [Spce-user] server hacked 

Creepy! 

You can always block the IP with iptables.. but that obviously will not solve the problem. 
I'm very new at this, but: 
1) Have you tried limiting the IP addresses of your subscribers? Are they dynamic? 

2) Did you look at other logs? /var/log/auth.conf /var/log/messages to seek for other vectors of attack? 

3) Have you tried using mysql injection on the ngcp web sites? I'm sure the sipwise folks did not miss something as essential as this, but it's worth a try. 

4) Are your sip passwords strong enough? 
I would take it from there. 
Regards 

Pedro 
On Fri, Apr 26, 2013 at 4:55 PM, Matthew Ogden <matthew at tenacit.net> wrote: 

Hi 

My server has been hacked…. I’m not sure how. 

There were no IPs/Users in Security bans. 

Here is the proxy log. I've replaced my domain with <mydomain> and the real client IP (a dynamic IP) with <REAL CLIENT IP>. I've left the hacker's IP in. 
root at spce:~# grep "Apr 26 19:42:3" /var/log/ngcp/kamailio-proxy.log 
Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 ( 127.0.0.1:5060 ) ID= 63eea6a11c3d3a0c7658f4016b7edf08 at 0.0.0.0 
Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID= 63eea6a11c3d3a0c7658f4016b7edf08 at 0.0.0.0 
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 ( 127.0.0.1:5060 ) ID= 63eea6a11c3d3a0c7658f4016b7edf08 at 0.0.0.0 
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain> ID= 63eea6a11c3d3a0c7658f4016b7edf08 at 0.0.0.0 
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:<my domain> ID= 63eea6a11c3d3a0c7658f4016b7edf08 at 0.0.0.0 
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID= 63eea6a11c3d3a0c7658f4016b7edf08 at 0.0.0.0 
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Contacts successfully saved - R=sip:<my domain> ID= 63eea6a11c3d3a0c7658f4016b7edf08 at 0.0.0.0 
Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain> T=sip:WS001A004@<my domain> IP= 198.38.93.188:10053 ( 127.0.0.1:5060 ) ID=ba701808665abe0f 
Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=ba701808665abe0f 
Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain> T=sip:WS001A004@<my domain> IP= 198.38.93.188:10053 ( 127.0.0.1:5060 ) ID=ba701808665abe0f 
Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: Authentication failed, invalid user - R=sip:<my domain> ID=ba701808665abe0f 
Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP= 198.38.93.188:10053 ( 127.0.0.1:5060 ) ID=df4767364b3ca13b 
Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=df4767364b3ca13b 
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP= 198.38.93.188:10053 ( 127.0.0.1:5060 ) ID=df4767364b3ca13b 
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain> ID=df4767364b3ca13b 
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:<my domain> ID=df4767364b3ca13b 
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID=df4767364b3ca13b 
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Contacts successfully saved - R=sip:<my domain> ID=df4767364b3ca13b 

Sincerely 
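
A detection script for the two patterns discussed in this thread, added here as an example and not code from the list, from Sipwise or from any poster: Mike's per-IP request-rate threshold (top of the thread) and the sequence in Matthew's log above, where a REGISTER for an unknown user is followed within seconds by a successful REGISTER for an existing user from an IP other than the one that registered it a moment earlier. It parses the kamailio-proxy.log line layout shown in the thread; the sample lines, addresses and transaction IDs are constructed, and the log year (which Kamailio does not write) is assumed to be 2013.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line layout taken from the kamailio-proxy.log excerpts in the thread (an assumption for other setups).
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: INFO: <script>: (.+?) - (.*)$")
NEWREQ_RE = re.compile(r"M=\S+ R=\S+ F=sip:([^@]+)@\S+ T=\S+ IP= ?([\d.]+):\d+ .*ID= ?(\S+)")
ID_RE = re.compile(r"ID= ?(\S+)")

def parse_ts(s):
    return datetime.strptime("2013 " + s, "%Y %b %d %H:%M:%S")   # year assumed: the log has none

def analyse(lines, max_requests_per_sec=100, move_window_sec=60):
    """Return (kind, detail) findings: per-IP request bursts, REGISTERs for unknown users, and a user whose registration jumps to another IP inside the window."""
    findings, per_ip_sec, req_by_id, last_reg = [], defaultdict(int), {}, {}
    for line in lines:
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        ts, event, rest = parse_ts(m.group(1)), m.group(2), m.group(3)
        if event == "New request":
            r = NEWREQ_RE.search(rest)
            if not r:
                continue
            user, ip, tid = r.groups()
            req_by_id[tid] = (user, ip)          # later lines of the transaction carry only the ID
            per_ip_sec[(ip, ts)] += 1
            if per_ip_sec[(ip, ts)] == max_requests_per_sec + 1:
                findings.append(("rate", f"{ip} sent more than {max_requests_per_sec} requests in one second"))
        elif event == "Authentication failed, invalid user":
            user, ip = req_by_id.get(ID_RE.search(rest).group(1), ("?", "?"))
            findings.append(("invalid_user", f"{ip} tried unknown user {user}"))
        elif event == "Contacts successfully saved":
            user, ip = req_by_id.get(ID_RE.search(rest).group(1), ("?", "?"))
            prev = last_reg.get(user)
            if prev and prev[0] != ip and (ts - prev[1]).total_seconds() <= move_window_sec:
                findings.append(("moved", f"{user} registered from {prev[0]} and then {ip} within {move_window_sec}s"))
            last_reg[user] = (ip, ts)
    return findings

# Constructed sample in the thread's log format (RFC 5737 addresses, made-up transaction IDs).
SAMPLE = """\
Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: New request - M=REGISTER R=sip:example.net F=sip:WS001A002@example.net T=sip:WS001A002@example.net IP=192.0.2.10:5060 ( 127.0.0.1:5060 ) ID=63eea6a11c3d3a0c@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Contacts successfully saved - R=sip:example.net ID=63eea6a11c3d3a0c@0.0.0.0
Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: New request - M=REGISTER R=sip:example.net F=sip:WS001A004@example.net T=sip:WS001A004@example.net IP= 203.0.113.7:10053 ( 127.0.0.1:5060 ) ID=ba701808665abe0f
Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: Authentication failed, invalid user - R=sip:example.net ID=ba701808665abe0f
Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:example.net F=sip:WS001A002@example.net T=sip:WS001A002@example.net IP= 203.0.113.7:10053 ( 127.0.0.1:5060 ) ID=df4767364b3ca13b
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Contacts successfully saved - R=sip:example.net ID=df4767364b3ca13b
"""
```

Running `analyse(SAMPLE.splitlines())` on the constructed sample reports the unknown-user attempt from 203.0.113.7 and then WS001A002 moving from 192.0.2.10 to 203.0.113.7 within 3 seconds; a burst above the per-second threshold from one IP is reported as a "rate" finding.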
_______________________________________________ 
Spce-user mailing list 
Spce-user at lists.sipwise.com 
http://lists.sipwise.com/listinfo/spce-user 

