[Spce-user] server hacked

Andreas Granig agranig at sipwise.com
Sat Apr 27 10:49:34 EDT 2013


Hi,

Was it one specific subscriber, or are more subscribers affected? Do you 
see something obvious (registration or call attempts from suspicious IP 
addresses) over the last few weeks, or did it really break the 
subscriber with just a couple of attempts?

And on a generic note: how do you know it's been "hacked"? What is 
different with this subscriber? Only the source IP? Does the subscriber 
know or somehow have access to the SIP credentials (either getting them 
in any case, or probably managed to get access to the EMTA/UA where the 
credentials are configured)?

Andreas

On 04/26/2013 11:55 PM, Matthew Ogden wrote:
> Hi
>
> My server has been hacked... I'm not sure how.
>
> There were no IPs/Users in Security bans.
>
> Here is the proxy log. I've replaced my domain with <mydomain> and the real
> client IP (a dynamic IP) with <REAL CLIENT IP>. I've left the hacker's IP in.
>
> root@spce:~# grep "Apr 26 19:42:3" /var/log/ngcp/kamailio-proxy.log
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Contacts successfully saved - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
>
> Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain> T=sip:WS001A004@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=ba701808665abe0f
>
> Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=ba701808665abe0f
>
> Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain> T=sip:WS001A004@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=ba701808665abe0f
>
> Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: Authentication failed, invalid user - R=sip:<my domain> ID=ba701808665abe0f
>
> Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=df4767364b3ca13b
>
> Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=df4767364b3ca13b
>
> Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=df4767364b3ca13b
>
> Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain> ID=df4767364b3ca13b
>
> Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:<my domain> ID=df4767364b3ca13b
>
> Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID=df4767364b3ca13b
>
> Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Contacts successfully saved - R=sip:<my domain> ID=df4767364b3ca13b
>
> Sincerely
>
>
>
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> http://lists.sipwise.com/listinfo/spce-user
>
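As an added example (not part of the thread or of the sipwise code), a small Python script that reads lines in the kamailio-proxy.log format quoted above and does what Andreas suggests checking by hand: it ties each REGISTER to its outcome through the Call-ID (ID=), reports subscribers whose registration succeeded from more than one source IP, and counts "invalid user" failures per source IP. The sample log is constructed from the quoted lines with a placeholder domain and RFC 5737 documentation IPs; the regular expressions assume the field layout shown in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the kamailio-proxy.log format quoted in the thread;
# the domain and IPs are placeholders (RFC 5737 ranges), not real data.
SAMPLE_LOG = """\
Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: New request - M=REGISTER R=sip:example.net F=sip:WS001A002@example.net T=sip:WS001A002@example.net IP=203.0.113.10:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: Authentication failed, no credentials - R=sip:example.net ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Contacts successfully saved - R=sip:example.net ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: New request - M=REGISTER R=sip:example.net F=sip:WS001A004@example.net T=sip:WS001A004@example.net IP=198.51.100.7:10053 (127.0.0.1:5060) ID=ba701808665abe0f
Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: Authentication failed, no credentials - R=sip:example.net ID=ba701808665abe0f
Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: Authentication failed, invalid user - R=sip:example.net ID=ba701808665abe0f
Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:example.net F=sip:WS001A002@example.net T=sip:WS001A002@example.net IP=198.51.100.7:10053 (127.0.0.1:5060) ID=df4767364b3ca13b
Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: Authentication failed, no credentials - R=sip:example.net ID=df4767364b3ca13b
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Contacts successfully saved - R=sip:example.net ID=df4767364b3ca13b
"""

NEW_REQ = re.compile(r"New request - M=(?P<method>\S+) .*?F=sip:(?P<user>[^@\s]+)@\S+ "
                     r".*?IP=(?P<ip>[\d.]+):\d+ .*?ID=(?P<cid>\S+)")
OUTCOME = re.compile(r"<script>: (?P<msg>Authentication failed, [^-]+?|"
                     r"Contacts successfully saved) - .*?ID=(?P<cid>\S+)")

def analyse(log_text):
    """Return (success_ips, invalid_user): subscriber -> set of source IPs whose
    REGISTER ended in 'Contacts successfully saved', and source IP -> count of
    'invalid user' failures (a correctly provisioned UA never produces these).
    The initial 'no credentials' failure is the normal 401 challenge: not counted."""
    calls = {}                        # Call-ID -> (subscriber, source IP)
    success_ips = defaultdict(set)
    invalid_user = defaultdict(int)
    for line in log_text.splitlines():
        m = NEW_REQ.search(line)
        if m:
            if m["method"] == "REGISTER":
                calls[m["cid"]] = (m["user"], m["ip"])
            continue
        m = OUTCOME.search(line)
        if not m or m["cid"] not in calls:
            continue
        user, ip = calls[m["cid"]]
        if m["msg"].startswith("Contacts"):
            success_ips[user].add(ip)
        elif "invalid user" in m["msg"]:
            invalid_user[ip] += 1
    return dict(success_ips), dict(invalid_user)

def multi_ip_subscribers(success_ips):
    """Subscribers whose registration succeeded from more than one source IP."""
    return {u: sorted(ips) for u, ips in success_ips.items() if len(ips) > 1}
```

Run it over a longer window (for example several weeks of kamailio-proxy.log) to answer Andreas's question: a subscriber that appears in `multi_ip_subscribers()` alongside an IP with a non-zero `invalid user` count is the one to look at first.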
