[Spce-user] server hacked
Andreas Granig
agranig at sipwise.com
Sat Apr 27 10:49:34 EDT 2013
Hi,
Was it one specific subscriber, or are more subscribers affected? Do you
see something obvious (registration or call attempts from suspicious ip
addresses) over the last few weeks, or did it really break the
subscriber with just a couple attempts?
And on a generic note: how do you know it's been "hacked"? What is
different with this subscriber? Only the source IP? Does the subscriber
know, or somehow have access to, the SIP credentials (either getting them
in any case, or probably by managing to get access to the EMTA/UA where the
credentials are configured)?
Andreas
On 04/26/2013 11:55 PM, Matthew Ogden wrote:
> Hi
>
> My server has been hacked… I’m not sure how.
>
> There were no IPs/Users in Security bans.
>
> Here is the proxy log. I’ve replaced my domain with <my domain> and the real
> client IP (a dynamic IP) with <REAL CLIENT IP>. I’ve left the hacker’s IP in.
>
> root@spce:~# grep "Apr 26 19:42:3" /var/log/ngcp/kamailio-proxy.log
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Contacts successfully saved - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
> Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain> T=sip:WS001A004@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=ba701808665abe0f
> Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=ba701808665abe0f
> Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain> T=sip:WS001A004@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=ba701808665abe0f
> Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: Authentication failed, invalid user - R=sip:<my domain> ID=ba701808665abe0f
> Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=df4767364b3ca13b
> Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=df4767364b3ca13b
> Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=df4767364b3ca13b
> Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain> ID=df4767364b3ca13b
> Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:<my domain> ID=df4767364b3ca13b
> Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID=df4767364b3ca13b
> Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Contacts successfully saved - R=sip:<my domain> ID=df4767364b3ca13b
>
> Sincerely
>
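Added example (not from the thread and not Sipwise code): a small Python script that replays kamailio-proxy.log lines in the format posted above and correlates them by Call-ID, which is what one would run over the last few weeks of the log to answer the questions in the reply: which subscribers have successfully registered from more than one source IP, and which source IPs have been probing for non-existent usernames (and which accounts they then registered as). The sample lines are constructed from the posted grep output, with <my domain> assumed to be example.com and <REAL CLIENT IP> assumed to be 203.0.113.10; the field names (M=, R=, F=, T=, IP=, ID=) and the message strings are taken as they appear in the post, and the script is not an official Sipwise tool.

```python
"""Correlate NGCP kamailio-proxy.log REGISTER events by Call-ID.

Added example, not code from the thread or from Sipwise. Assumptions:
<my domain> is example.com and <REAL CLIENT IP> is 203.0.113.10; the
field names (M=, R=, F=, T=, IP=, ID=) and message strings are taken
from the posted log lines.
"""
import re
import sys
from collections import defaultdict

# Constructed sample, one event per line, modelled on the posted grep output.
SAMPLE_LOG = """\
Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: New request - M=REGISTER R=sip:example.com F=sip:WS001A002@example.com T=sip:WS001A002@example.com IP=203.0.113.10:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: Authentication failed, no credentials - R=sip:example.com ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: New request - M=REGISTER R=sip:example.com F=sip:WS001A002@example.com T=sip:WS001A002@example.com IP=203.0.113.10:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:example.com ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Contacts successfully saved - R=sip:example.com ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: New request - M=REGISTER R=sip:example.com F=sip:WS001A004@example.com T=sip:WS001A004@example.com IP=198.38.93.188:10053 (127.0.0.1:5060) ID=ba701808665abe0f
Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: Authentication failed, no credentials - R=sip:example.com ID=ba701808665abe0f
Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: New request - M=REGISTER R=sip:example.com F=sip:WS001A004@example.com T=sip:WS001A004@example.com IP=198.38.93.188:10053 (127.0.0.1:5060) ID=ba701808665abe0f
Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: Authentication failed, invalid user - R=sip:example.com ID=ba701808665abe0f
Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:example.com F=sip:WS001A002@example.com T=sip:WS001A002@example.com IP=198.38.93.188:10053 (127.0.0.1:5060) ID=df4767364b3ca13b
Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: Authentication failed, no credentials - R=sip:example.com ID=df4767364b3ca13b
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: New request - M=REGISTER R=sip:example.com F=sip:WS001A002@example.com T=sip:WS001A002@example.com IP=198.38.93.188:10053 (127.0.0.1:5060) ID=df4767364b3ca13b
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Contacts successfully saved - R=sip:example.com ID=df4767364b3ca13b
"""

# "<ts> <host> <binary>[<pid>]: INFO: <script>: <message> - <KEY=value ...>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+\[\d+\]: INFO: <script>: "
    r"(?P<msg>.*?) - (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_line(line):
    """Return {ts, msg, cid, method, ip, user} for one log line, or None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    ev = {"ts": m.group("ts"), "msg": m.group("msg"),
          "cid": fields.get("ID"), "method": fields.get("M"),
          "ip": None, "user": None}
    if "IP" in fields:
        # IP=addr:port; rsplit keeps a bracketed IPv6 address intact.
        ev["ip"] = fields["IP"].rsplit(":", 1)[0]
    if "F" in fields:
        # F=sip:user@domain -> user
        ev["user"] = re.sub(r"^sips?:", "", fields["F"]).split("@", 1)[0]
    return ev


def analyse(lines):
    """Replay the log. Returns (user -> {ip: first success ts},
    ip -> set of non-existent users it tried to register as)."""
    pending = {}                       # Call-ID -> last REGISTER seen
    registered = defaultdict(dict)
    invalid_probes = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if not ev or not ev["cid"]:
            continue
        if ev["msg"] == "New request" and ev["method"] == "REGISTER":
            # The unauthenticated REGISTER and the retry carrying credentials
            # share a Call-ID, so the last request seen is the one that counts.
            pending[ev["cid"]] = ev
        elif ev["msg"] == "Contacts successfully saved":
            req = pending.pop(ev["cid"], None)
            if req:
                registered[req["user"]].setdefault(req["ip"], req["ts"])
        elif ev["msg"] == "Authentication failed, invalid user":
            req = pending.pop(ev["cid"], None)
            if req:
                invalid_probes[req["ip"]].add(req["user"])
        # "Authentication failed, no credentials" is the ordinary 401
        # challenge every client gets first; it is not evidence of anything.
    return registered, invalid_probes


def findings(lines):
    """Subscribers registered from more than one IP, and IPs that probed
    for users that do not exist (with any account they then registered as)."""
    registered, probes = analyse(lines)
    multi_ip = {u: sorted(ips) for u, ips in registered.items() if len(ips) > 1}
    probing = {}
    for ip, users in probes.items():
        probing[ip] = {
            "invalid_users": sorted(users),
            "registered_as": sorted(u for u, ips in registered.items() if ip in ips),
        }
    return {"users_from_multiple_ips": multi_ip, "probing_ips": probing}


if __name__ == "__main__":
    # Usage: python3 reg_audit.py /var/log/ngcp/kamailio-proxy.log
    # (no argument: run over the constructed sample)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print(findings(lines))
```

On the sample this reports WS001A002 as registered from both 203.0.113.10 and 198.38.93.188, and 198.38.93.188 as having tried the non-existent WS001A004 before registering as WS001A002, which is the pattern of someone walking the WS001Axxx namespace with one known-good credential. A user showing up from a second IP is not proof of compromise on its own (a roaming phone or a changed dynamic IP does the same), so the two lists are meant to be read together; a source IP that is both probing for invalid users and registering as real ones is the one to block and to rotate the credentials for.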