[Spce-user] fraud vulnerability
Matthew Ogden
matthew at tenacit.net
Tue Jan 7 08:00:33 EST 2020
Hi All,
Had some fraud occur last night.
The registration happened as follows; note that user 108 does not exist, but
"VALIDUSER" does:
Jan 7 04:05:59 sip2 lb[20140]: NOTICE: <script>: New request on lb - M=REGISTER R=sip:<1.publicIPOfOurs> F=sip:108@<1.publicIPOfOurs> T=sip:108@<1.publicIPOfOurs> IP=udp:41.57.140.160:6180 ID=fb17c3515b0e3437 UA='LOLO' DESTIP=<1.publicIPOfOurs>:5060
Jan 7 04:05:59 sip2 lb[20141]: NOTICE: <script>: New request on lb - M=REGISTER R=sip:<1.publicIPOfOurs> F=sip:108@<1.publicIPOfOurs> T=sip:108@<1.publicIPOfOurs> IP=udp:41.57.140.160:6180 ID=fb17c3515b0e3437 UA='LOLO' DESTIP=<1.publicIPOfOurs>:5060
Jan 7 04:06:06 sip2 lb[20145]: NOTICE: <script>: New request on lb - M=REGISTER R=sip:<1.publicIPOfOurs> F=sip:<validUserOfOurs>@<1.publicIPOfOurs> T=sip:<validUserOfOurs>@<1.publicIPOfOurs> IP=udp:41.57.140.160:6180 ID=8b236c12a87d4a0d UA='LOLO' DESTIP=<1.publicIPOfOurs>:5060
To me, the alarming part is, there was no brute force, it was just an
immediate hack. Yet moments before, they didn't even know the right username
to try. There exists no provisioning or anything like that either; it's
just 2 tries on an invalid user, and then an immediate successful hit on
a valid user, and 20 seconds later it starts making call attempts.
Any advice welcome.
Kind Regards
--
Matthew Ogden
Management
TenacIT
Strategic IT Consulting • Advanced Networking • Virtualisation
Custom Development • Hosting • Syspro Support • MS Licensing
National Tel: 041 10 10 100 | Cell: 084 205 4445 | Email: matthew at tenacit.net
CT Tel: 021 201 0333 | Skype Name: matthew.ogden | Web: http://www.tenacit.net
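The sequence in the post (REGISTER attempts for an account that does not exist, then a REGISTER for a valid account from the same source a few seconds later, then call attempts) is easy to catch from the lb NOTICE lines alone, before any call is placed. The following is an added detection example, not code from the original post and not part of Sipwise or Kamailio. It assumes the lb log format quoted above, a set of provisioned subscriber names available in Python (here the hypothetical `KNOWN_USERS`), and constructed sample lines that use RFC 5737 documentation addresses (`198.51.100.10` standing in for the platform's public IP, `203.0.113.5` and `192.0.2.77` for remote parties) and a made-up subscriber `4311` in place of `<validUserOfOurs>`.

```python
"""Flag a source IP that sends REGISTER for unknown SIP accounts and then
REGISTER for a known account shortly afterwards.

Added example, not part of the original post or of Sipwise/Kamailio.
Assumptions: the lb log format is the one quoted in the post; the set of
provisioned subscribers is available as a Python set; the sample lines are
constructed with RFC 5737 documentation addresses."""

import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines modelled on the post's lb[] NOTICE format.
# 198.51.100.10 stands in for the platform's public IP; 203.0.113.5 and
# 192.0.2.77 are remote parties. All are documentation addresses.
SAMPLE_LOG = """\
Jan 7 04:05:59 sip2 lb[20140]: NOTICE: <script>: New request on lb - M=REGISTER R=sip:198.51.100.10 F=sip:108@198.51.100.10 T=sip:108@198.51.100.10 IP=udp:203.0.113.5:6180 ID=fb17c3515b0e3437 UA='LOLO' DESTIP=198.51.100.10:5060
Jan 7 04:05:59 sip2 lb[20141]: NOTICE: <script>: New request on lb - M=REGISTER R=sip:198.51.100.10 F=sip:108@198.51.100.10 T=sip:108@198.51.100.10 IP=udp:203.0.113.5:6180 ID=fb17c3515b0e3437 UA='LOLO' DESTIP=198.51.100.10:5060
Jan 7 04:06:06 sip2 lb[20145]: NOTICE: <script>: New request on lb - M=REGISTER R=sip:198.51.100.10 F=sip:4311@198.51.100.10 T=sip:4311@198.51.100.10 IP=udp:203.0.113.5:6180 ID=8b236c12a87d4a0d UA='LOLO' DESTIP=198.51.100.10:5060
Jan 7 04:06:20 sip2 lb[20150]: NOTICE: <script>: New request on lb - M=REGISTER R=sip:198.51.100.10 F=sip:4311@198.51.100.10 T=sip:4311@198.51.100.10 IP=udp:192.0.2.77:5060 ID=0c1d2e3f4a5b6c7d UA='Office Phone' DESTIP=198.51.100.10:5060
Jan 7 04:06:26 sip2 lb[20152]: NOTICE: <script>: New request on lb - M=INVITE R=sip:0012125550199@198.51.100.10 F=sip:4311@198.51.100.10 T=sip:0012125550199@198.51.100.10 IP=udp:203.0.113.5:6180 ID=9f8e7d6c5b4a3c2d UA='LOLO' DESTIP=198.51.100.10:5060
"""

# Hypothetical set of provisioned subscribers; in real use this would be
# loaded from the platform's subscriber table.
KNOWN_USERS = {"4311", "4312", "4313"}

# Fields we need from an lb "New request" line (IPv4 sources only).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ lb\[\d+\]: NOTICE: .*?"
    r"M=(?P<method>\S+) .*?F=sip:(?P<user>[^@\s]+)@.*?"
    r"IP=(?P<proto>\w+):(?P<ip>[\d.]+):(?P<port>\d+) .*?UA='(?P<ua>[^']*)'"
)


def parse_line(line):
    """Return a dict for an lb 'New request' line, or None if it doesn't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for the relative arithmetic below as long as the log stays in one year.
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def find_probe_then_register(log_text, known_users, window_s=60):
    """Return a list of alerts, one per REGISTER for a known account that came
    from a source IP which had sent REGISTER for an unknown account within the
    previous window_s seconds. Each alert is a dict with ip, user, probed
    (sorted unknown accounts tried), seconds_since_first_probe and ua."""
    recent_unknown = defaultdict(deque)  # ip -> deque of (ts, unknown user)
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["method"] != "REGISTER":
            continue
        ip, user, ts = ev["ip"], ev["user"], ev["ts"]
        q = recent_unknown[ip]
        # forget probes that have aged out of the window
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if user not in known_users:
            q.append((ts, user))
            continue
        if q:
            alerts.append({
                "ip": ip,
                "user": user,
                "probed": sorted({u for _, u in q}),
                "seconds_since_first_probe": (ts - q[0][0]).total_seconds(),
                "ua": ev["ua"],
            })
    return alerts


if __name__ == "__main__":
    for a in find_probe_then_register(SAMPLE_LOG, KNOWN_USERS):
        print(f"ALERT {a['ip']} sent REGISTER for known user {a['user']} "
              f"{a['seconds_since_first_probe']:.0f}s after probing {a['probed']} "
              f"(UA={a['ua']!r})")
```

On the constructed input this raises one alert, for `203.0.113.5` registering `4311` seven seconds after two attempts on the non-existent `108`; the legitimate phone at `192.0.2.77` and the later INVITE produce nothing. Note that the lb NOTICE line only records that a request arrived, not whether authentication succeeded, so the alert should be correlated with the proxy's 401/200 responses (or the subscriber's registration table) before treating it as a confirmed compromise.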