[Spce-user] fraud vulnerability
Alex Lutay
alutay at sipwise.com
Thu Jan 9 11:39:09 EST 2020
Hi,
It looks like you/someone posted SIP logs and/or
SIP credentials somewhere and some "hacker" tried the
first one, no luck, then the second one -> win.
I am not aware of such kamailio leakage possibility.
As advice, try to google your IP/FQDN + username 108;
most probably google/shodan have indexed them already.
On 1/7/20 2:00 PM, Matthew Ogden via Spce-user wrote:
> Had some fraud occur last night,
>
> The registration happened as follows; note user 108 does not exist, but
> "VALIDUSER" does:
>
> Jan 7 04:05:59 sip2 lb[20140]: NOTICE: <script>: New request on lb - M=REGISTER R=sip:<1.publicIPOfOurs> F=sip:108@<1.publicIPOfOurs> T=sip:108@<1.publicIPOfOurs> IP=udp:41.57.140.160:6180 ID=fb17c3515b0e3437 UA='LOLO' DESTIP=<1.publicIPOfOurs>:5060
> Jan 7 04:05:59 sip2 lb[20141]: NOTICE: <script>: New request on lb - M=REGISTER R=sip:<1.publicIPOfOurs> F=sip:108@<1.publicIPOfOurs> T=sip:108@<1.publicIPOfOurs> IP=udp:41.57.140.160:6180 ID=fb17c3515b0e3437 UA='LOLO' DESTIP=<1.publicIPOfOurs>:5060
> Jan 7 04:06:06 sip2 lb[20145]: NOTICE: <script>: New request on lb - M=REGISTER R=sip:<1.publicIPOfOurs> F=sip:<validUserOfOurs>@<1.publicIPOfOurs> T=sip:<validUserOfOurs>@<1.publicIPOfOurs> IP=udp:41.57.140.160:6180 ID=8b236c12a87d4a0d UA='LOLO' DESTIP=<1.publicIPOfOurs>:5060
>
> To me, the alarming part is, there was no brute force, it was just an
> immediate hack. Yet moments before, they didn't even know the right
> username to try. There exists no provisioning or anything like that
> either, it's just 2 tries on an invalid user, and then an immediate
> successful hit on a valid user, and 20 seconds later it starts making
> call attempts.
>
> any advice welcome
--
Alex Lutay
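As an added example (not part of the thread or of the Sipwise code base), a small Python check for the pattern Matthew describes: parse lb NOTICE lines in the format quoted above, group REGISTER requests by source IP, and flag any IP that first registers as unprovisioned usernames and then as a provisioned one within a short window. The subscriber set, the sample lines and the 203.0.113.10 / 198.51.100.7 / 192.0.2.44 addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the lb NOTICE line format quoted in the thread (syslog timestamps carry no year).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ lb\[\d+\]: NOTICE: <script>: New request on lb - "
    r"M=(?P<method>\S+) R=\S+ F=sip:(?P<user>[^@\s]+)@\S+ T=\S+ "
    r"IP=\w+:(?P<src_ip>[\d.]+):\d+ ID=(?P<callid>\S+) UA='(?P<ua>[^']*)'"
)

def parse_lb_line(line, year=2020):
    """Parse one lb NOTICE line into a dict, or return None if it is not a 'New request' line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev

def find_probe_then_valid(lines, known_users, window_s=60):
    """Flag source IPs that REGISTER as one or more unknown users and then, within
    window_s seconds of the first unknown attempt, REGISTER as a provisioned user."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_lb_line(line)
        if ev and ev["method"] == "REGISTER":
            per_ip[ev["src_ip"]].append(ev)
    hits = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["ts"])
        unknown = []  # (timestamp, username) of attempts for unprovisioned users
        for ev in evs:
            if ev["user"] not in known_users:
                unknown.append((ev["ts"], ev["user"]))
            elif unknown and (ev["ts"] - unknown[0][0]).total_seconds() <= window_s:
                hits[ip] = {"probed": sorted({u for _, u in unknown}), "valid_user": ev["user"],
                            "seconds": (ev["ts"] - unknown[0][0]).total_seconds()}
                break
    return hits

# Constructed sample lines: 203.0.113.10 stands in for the PBX, 198.51.100.7 for the probing client.
def _lb_line(ts, pid, user, src_ip, callid):
    return (f"{ts} sip2 lb[{pid}]: NOTICE: <script>: New request on lb - M=REGISTER "
            f"R=sip:203.0.113.10 F=sip:{user}@203.0.113.10 T=sip:{user}@203.0.113.10 "
            f"IP=udp:{src_ip}:6180 ID={callid} UA='LOLO' DESTIP=203.0.113.10:5060")

SAMPLE_LINES = [
    _lb_line("Jan 7 04:05:59", 20140, "108", "198.51.100.7", "fb17c3515b0e3437"),
    _lb_line("Jan 7 04:05:59", 20141, "108", "198.51.100.7", "fb17c3515b0e3437"),
    _lb_line("Jan 7 04:06:06", 20145, "alice", "198.51.100.7", "8b236c12a87d4a0d"),
    _lb_line("Jan 7 04:10:00", 20150, "bob", "192.0.2.44", "0000000000000001"),  # ordinary phone
]
KNOWN_USERS = {"alice", "bob"}  # constructed stand-in for the provisioned subscriber list
```

Run `find_probe_then_valid(SAMPLE_LINES, KNOWN_USERS)` over a day of lb logs with the real subscriber list to get, per source IP, which unprovisioned names were tried and how quickly a valid one followed.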