[Spce-user] fraud vulnerability

Alex Lutay alutay at sipwise.com
Thu Jan 9 11:39:09 EST 2020


Hi,

It looks like you/someone posted SIP logs and/or
SIP credentials somewhere and some "hacker" tried the
first one, no luck, then the second one -> win.

I am not aware of such kamailio leakage possibility.

As an advice, try to google your IP/FQDN + username 108,
most probably google/shodan have indexed them already.

On 1/7/20 2:00 PM, Matthew Ogden via Spce-user wrote:
> Had some fraud occur last night,
> 
> The registration happened as follows, note user  108 does not exist. but
> "VALIDUSER" does,
> 
> Jan  7 04:05:59 sip2 lb[20140]: NOTICE: <script>: New request on lb -
> M=REGISTER R=sip:<1.publicIPOfOurs> F=sip:108@<1.publicIPOfOurs>
> T=sip:108@<1.publicIPOfOurs> IP=udp:41.57.140.160:6180
> <http://41.57.140.160:6180> ID=fb17c3515b0e3437 UA='LOLO'
> DESTIP=<1.publicIPOfOurs>:5060
> Jan  7 04:05:59 sip2 lb[20141]: NOTICE: <script>: New request on lb -
> M=REGISTER R=sip:<1.publicIPOfOurs> F=sip:108@<1.publicIPOfOurs>
> T=sip:108@<1.publicIPOfOurs> IP=udp:41.57.140.160:6180
> <http://41.57.140.160:6180> ID=fb17c3515b0e3437 UA='LOLO'
> DESTIP=<1.publicIPOfOurs>:5060
> Jan  7 04:06:06 sip2 lb[20145]: NOTICE: <script>: New request on lb -
> M=REGISTER R=sip:<1.publicIPOfOurs>
> F=sip:<validUserOfOurs>@<1.publicIPOfOurs>
> T=sip:<validUserOfOurs>@<1.publicIPOfOurs> IP=udp:41.57.140.160:6180
> <http://41.57.140.160:6180> ID=8b236c12a87d4a0d UA='LOLO'
> DESTIP=<1.publicIPOfOurs>:5060
> 
> To me, the alarming part is, there was no brute force, it was just an
> immediate hack. Yet moments before, they didnt even know the right
> username to try. There is exists no provisioning or anything like that
> either, its just 2 tries on an invalid users,  and then an immediate
> successful hit on a valid user, and 20 seconds later it starts making
> call attempts.
> 
> any advice welcome

-- 
Alex Lutay




More information about the Spce-user mailing list