[App_rpt-users] App_rpt-users Digest, Vol 52, Issue 31

Jim Duuuude telesistant at hotmail.com
Fri Jul 12 13:21:20 EDT 2013

Before you start accusing people of "hacking from China", remember that most of these SIP
'probing' attacks (where they go through a 'list' of extensions to see if they 'get a call through')
are 'done' from systems that, themselves, were compromised. 

Certainly, a good number of them seem to come from a Chinese-type location, but I have seen
others "infected" with this problem in a number of places other than China, including, in one case,
here in the US, and it was "attacking" a system on the same ISP (gee, that was "easy" to
"find and fix").

Another one I had to "deal with" (also here in the US) ironically was itself a SIP server/gateway
(*not* on port 5060), that got "compromised" to run "attack scripts" to other servers on port 5060.
As you can see, irony can be very ironic sometimes :-).

Perhaps China is a good place for these "hackers" to find systems that are run by people
that are unaware of "what's happening" with them.

In any case, since these "scripts" seem to only be "interested" in SIP servers running on port 5060,
changing the port seems to be a REALLY good way to "not have the problem anymore".


> Date: Fri, 12 Jul 2013 13:07:06 -0400
> From: DwaineGarden at rogers.com
> To: bill.hurlock at cpcomms.com
> CC: app_rpt-users at ohnosec.org
> Subject: Re: [App_rpt-users] App_rpt-users Digest, Vol 52, Issue 31
> I'm going to try that...  The hackers from China keep pounding the server nonstop.
> Bill Hurlock <bill.hurlock at cpcomms.com> wrote:
> >I had the same problem and the solution I used, because I use SIP, was to change the default SIP port to a non-standard port which stopped all the bogus junk from happening.
> >
> >Bill Hurlock
> >
> >-----Original Message-----
> >From: app_rpt-users-bounces at ohnosec.org [mailto:app_rpt-users-bounces at ohnosec.org] On Behalf Of app_rpt-users-request at ohnosec.org
> >Sent: Sunday, June 23, 2013 6:43 PM
> >To: app_rpt-users at ohnosec.org
> >Subject: App_rpt-users Digest, Vol 52, Issue 31
> >
> >_______________________________________________
> >App_rpt-users mailing list
> >App_rpt-users at ohnosec.org
> >http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
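An added example, not part of the original thread: one way to spot the extension-list probing discussed above in a server's own log, by counting how many distinct extensions each source address failed to register. It assumes Asterisk `chan_sip` style NOTICE lines; the log lines, addresses and the `probing_sources` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of Asterisk chan_sip NOTICE lines (assumed
# log format); all addresses come from documentation ranges.
SAMPLE_LOG = """\
[2013-07-12 13:01:02] NOTICE[2101] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2013-07-12 13:01:02] NOTICE[2101] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2013-07-12 13:01:03] NOTICE[2101] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2013-07-12 13:01:03] NOTICE[2101] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2013-07-12 13:02:40] NOTICE[2101] chan_sip.c: Registration from '"6001" <sip:6001@192.0.2.10>' failed for '198.51.100.23' - Wrong password
[2013-07-12 13:03:40] NOTICE[2101] chan_sip.c: Registration from '"6001" <sip:6001@192.0.2.10>' failed for '198.51.100.23' - Wrong password
[2013-07-12 13:03:41] NOTICE[2101] chan_sip.c: Registration from '"104" <sip:104@192.0.2.10>' failed for '203.0.113.7:5071' - No matching peer found
[2013-07-12 13:05:00] NOTICE[2101] chan_sip.c: Peer '6002' is now UNREACHABLE!
"""

# Captures the extension in the SIP URI and the source address; newer log
# formats append ":port" to the address, so that part is optional.
FAILED_REG = re.compile(
    r"Registration from '.*?<sip:(?P<ext>[^@>]+)@[^>]*>' "
    r"failed for '(?P<ip>[0-9.]+)(?::\d+)?'"
)


def probing_sources(log_text, min_extensions=4):
    """Return {source_ip: sorted extensions tried} for every source that
    failed registration on at least min_extensions distinct extensions."""
    tried = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if m:
            tried[m.group("ip")].add(m.group("ext"))
    return {ip: sorted(exts) for ip, exts in tried.items()
            if len(exts) >= min_extensions}


if __name__ == "__main__":
    for ip, exts in probing_sources(SAMPLE_LOG).items():
        print(f"{ip} walked {len(exts)} extensions: {', '.join(exts)}")
```

Counting distinct extensions rather than raw failures separates a source walking a list from a single phone retrying one extension with a stale password.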