[App_rpt-users] App_rpt-users Digest, Vol 52, Issue 31

Bill Hurlock bill.hurlock at cpcomms.com
Fri Jul 12 17:05:00 EDT 2013


Ones  I had problems with were coming from a small island in Japan. Every time they would get close to finding my SIP phone number I would move it. I was playing with them for a while. Once I got tired I just moved the SIP port and haven't had a problem since. I wanted to watch their search method for a while before I killed them off. Both of them used a different approach to discovery.

Bill Hurlock

From: Jim Duuuude [mailto:telesistant at hotmail.com]
Sent: Friday, July 12, 2013 1:21 PM
To: Dwaine Garden VE3GIF; Bill Hurlock
Cc: app_rpt mailing list
Subject: RE: [App_rpt-users] App_rpt-users Digest, Vol 52, Issue 31

Before you start accusing people of "hacking from China", remember that most of these SIP
'probing' attacks (where they go through a 'list' of extensions to see if they 'get a call through')
are 'done' from systems that, themselves, were compromised.

Certainly, a good number of them seem to come from a Chinese-type location, but I have seen
others "infected" with this problem in a number of places other then China, including, in one case,
here in the US, and it was "attacking" a system on the same ISP (gee, that was "easy" to
"find and fix").

Another one I had to "deal with" (also here in the US) ironically was itself a SIP server/gateway
(*not* on port 5060), that got "compromised" to run "attack scripts" to other servers on port 5060.
As you can see, irony can be very ironic sometimes :-).

Perhaps China is a good place for these "hackers" to find systems that are run by people
that are unaware of "what's happening" with them.

In any case, since these "scripts" seem to only be "interested" in SIP servers running on port 5060,
changing the port seems to be a REALLY good way to "not have the problem anymore".

Jim
> Date: Fri, 12 Jul 2013 13:07:06 -0400
> From: DwaineGarden at rogers.com<mailto:DwaineGarden at rogers.com>
> To: bill.hurlock at cpcomms.com<mailto:bill.hurlock at cpcomms.com>
> CC: app_rpt-users at ohnosec.org<mailto:app_rpt-users at ohnosec.org>
> Subject: Re: [App_rpt-users] App_rpt-users Digest, Vol 52, Issue 31
>
> I'm going to try that... The hackers from China keep pounding the server non stop.
>
> Bill Hurlock <bill.hurlock at cpcomms.com<mailto:bill.hurlock at cpcomms.com>> wrote:
>
> >I had the same problem and the solution I used, because I use SIP, was to change the default SIP port to a non standard port which stopped all the bogus junk from happening.
> >
> >Bill Hurlock
> >
> >-----Original Message-----
> >From: app_rpt-users-bounces at ohnosec.org<mailto:app_rpt-users-bounces at ohnosec.org> [mailto:app_rpt-users-bounces at ohnosec.org] On Behalf Of app_rpt-users-request at ohnosec.org<mailto:app_rpt-users-request at ohnosec.org>
> >Sent: Sunday, June 23, 2013 6:43 PM
> >To: app_rpt-users at ohnosec.org<mailto:app_rpt-users at ohnosec.org>
> >Subject: App_rpt-users Digest, Vol 52, Issue 31
> >
> >Send App_rpt-users mailing list submissions to
> > app_rpt-users at ohnosec.org<mailto:app_rpt-users at ohnosec.org>
> >
> >To subscribe or unsubscribe via the World Wide Web, visit
> > http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
> >or, via email, send a message with subject or body 'help' to
> > app_rpt-users-request at ohnosec.org<mailto:app_rpt-users-request at ohnosec.org>
> >
> >You can reach the person managing the list at
> > app_rpt-users-owner at ohnosec.org<mailto:app_rpt-users-owner at ohnosec.org>
> >
> >When replying, please edit your Subject line so it is more specific than "Re: Contents of App_rpt-users digest..."
> >_______________________________________________
> >App_rpt-users mailing list
> >App_rpt-users at ohnosec.org<mailto:App_rpt-users at ohnosec.org>
> >http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
> _______________________________________________
> App_rpt-users mailing list
> App_rpt-users at ohnosec.org<mailto:App_rpt-users at ohnosec.org>
> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.allstarlink.org/pipermail/app_rpt-users/attachments/20130712/7778e6e1/attachment.html>


More information about the App_rpt-users mailing list