n2a1ce Brekeke Addict
Joined: 06 Dec 2010 Posts: 29
Location: Ukraine
Posted: Thu Feb 24, 2011 5:37 am Post subject: Attention! hackers attack! please help
1. Brekeke Product Name and version: 2.4.7.0
2. Java version: 6. 22
3. OS type and the version: ubuntu 10.04
4. UA (phone), gateway or other hardware/software involved:
audiocodes mp118, sip-phones
5. Select your network pattern from http://www.brekeke-sip.com/bbs/network/networkpatterns.html :
6. Your problem: HELP! Users (hackers) were registered on my PBX, although their accounts were not registered on the PBX. How can I avoid this next time?
n2a1ce Brekeke Addict
Joined: 06 Dec 2010 Posts: 29
Location: Ukraine
Posted: Thu Feb 24, 2011 5:39 am
Code:
http://img404.imageshack.us/i/screenshot9wn.png/
http://img651.imageshack.us/i/screenshot10zt.png/
http://img84.imageshack.us/i/15653734.jpg/
Haddas Brekeke Guru
Joined: 17 Jan 2008 Posts: 170
Posted: Thu Feb 24, 2011 2:07 pm
From your screen-shots, an attacker is using the tool called "friendly-scanner".
Enable the REGISTER/INVITE authentication immediately.
Also add the following DialPlan rule.
Matching Patterns:
User-Agent = friendly-scanner|sundayddr
Deploy Patterns:
$response = 603
rachel Brekeke Junior Member
Joined: 04 Dec 2009 Posts: 7
Location: US
Posted: Thu Mar 31, 2011 12:04 pm
Hi,
I am researching this security issue and see that sipvicious states that the user agent is now "Asterisk PBX" instead of "friendly-scanner". When I look into my log, I see both of these names in there. Should I use the same method to block "Asterisk PBX" as well?
Also, could you please show me how to change the admin user name?
I followed the instructions in Section 8 (Security) to make this dial plan, but it's not working. Could you please let me know why?
$request=^INVITE
$port=(.+)
$addr=(.+)
$registeredaddr(From)=!%1:%2
$action=403
Thank you,
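Added example (not code from the thread or from Brekeke): this Python script applies the User-Agent pattern from the DialPlan rule above to constructed SIP requests and, because that header is set by the sender, also counts the accounts a source tries to REGISTER without credentials. The threshold, addresses, host name, account numbers and function names are assumptions of the example.

```python
import re
from collections import defaultdict

# Same alternation as the Matching Pattern in the DialPlan rule above;
# matching it case-insensitively is a choice of this example.
SCANNER_UA = re.compile(r"friendly-scanner|sundayddr", re.IGNORECASE)
ENUM_THRESHOLD = 3  # assumed cut-off: accounts one source may try without credentials

def parse_request(raw):
    """Split one SIP request into (method, {lower-cased header name: value})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return head[0].split(" ", 1)[0].upper(), headers

def classify(packets):
    """packets: (source_ip, raw_request) pairs. Returns {source_ip: set of reasons}."""
    findings, tried = defaultdict(set), defaultdict(set)
    for src, raw in packets:
        method, hdr = parse_request(raw)
        # Check 1: the header match that the DialPlan rule performs.
        if SCANNER_UA.search(hdr.get("user-agent", "")):
            findings[src].add("scanner-user-agent")
        # Check 2: independent of User-Agent, count accounts tried with no credentials.
        if method == "REGISTER" and "authorization" not in hdr:
            tried[src].update(re.findall(r"sip:([^@>;]+)@", hdr.get("to", "")))
            if len(tried[src]) >= ENUM_THRESHOLD:
                findings[src].add("register-enumeration")
    return dict(findings)

def make_register(user, agent, auth=False):
    lines = ["REGISTER sip:pbx.example.test SIP/2.0",
             f"To: <sip:{user}@pbx.example.test>", f"User-Agent: {agent}"]
    if auth:
        lines.append(f'Authorization: Digest username="{user}"')
    return "\r\n".join(lines) + "\r\n\r\n"

# Constructed sample traffic (documentation addresses, made-up accounts).
SAMPLE = [
    ("192.0.2.10", make_register("201", "DeskPhone/1.0")),             # phone, first try
    ("192.0.2.10", make_register("201", "DeskPhone/1.0", auth=True)),  # phone, after challenge
    ("203.0.113.5", make_register("100", "friendly-scanner")),
] + [("198.51.100.7", make_register(str(n), "Asterisk PBX")) for n in (100, 101, 102)]

if __name__ == "__main__":
    print(classify(SAMPLE))
```

The source that sends a different User-Agent is caught only by the second check, and the ordinary phone, which retries one account with credentials after the challenge, is not flagged.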
taitan Brekeke Master Guru
Joined: 15 Mar 2008 Posts: 237