Attention! hackers attack! please help

[n2a1ce]

1. Brekeke Product Name and version: 2.4.7.0

2. Java version: 6. 22

3. OS type and the version: ubuntu 10.04

4. UA (phone), gateway or other hardware/software involved:
audiocodes mp118, sip-phones

5. Select your network pattern from http://www.brekeke-sip.com/bbs/network/ ... terns.html :

6. Your problem:HELP! on my PBX were registered users (hackers), although theirs accounts were not registered on the PBX. how can I avoid this next time.

[n2a1ce]

Code: Select all

http://img404.imageshack.us/i/screenshot9wn.png/
http://img651.imageshack.us/i/screenshot10zt.png/
http://img84.imageshack.us/i/15653734.jpg/

[Haddas]

http://wiki.brekeke.com/wiki/How-to-Pro ... SIP-Attack
http://wiki.brekeke.com/wiki/Avoid-attacks
http://wiki.brekeke.com/wiki/Security

[Haddas]

From your screen-shots, an attacker is using the tool called "friendly-scanner".

Enable the REGISTER/INVITE authentication immediately.

Also add the following DialPlan rule.
---------------------------------------
[Matching Patterns:]
User-Agent = friendly-scanner|sundayddr

[Deploy Patterns:]
$response = 603
----------------------------------------

[rachel]

Hi,
I am researching on this security issue and see that sipvicious states that the user agent is now "Asterisk PBX" instead of "friendly-scanner". When I look into my log, I see both of these names in there. Should I use the same method to block "Asterisk PBX" as well?
Also, Could you please show me how to change the admin user name?

I follow the instruction in the Section 8 Security to make this dial plan but it's not working. Could you please let me know why?

$request=^INVITE
$port=(.+)
$addr=(.+)
$registeredaddr(From)=!%1:%2

$action=403

Thank you,

[taitan]

Use "$registeredsender".
http://wiki.brekeke.com/wiki/Reject-non ... llers-call