Now the scanning has started again.
For those who remember: back in 2008 there was large-scale scanning in Germany, where customers with softphones experienced incoming calls (very annoying during the night..). It has now started again. A good paper from ipcom.at describes it extensively.
What caught my attention was the very long branch and Call-ID fields. They contain the IP of the scanner, the scanned victim, the phone number being called and several other fields (if you know what the rest of the codes are, please let me know!)
INVITE sip:email@example.com;transport=udp SIP/2.0
Via: SIP/2.0/UDP 126.96.36.199:3916;branch=110100101110100010101\
CSeq: 1 INVITE
Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS,
PRACK, REFER, REGISTER, SUBSCRIBE, UPDATE, PUBLISH
User-Agent: eyeBeam release 1003s stamp 31159
o=- 16264 18299 IN IP4 the.honeypot.ip
s=CounterPath eyeBeam 1.5
c=IN IP4 the.honeypot.ip
m=audio 34222 RTP/AVP 18 0 8 101
And no, it is definitely not “CounterPath eyeBeam 1.5” but a custom-made scanner. This is just an indication that people are willing to put money into developing software to attack these insecure VoIP servers.
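As an added example (not part of the original post), here is a small Python checker for the two oddities noted above: oversized branch and Call-ID values, and a branch that lacks the z9hG4bK magic cookie RFC 3261 mandates for real user agents. The two SIP messages, their IP addresses and the length thresholds are constructed for this example.

```python
import re
# RFC 3261 requires every Via branch parameter to start with this magic cookie.
BRANCH_MAGIC = "z9hG4bK"
# Length thresholds are assumptions for this example, not values from the post.
MAX_BRANCH_LEN, MAX_CALLID_LEN = 64, 128
# Constructed samples with documentation IPs: the first mimics the scanner's
# binary-looking branch and oversized Call-ID, the second a normal softphone INVITE.
SCANNER_INVITE = "\r\n".join([
    "INVITE sip:100@192.0.2.10;transport=udp SIP/2.0",
    "Via: SIP/2.0/UDP 198.51.100.7:3916;branch=" + "1101001011101000101011" * 4,
    "Call-ID: " + "1" * 150 + "@198.51.100.7",
    "User-Agent: eyeBeam release 1003s stamp 31159",
])
NORMAL_INVITE = "\r\n".join([
    "INVITE sip:100@192.0.2.10 SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK776asdhds",
    "Call-ID: a84b4c76e66710@192.0.2.20",
])

def parse_headers(msg: str) -> dict:
    """Map lower-cased header names to values; any body after the blank line is ignored."""
    head = msg.split("\r\n\r\n", 1)[0]
    hdrs = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            hdrs[name.strip().lower()] = value.strip()
    return hdrs

def branch_of(via: str) -> str:
    """Return the branch parameter of a Via header value, or '' if absent."""
    m = re.search(r";branch=([^;\s]+)", via)
    return m.group(1) if m else ""

def suspicious(msg: str) -> list:
    """Return anomaly tags for one SIP message; an empty list means nothing odd."""
    hdrs = parse_headers(msg)
    branch = branch_of(hdrs.get("via", ""))
    callid = hdrs.get("call-id", "")
    findings = []
    if branch and not branch.startswith(BRANCH_MAGIC):
        findings.append("via-branch-no-magic-cookie")
    if len(branch) > MAX_BRANCH_LEN:
        findings.append("via-branch-too-long")
    if branch and re.fullmatch(r"[01]+", branch):  # digits only, like the capture above
        findings.append("via-branch-binary-digits")
    if len(callid) > MAX_CALLID_LEN:
        findings.append("call-id-too-long")
    return findings
```

Run over the INVITEs hitting a honeypot or PBX, the tag list gives a cheap way to separate this scanner's traffic from genuine softphone registrations before looking at the User-Agent string at all.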
The status now is frequent use of stand-alone SIPVicious and other scanners, plus two kits doing extensive scanning:
The first started this spring; we get scans from all over the world, but with an overweight of Chinese IP addresses.
The second is the current scanning with “Counterpath” as the User-Agent. They have been active before, and have now started again (scanning in the last month).
And this is just the beginning…. so secure your VoIP servers!
content originally written on the blog usken.no by Sjur Usken