
They are probably creating a list of potential victims. Anything replying SIP on port 5060 gets added. Then you get the (not so) friendly-scanner.

Lee Riemer

-----Original Message-----
From: Stappenbeck, Mark [mailto:MStappenbeck at allworx.com]
Sent: Friday, October 28, 2011 11:27 AM
To: Lee Riemer
Cc: VoiceOps
Subject: RE: [VoiceOps] SIP Scan

Can't say, just noticed multiple event logs from our PBXs across the country receiving a single invite (which we reject as not trusted), and then it moves on.
Happened to have 4 servers in a /29 and saw it hit them in IP sequence, then was sent some logs from a server from yesterday, and the source IP was in the same octet as the other 4 servers.
Thanks Lee
-Mark S

Mark Stappenbeck
Senior Manager, Technical Support
Allworx
300 Main Street
East Rochester, NY 14445
585-421-5508 Office
(585) 421-3853 Fax
mstappenbeck at allworx.com
www.allworx.com

-----Original Message-----
From: Lee Riemer [mailto:lriemer at bestline.net]
Sent: Friday, October 28, 2011 12:21 PM
To: Stappenbeck, Mark
Subject: Re: [VoiceOps] SIP Scan

Are they friendly-scanner? If so, nothing unusual...
On 10/28/2011 11:13 AM, Stappenbeck, Mark wrote:
Has anyone noticed SIP Invites showing up from IPs in the 91.226.97.0/24 subnet? Seeing a progressive "scan" targeting our endpoints yesterday and today.
_______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
--
Lee Riemer
Director of Technical Operations
Bestline Communications, L.P.
Voice 512.328.9095
Fax 512.328.9095
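
Added example, not part of the original thread or any poster's code: a Python check for the pattern described above, where sources in one /24 send a single INVITE to each host and walk the destination addresses in ascending order. The log line format, the function names and the thresholds are assumptions, and the sample events are constructed from documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events: "time source_ip destination_ip sip_method".
# Addresses are RFC 5737 documentation ranges, not taken from real logs.
SAMPLE_EVENTS = """\
2011-10-28T11:02:01 203.0.113.17 198.51.100.9 INVITE
2011-10-28T11:02:03 203.0.113.17 198.51.100.10 INVITE
2011-10-28T11:02:05 203.0.113.18 198.51.100.11 INVITE
2011-10-28T11:02:07 203.0.113.18 198.51.100.12 INVITE
2011-10-28T11:05:40 192.0.2.50 198.51.100.10 INVITE
2011-10-28T11:05:41 192.0.2.50 198.51.100.10 INVITE
2011-10-28T11:05:42 192.0.2.50 198.51.100.10 REGISTER
"""

def parse_events(text):
    """Yield (time, src, dst, method); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, method = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        yield ts, src_ip, dst_ip, method

def find_sweeps(text, min_targets=3, prefix=24):
    """Map each source network to its targets when it sent one INVITE per
    host to at least min_targets hosts in ascending address order."""
    by_net = defaultdict(list)
    for ts, src, dst, method in parse_events(text):
        if method == "INVITE" and src.version == 4 and dst.version == 4:
            net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
            by_net[net].append((ts, dst))
    sweeps = {}
    for net, hits in by_net.items():
        hits.sort(key=lambda h: h[0])  # ISO 8601 strings sort chronologically
        dsts = [d for _, d in hits]
        # Strictly ascending also means no host was tried twice. Addresses
        # compare numerically, so .9 sorts before .10 (string sort would not).
        ascending = all(a < b for a, b in zip(dsts, dsts[1:]))
        if len(dsts) >= min_targets and ascending:
            sweeps[str(net)] = [str(d) for d in dsts]
    return sweeps

if __name__ == "__main__":
    print(find_sweeps(SAMPLE_EVENTS))
```

Grouping by source /24 rather than by single address is what lets the two constructed scanner addresses be seen as one sweep; a source that retries the same host repeatedly is not reported.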