
On Tue, 26 Nov 2013, Sandro Gauci wrote:
> Hey J,
> can you describe what you're seeing please? E.g. is it a system compromise, toll fraud or DoS (or none of these? :) )
> Feel free to post the response to the lists or privately to me.
> cheers,

Yo what's going on Sandro... Will post to list so that others may be able to chime in if they've seen similar.

Unsure what was happening since we had to get systems up and running "right now" since they were live systems with a mess of users on them (give or take 1000-1500 users). This is all I can say...

Yesterday morning, a client who uses a PBXNSIP based system calls: "Can't make calls, receive calls." Not a big deal, reload software, sometimes it acts up. Ten minutes later, another client using PBXNSIP calls with the same issue, followed by 2-5 systems within a half an hour of one another.

lsof | grep -i snom showed there were a lot of connections via HTTP and SIP to various addresses in Europe (.it, .de and a few others). No one was connected out there. I could not do packet captures because clients were complaining, so my ultimate reflex was an antitoll script I wrote which blocks ALL but ARIN based (North American) networks.

This solved the problem on PBXNSIP. Minutes later, some of my LifeSize videoconferencing units started making phantom calls to extensions. The username was Test() via the LifeSize, but I could not perform a packet capture on that either.

We didn't see any bursts of traffic, e.g., N_amount of excess bandwidth coming in, so DDoS was out of the question, and I am always abusing (vulnscanning, webscanning, hitting up) my PBXs, but I have yet to ever make one unresponsive. So I am lost as to what occurred. Had I to guess what happened to PBXNSIP... Maybe some bad packetjuju forced it to crash (because it was down for the count). Mind you, this ONLY affected PBXs running PBXNSIP.

Wish I knew anything more than "that was some bad packetry" but I'm stumped.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF

Thanks for the reply! Any logs from PBXNSIP/LifeSize? Also, have you ever done INVITE floods (and other INVITE tricks) etc. on that PBX? I haven't, so I'm wondering if this is simply the case of someone running svwar.py with the INVITE method or a similar tool. I've seen a rise in that sort of thing lately.

Sandro Gauci
Penetration tester and security researcher
Email: sandro at enablesecurity.com
Web: http://enablesecurity.com/
PGP: 8028 D017 2207 1786 6403 CD45 2B02 CBFE 9549 3C0C

On Tue, Nov 26, 2013 at 7:40 PM, J. Oquendo <sil at infiltrated.net> wrote:
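Sandro's suggestion (an svwar.py run using the INVITE method) and J.'s observation (many SIP connections from unexpected addresses, with no packet capture available) both come down to the same triage step: group INVITE requests by source address and look at what each source was doing. The block below is an added example written for this thread; it is not code from either poster, from SIPVicious, or from PBXNSIP, and every request, address, timestamp and threshold in it is constructed. It flags a source that rings many distinct extensions inside a short window (the svwar extension-enumeration pattern), a source that sends INVITEs at a high rate (a plain flood), and a User-Agent containing `friendly-scanner`, the default string SIPVicious sends unless the operator changes it. The input shape, a list of (timestamp, source IP, raw SIP request), is an assumption about how you would feed it from a capture or a SIP trace log.

```python
"""Triage SIP INVITE traffic per source address: flag svwar-style extension
enumeration, INVITE floods and the default SIPVicious User-Agent.

Added example for this thread. Every request, address and threshold below is
constructed for illustration; nothing here is captured from the PBXNSIP or
LifeSize systems discussed, and the code is not from either poster's scripts.
"""
import re
from collections import Counter, defaultdict

# Default User-Agent that SIPVicious (svwar.py / svmap.py) sends unless changed.
SIPVICIOUS_UA = "friendly-scanner"


def header(raw, name):
    """Return the value of the first header called `name` (case-insensitive)."""
    m = re.search(rf"^{re.escape(name)}:\s*(.*)$", raw, re.M | re.I)
    return m.group(1).strip() if m else ""


def parse_request(raw):
    """Pull method, request-URI user, From user and User-Agent out of one SIP
    request. Returns None for anything that is not a request line we recognise
    (responses such as 'SIP/2.0 200 OK' are skipped)."""
    lines = raw.lstrip().splitlines()
    if not lines:
        return None
    m = re.match(r"([A-Z]+)\s+sip:([^@\s;>]+)@", lines[0])
    if not m:
        return None
    fm = re.search(r"sip:([^@\s;>]+)@", header(raw, "From"))
    return {
        "method": m.group(1),
        "target": m.group(2),            # the extension being rung
        "from_user": fm.group(1) if fm else "",
        "user_agent": header(raw, "User-Agent"),
    }


def analyze(events, window=10.0, enum_threshold=5, flood_threshold=30):
    """events: iterable of (unix_ts, src_ip, raw_request).

    Per source, slide a `window`-second window over its INVITEs and report:
      extension-enumeration  >= enum_threshold distinct target users in a window
      invite-flood           >= flood_threshold INVITEs in a window
      sipvicious-user-agent  User-Agent contains the SIPVicious default
    Returns {src_ip: sorted list of findings}; sources with none are omitted."""
    by_src = defaultdict(list)
    for ts, src, raw in events:
        p = parse_request(raw)
        if p and p["method"] == "INVITE":
            by_src[src].append((ts, p))

    findings = {}
    for src, items in by_src.items():
        items.sort(key=lambda x: x[0])
        tags = set()
        in_window = Counter()   # target user -> INVITEs to it inside the window
        lo = 0
        for hi, (ts, p) in enumerate(items):
            in_window[p["target"]] += 1
            # Evict INVITEs that have fallen out of the window.
            while items[lo][0] < ts - window:
                old = items[lo][1]["target"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= enum_threshold:
                tags.add("extension-enumeration")
            if hi - lo + 1 >= flood_threshold:
                tags.add("invite-flood")
            if SIPVICIOUS_UA in p["user_agent"].lower():
                tags.add("sipvicious-user-agent")
        if tags:
            findings[src] = sorted(tags)
    return findings


def make_invite(target, from_user, user_agent, host="pbx.example.net"):
    """Build a minimal constructed INVITE (headers only, no SDP body)."""
    return (f"INVITE sip:{target}@{host} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {host};branch=z9hG4bK-1\r\n"
            f"To: <sip:{target}@{host}>\r\n"
            f'From: "{from_user}" <sip:{from_user}@{host}>;tag=1\r\n'
            f"User-Agent: {user_agent}\r\n"
            "Content-Length: 0\r\n\r\n")


def constructed_events():
    """Constructed traffic: one svwar-style sweep, one flood, one ordinary phone."""
    events = []
    # 203.0.113.7: one INVITE per extension 100..149, 0.1 s apart (enumeration)
    for i in range(50):
        events.append((1000.0 + i * 0.1, "203.0.113.7",
                       make_invite(str(100 + i), "sipvicious", SIPVICIOUS_UA)))
    # 198.51.100.9: 40 INVITEs to one extension in 2 s (flood, no enumeration)
    for i in range(40):
        events.append((2000.0 + i * 0.05, "198.51.100.9",
                       make_invite("200", "200", "softphone/3.1")))
    # 192.0.2.10: three ordinary calls spread over a minute (should stay quiet)
    for i, target in enumerate(["101", "102", "101"]):
        events.append((3000.0 + i * 20, "192.0.2.10",
                       make_invite(target, "150", "deskphone/1.0")))
    return events


if __name__ == "__main__":
    for src, tags in analyze(constructed_events()).items():
        print(f"{src}: {', '.join(tags)}")
```

Run as-is it reports the sweep source with all three findings, the flood source with only `invite-flood`, and nothing for the ordinary phone. The enumeration rule is the one worth trusting: a burst of INVITEs to one extension also happens with legitimate traffic (a ring group, a retry storm), but one INVITE each to dozens of distinct extensions in a few seconds is how svwar works, whatever User-Agent it is given. The thresholds are placeholders; on a 1000-1500 user PBX they would need to be set against that system's normal call rate.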