
Apologies for the cross-posting to lists (VoIPSA + VoiceOPS), but I thought readers would find the information interesting. While not that big of a deal, I figured I'd ramble on a bit and make some noise on-list to keep everyone awake/on_yer_toes by way of security/compromises.

So one of my Asterisk machines (public facing, of course) gets owned yesterday. It's alright with me; it's configured with the phorensix honeypot, so I'm not concerned it was owned, but a few peculiarities hit me:

1) I had no account named asterisk on the machine.

2) Seven unique addresses dialing the same number - all addresses are hosting providers: (cleaned up CDR for clarity)

asterisk 00442070661000 default asterisk <asterisk> 50.28.8.166 Playback your-account 2011-03-14 23:57:12 2011-03-14 23:57:13 2011-03-14 23:57:13 1,0 ANSWERED DOCUMENTATION
asterisk 00442070661000 default asterisk <asterisk> 216.14.117.32 Playback your-account 2011-03-15 00:34:29 2011-03-15 00:34:30 2011-03-15 00:34:30 1,0 ANSWERED DOCUMENTATION
asterisk 011442070661000 default asterisk <asterisk> 69.57.170.30 Playback your-account 2011-03-15 01:51:24 2011-03-15 01:51:25 2011-03-15 01:51:25 1,0 ANSWERED DOCUMENTATION
asterisk 900442070661000 default asterisk <asterisk> 174.132.230.26 Playback your-account 2011-03-15 02:30:24 2011-03-15 02:30:25 2011-03-15 02:30:25 1,0 ANSWERED DOCUMENTATION
asterisk 9442070661000 default asterisk <asterisk> 174.132.230.26 Playback your-account 2011-03-15 03:47:51 2011-03-15 03:47:52 2011-03-15 03:47:52 1,0 ANSWERED DOCUMENTATION
asterisk 000011442070661000 default asterisk <asterisk> 216.14.117.32 Playback your-account 2011-03-15 05:09:12 2011-03-15 05:09:13 2011-03-15 05:09:13 1,0 ANSWERED DOCUMENTATION
asterisk 0011442070661000 default asterisk <asterisk> 69.16.243.1 Playback your-account 2011-03-15 05:50:45 2011-03-15 05:50:46 2011-03-15 05:50:46 1,0 ANSWERED DOCUMENTATION
asterisk 8011442070661000 default asterisk <asterisk> 67.225.225.68 Playback your-account 2011-03-15 06:33:56 2011-03-15 06:33:57 2011-03-15 06:33:57 1,0 ANSWERED DOCUMENTATION
asterisk 0442070661000 default asterisk <asterisk> 205.234.252.143 Playback your-account 2011-03-15 07:17:32 2011-03-15 07:17:33 2011-03-15 07:17:33 1,0 ANSWERED DOCUMENTATION

3) I'm betting this is not automated: first call, fail; second call is made 37 minutes later, fail. Third call comes in 1:17 after the second (fail), with the next call 39 minutes after that, and so on. I thought of the possibility of automation (if, then, else), but the timing between calls makes little sense.

Wish I had a data munching/crunching application similar to Maltego with telecom capabilities to make sense of some of the endpoints (numbers dialed). I'm willing to bet a cup of coffee that this is one individual (group) with likely some form of botnet or (pseudo) complex controlling mechanism that initially needs intervention and, once set, would spit out thousands of calls.

I'm curious to know how many others are seeing "asterisk" in active/passive attacks. I've had clients with ATAs complain "someone is calling me @ 4am with a weird caller ID (asterisk)." Anyone care to shed some light on this potential attack vector? (asterisk)

Things to keep in mind on this: I have NO USER named asterisk on that box (not even in my honeypot application), but *somehow* someone placed a call with that username. Remote exploit maybe, compromised ATA, who knows. Anyhow, they've all become entries for the blacklist for those using the list (vabl). Just wanted to get the info out, as I'm leaning towards someone/some group with some form of meshed/interlinked C&C of sorts aimed at Asterisk deployments.
50.28.8.166 | ADN | VABL | 201100314 | 83fdfc21afed8786fcf4c09fd06672f7 | 32244 | 50.28.0.0/17 | LIQUID-WEB-INC | US | LIQUIDWEB.COM | LIQUID WEB INC | 011442070661000
216.14.117.32 | ADN | VABL | 201100314 | 83fdfc21afed8786fcf4c09fd06672f7 | 46433 | 216.14.117.0/24 | ADF01 | US | EBOUNDHOST.COM | EBOUNDHOST.COM | 011442070661000
69.57.170.30 | ADN | VABL | 201100314 | 83fdfc21afed8786fcf4c09fd06672f7 | 25653 | 69.57.160.0/19 | FORTRESSITX | US | EMLBASE.ORG | CIRTEX-CORP | 011442070661000
174.132.230.26 | ADN | VABL | 201100314 | 83fdfc21afed8786fcf4c09fd06672f7 | 21844 | 174.132.0.0/15 | THEPLANET-AS | US | THEPLANET.COM | THEPLANET.COM INTERNET SERVICES INC | 011442070661000
174.132.230.26 | ADN | VABL | 201100314 | 83fdfc21afed8786fcf4c09fd06672f7 | 21844 | 174.132.0.0/15 | THEPLANET-AS | US | THEPLANET.COM | THEPLANET.COM INTERNET SERVICES INC | 011442070661000
216.14.117.32 | ADN | VABL | 201100314 | 83fdfc21afed8786fcf4c09fd06672f7 | 46433 | 216.14.117.0/24 | ADF01 | US | EBOUNDHOST.COM | EBOUNDHOST.COM | 011442070661000
69.16.243.1 | ADN | VABL | 201100314 | 83fdfc21afed8786fcf4c09fd06672f7 | 32244 | 69.16.224.0/19 | LIQUID-WEB-INC | US | LIQUIDWEB.COM | LIQUID WEB INC | 011442070661000
67.225.225.68 | ADN | VABL | 201100314 | 83fdfc21afed8786fcf4c09fd06672f7 | 32244 | 67.225.192.0/18 | LIQUID-WEB-INC | US | LIQUIDWEB.COM | LIQUID WEB INC | 011442070661000
205.234.252.143 | ADN | VABL | 201100314 | 83fdfc21afed8786fcf4c09fd06672f7 | 40913 | 205.234.0.0/16 | QTS-SJC-1 | US | HOSTFORWEB.COM | HOSTFORWEB INC | 011442070661000

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
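The three observations in the post (an unknown caller-ID/account name, many hosting-provider sources dialing one destination under varying dial prefixes, and the odd spacing between attempts) are all things a defender can pull out of CDR data automatically. The following is an added example, not code from the post or from the Asterisk project: it reduces each dialed string to a common core by stripping trunk-access and international-dialing prefixes, clusters calls by that core, and reports clusters hit from several sources with several prefix variants, along with the gaps between attempts and any calls from accounts that do not exist on the box. The sample rows are constructed from the cleaned CDR in the post (source name, dialed number, peer address, start time); the prefix list and the thresholds are assumptions for illustration, and the prefix stripping is deliberately aggressive because it is meant for clustering suspicious traffic, not for routing.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in the shape of the post's cleaned CDR:
# (src / caller-ID account, dialed string, peer IP, call start).
SAMPLE_CDR = [
    ("asterisk", "00442070661000",     "50.28.8.166",     "2011-03-14 23:57:12"),
    ("asterisk", "00442070661000",     "216.14.117.32",   "2011-03-15 00:34:29"),
    ("asterisk", "011442070661000",    "69.57.170.30",    "2011-03-15 01:51:24"),
    ("asterisk", "900442070661000",    "174.132.230.26",  "2011-03-15 02:30:24"),
    ("asterisk", "9442070661000",      "174.132.230.26",  "2011-03-15 03:47:51"),
    ("asterisk", "000011442070661000", "216.14.117.32",   "2011-03-15 05:09:12"),
    ("asterisk", "0011442070661000",   "69.16.243.1",     "2011-03-15 05:50:45"),
    ("asterisk", "8011442070661000",   "67.225.225.68",   "2011-03-15 06:33:56"),
    ("asterisk", "0442070661000",      "205.234.252.143", "2011-03-15 07:17:32"),
]

# Assumed prefix set: outside-line digits (9, 8) and IDD/trunk prefixes.
# Longer prefixes first so "0011" is not eaten as "00" + "11".
DIAL_PREFIXES = ("0011", "011", "00", "0", "9", "8")


def normalize_dialed(number):
    """Repeatedly strip known dial-out prefixes until none match.

    All nine variants in the post collapse to 442070661000. This is an
    aggressive clustering key, not a routing normalization.
    """
    n = number
    stripped = True
    while stripped:
        stripped = False
        for prefix in DIAL_PREFIXES:
            if n.startswith(prefix) and len(n) > len(prefix):
                n = n[len(prefix):]
                stripped = True
                break
    return n


def parse_cdr(rows):
    """Turn the constructed tuples into records with parsed start times."""
    return [
        {"src": src, "dst": dst, "ip": ip,
         "start": datetime.strptime(start, "%Y-%m-%d %H:%M:%S")}
        for src, dst, ip, start in rows
    ]


def inter_call_gaps_minutes(records):
    """Minutes between consecutive call starts, rounded to whole minutes."""
    starts = sorted(r["start"] for r in records)
    return [round((b - a).total_seconds() / 60) for a, b in zip(starts, starts[1:])]


def find_distributed_probes(records, min_sources=3, min_variants=2):
    """Report destinations dialed from many peers under many prefix spellings."""
    by_dest = defaultdict(list)
    for r in records:
        by_dest[normalize_dialed(r["dst"])].append(r)

    findings = []
    for dest, recs in by_dest.items():
        sources = {r["ip"] for r in recs}
        variants = {r["dst"] for r in recs}
        if len(sources) >= min_sources and len(variants) >= min_variants:
            findings.append({
                "destination": dest,
                "calls": len(recs),
                "sources": sorted(sources),
                "variants": sorted(variants),
                "caller_ids": sorted({r["src"] for r in recs}),
                "gaps_min": inter_call_gaps_minutes(recs),
            })
    return findings


def calls_from_unknown_accounts(records, known_accounts):
    """Calls whose src/caller-ID is not a configured account on the box."""
    return [r for r in records if r["src"] not in known_accounts]


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    # Constructed list of accounts that actually exist on the PBX.
    known = {"1001", "1002"}
    for f in find_distributed_probes(recs):
        print(f"{f['destination']}: {f['calls']} calls from "
              f"{len(f['sources'])} peers, {len(f['variants'])} prefix variants, "
              f"gaps (min) {f['gaps_min']}")
    print(f"{len(calls_from_unknown_accounts(recs, known))} calls from unknown accounts")
```

Run on the post's rows this yields one cluster for 442070661000: nine calls from seven peers using eight distinct prefix spellings, inter-call gaps of roughly 37, 77, 39, 77, 81, 42, 43 and 44 minutes, and every call carrying a caller-ID that matches no configured account. Feeding the output into a peer-ACL or fail2ban-style action is the natural next step; the thresholds here are starting points to tune against a site's legitimate call mix.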
participants (1)
-
sil@infiltrated.net