
For those looking for a different type of blacklist or at least one that makes sense, please be sure to browse the VoIP Abuse Black List as things are slightly different now. VABL looks up an attacker's information via Shadowserver's lookup and appends three new fields: type of attacker, address and the letters VABL (so one can know where and how it ended up being blacklisted) and a number dialed (when appropriate).

The type of attacker field may make the biggest difference to those who decide to use this list. There are two specific entries that will appear: BRU, ADN and COM. BRU means that the host attempted to bruteforce a PBX while COM signifies that the attacker managed to compromise either a honeypot or a live machine. ADN is when an attacker places a call and is short for Attacker Dialing Numbers. Whenever you see an entry with ADN, there will be an additional field at the end with the number dialed by the attacker appended to it.

Here are three entries: a COM (someone who accessed a honeypot with a valid account), a bruteforcer and an ADN (an attacker who accessed a compromised account and tried to place a call; the number dialed is pre-pended):

85.214.23.191 | COM | VABL | 6724 | 85.214.0.0/16 | STRATO | DE | STRATOSERVER.NET | STRATO RECHENZENTRUM BERLIN
41.232.96.220 | ADN | VABL | 8452 | 41.232.96.0/22 | TE | EG | TEDATA.NET | AFRINIC | 011251912121891
93.126.35.12 | BRU | VABL | 44375 | 93.126.0.0/18 | AISDP | IR | - | ASMANFARAZ SEPAHAN ISDP

Anyhow, the list is maintained as a text file and is updated accordingly (once per day depending on my schedule).

VABL explained: http://www.infiltrated.net/index.php?option=com_content&view=article&id=17&I...
VABL list: http://www.infiltrated.net/vabl.txt

Potential scripting...

wget -qO - infiltrated.net/vabl.txt | grep '[0-9]' | awk '{print "insert your favorite firewall rule against this whole netblock "$9}'
wget -qO - infiltrated.net/vabl.txt | grep '[0-9]' | awk '{print "insert your favorite firewall rule against this one host "$1}'

Depending on one's POV, COM and ADNs are the ones to keep an eye on. These are actually making connections as opposed to checking if a door is open. I know I've stated it before, typically I see this:

bruteforce --> fire off sipvicious looking for an account
attacker --> logs into an account (this IP is RARELY if ever in any bruteforce logs)

What I find sort of funny is that today I see an attacker I guess doing research (attacker trying to make a call to 0112522200044):

41.34.68.219 | ADN | VABL | 8452 | 41.32.0.0/12 | TE | EG | - | TE DATA | 0112522200044

Attacker researching, I guess, asterisk + voip + security or so:

$ awk '/host-41.34.68.219.tedata.net/{print $1,$4,$5,$6,$7,$8,$9,$11}' access_log | head -n 1
host-41.34.68.219.tedata.net [17/Jan/2011:13:50:46 -0600] "GET /asterisk-ips.html HTTP/1.1" 200 "http://voipsecurityblog.typepad.com/marks_voip_security_blog/2009/07/a-scrip..."

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
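The one-liners in the post above split the list on whitespace and copy a field verbatim into a firewall command. The script below is an added example, not part of the original post and not code from VABL or infiltrated.net: it parses the pipe-delimited VABL format, keeps only records carrying the VABL tag and a chosen attacker type (BRU, ADN, COM), validates the host address or the netblock before it ever reaches a rule, and annotates ADN rules with the dialed number from the trailing field. The iptables rule shape, the choice of udp/5060 as the port to block, and the sample input (the three entries quoted in the post plus constructed junk and hostile lines) are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in VABL format: the three records quoted in the post,
# plus a comment line, a record without the VABL tag, and a hostile line
# crafted to show why fields are validated before becoming shell commands.
VABL_SAMPLE='85.214.23.191 | COM | VABL | 6724 | 85.214.0.0/16 | STRATO | DE | STRATOSERVER.NET | STRATO RECHENZENTRUM BERLIN
41.232.96.220 | ADN | VABL | 8452 | 41.232.96.0/22 | TE | EG | TEDATA.NET | AFRINIC | 011251912121891
93.126.35.12 | BRU | VABL | 44375 | 93.126.0.0/18 | AISDP | IR | - | ASMANFARAZ SEPAHAN ISDP
# comment lines and anything without five pipe-separated fields are ignored
203.0.113.9 | BRU | OTHER | 0 | 203.0.113.0/24 | X | ZZ | - | NOT A VABL RECORD
$(reboot) | COM | VABL | 0 | 198.51.100.0/24; reboot | X | ZZ | - | HOSTILE LIST LINE'

# vabl_rules MODE TYPES  (reads VABL records on stdin, prints iptables commands)
#   MODE  : "host" blocks the attacking address (field 1),
#           "net"  blocks the whole netblock (field 5).
#   TYPES : regex alternation on the attacker-type field, e.g. 'COM|ADN'.
# Malformed or tampered entries are emitted as "# skipped ..." comments so
# that piping the output to sh cannot execute anything that was in the list.
vabl_rules() {
  mode=$1
  types=$2
  awk -F'|' -v mode="$mode" -v types="^(${types})\$" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    # Strict dotted quad: exactly four numeric octets, each 0-255.
    function is_ip(s,   o, n, i) {
      n = split(s, o, "[.]")
      if (n != 4) return 0
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9][0-9]?[0-9]?$/ || o[i] + 0 > 255) return 0
      return 1
    }
    # address/prefix with a numeric prefix length of at most 32.
    function is_cidr(s,   p) {
      if (split(s, p, "/") != 2) return 0
      return is_ip(p[1]) && p[2] ~ /^[0-9][0-9]?$/ && p[2] + 0 <= 32
    }
    NF < 5 { next }                       # not a VABL record at all
    {
      host = trim($1); type = trim($2); tag = trim($3); net = trim($5)
      if (tag != "VABL" || type !~ types) next
      if (mode == "net") { target = net;  ok = is_cidr(target) }
      else               { target = host; ok = is_ip(target) }
      if (!ok) { print "# skipped malformed VABL entry: " trim($0); next }
      note = type
      if (type == "ADN" && NF >= 10) note = note " dialed " trim($10)
      printf "iptables -I INPUT -s %s -p udp --dport 5060 -j DROP  # VABL %s\n", target, note
    }'
}

# Dry run on the constructed sample. Against the live list (assumed URL from
# the post) one would run:  wget -qO - http://www.infiltrated.net/vabl.txt | vabl_rules host 'COM|ADN'
# and review the output before piping it to sh.
printf '%s\n' "$VABL_SAMPLE" | vabl_rules host 'COM|ADN'
```

The validation only guarantees that a line which is not a well-formed address or prefix cannot turn into a command when the output is executed; it says nothing about whether a well-formed entry deserves a block. Since the list is fetched over plain HTTP and netblock mode will happily emit a rule for something as wide as the 41.32.0.0/12 in the TE DATA entry above, read the generated rules before applying them.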

Hello,

Very nice info. Recently we have been hit by the attackers during the weekend, causing a bill of more than 100K USD. They were dialing payphone-type numbers ("dial to win") by compromising one of our DID numbers. Mostly calls were placed to Lithuania and Sierra Leone. I wish I could have seen your article before; at least I would have tried to put some restrictions in place.

But guys, buckle up, there are some gangs using sophisticated mechanisms to get into IP PBX systems. Remove all NAT with local IPs, block SIP ports and H.323 ports, if you are using Cisco upgrade to v15.12T, add a trusted gateway list.

Aali

--------------------------------------------------
From: "J. Oquendo" <sil at infiltrated.net>
Sent: Monday, January 17, 2011 11:39 PM
To: <VoiceOps at voiceops.org>
Subject: [VoiceOps] VoIP Abuse Take Two (or three, maybe even 4-5)
_______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops

Getting back to this topic... How does the list get updated (Shadowserver lookup?) Can we report IPs? Any new update on this front as hackers are getting more sophisticated...

-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of J. Oquendo
Sent: Monday, January 17, 2011 1:39 PM
To: VoiceOps at voiceops.org
Subject: [VoiceOps] VoIP Abuse Take Two (or three, maybe even 4-5)
participants (3)
- ahjawad@hotmail.com
- sil@infiltrated.net
- ujjval@simplesignal.com