[AsteriskBrasil] RES: Asterisk Vulnerability

Eder Souza eder.souza at bsd.com.br
Wed Nov 4 13:03:23 BRST 2009


It's the Asterisk log; here it is so you can see a massive attack guessing SIP users.
Notice how many users it managed to guess in just one second!!!


A sample of the log from the attack!!!

[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"0"<sip:0 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"1"<sip:1 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"2"<sip:2 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"3"<sip:3 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"4"<sip:4 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"5"<sip:5 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"6"<sip:6 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"7"<sip:7 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"8"<sip:8 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"9"<sip:9 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"10"<sip:10 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"11"<sip:11 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"12"<sip:12 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"13"<sip:13 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"14"<sip:14 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"15"<sip:15 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"16"<sip:16 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"17"<sip:17 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"18"<sip:18 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"19"<sip:19 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"20"<sip:20 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"21"<sip:21 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"22"<sip:22 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"23"<sip:23 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"24"<sip:24 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"25"<sip:25 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"26"<sip:26 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"27"<sip:27 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"28"<sip:28 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"29"<sip:29 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"30"<sip:30 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"31"<sip:31 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"32"<sip:32 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"33"<sip:33 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"34"<sip:34 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"35"<sip:35 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"36"<sip:36 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"37"<sip:37 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"38"<sip:38 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"39"<sip:39 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"40"<sip:40 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"41"<sip:41 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"42"<sip:42 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"43"<sip:43 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"44"<sip:44 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"45"<sip:45 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"46"<sip:46 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"47"<sip:47 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"48"<sip:48 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"49"<sip:49 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"50"<sip:50 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"51"<sip:51 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"52"<sip:52 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"53"<sip:53 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"54"<sip:54 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"55"<sip:55 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"56"<sip:56 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"57"<sip:57 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"58"<sip:58 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"59"<sip:59 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:27] NOTICE[2751] chan_sip.c: Registration from '"60"<sip:60 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:27] NOTICE[2751] chan_sip.c: Registration from '"61"<sip:61 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:27] NOTICE[2751] chan_sip.c: Registration from '"62"<sip:62 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:27] NOTICE[2751] chan_sip.c: Registration from '"63"<sip:63 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:27] NOTICE[2751] chan_sip.c: Registration from '"64"<sip:64 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:27] NOTICE[2751] chan_sip.c: Registration from '"65"<sip:65 em IP>'
failed for '208.38.164.96' - No matching peer found
[Oct 12 09:31:27] NOTICE[2751] chan_sip.c: Registration from '"66"<sip:66 em IP>'
failed for '208.38.164.96' - No matching peer found



Tracing the bad guy's IP

Hostname:208.38.164.96
ISP:E Solutions Corporation
Organization:LIGHTPORT
Proxy:None detected
Type:Corporate


Geo-Location Information
Country:United States
State/Region:FL
City:Holiday
Latitude:28.1994
Longitude:-82.7681
Area Code:727

Regards,


Eng Eder de Souza
2009/11/4 Luciano Antonio Borguetti Faustino <lucianoborguetti.listas at gmail.com>

> Eder,
>
> Entry attempts through port 5060/udp?
> Which log would that be, your firewall's or Asterisk's?
>
> Cheers,
>
> 2009/11/3 eder souza <ederwander at yahoo.com.br>
>
>>   I also think it's human error. Two weeks ago I caught, in a log, attempts
>> to get in through port 5060, but the guy didn't succeed!!!
>>
>> Eng Eder de Souza
>>
>> --- On *Tue, 20/10/09, Zavam, Vinícius <egypcio at secrel.com.br>* wrote:
>>
>>
>> From: Zavam, Vinícius <egypcio at secrel.com.br>
>> Subject: Re: [AsteriskBrasil] RES: Asterisk Vulnerability
>>
>> To: asteriskbrasil at listas.asteriskbrasil.org
>> Date: Tuesday, October 20, 2009, 22:40
>>
>>
>> Quoting Josué Conti:
>>
>> > Could it be the allowguest parameter set to yes?
>> >
>> > 2009/10/20 Alexandre Ricardo Souza Silva <alexandre at componentizar.com.br>:
>> >> Rafael,
>> >>
>> >>                 Could you describe your environment, e.g. whether your
>> >> IP PBX is on the web or not, etc.
>> >>
>> >>                 I look forward to your reply.
>> >>
>> >> Cheers,
>> >> Alexandre
>> >>
>> >>
>> >>
>> >>
>> >> ----- Original Message -----
>> >> From: Rafael Alves Machado
>> >> To: asteriskbrasil at listas.asteriskbrasil.org
>> >> Sent: Tuesday, October 20, 2009 5:14 PM
>> >> Subject: [AsteriskBrasil] RES: Asterisk Vulnerability
>> >>
>> >> The attack was a flaw in Asterisk's security, something to do with SSL. I
>> >> called trixbox support in the USA and that is what they told me. I use
>> >> trixbox 2.6.2.2, Asterisk 1.6. As soon as I capture the log I'll forward it,
>> >> but it is basically like this: the person breaks into the server, manages to
>> >> create an extension and makes numerous calls all over the world. We traced
>> >> the IP that was accessing it and it was from China; he somehow managed to
>> >> get in through port 5060 and its derivatives.
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> Rafael
>> >>
>> >>
>> >>
>> >> From: asteriskbrasil-bounces at listas.asteriskbrasil.org
>> >> [mailto:asteriskbrasil-bounces at listas.asteriskbrasil.org] On behalf of
>> >> Roniton Rezende Oliveira
>> >> Sent: Tuesday, October 20, 2009 17:21
>> >> To: asteriskbrasil at listas.asteriskbrasil.org
>> >> Subject: Re: [AsteriskBrasil] Asterisk Vulnerability
>> >>
>> >>
>> >>
>> >> How did the attack happen? Do you have a log!!
>> >> Is your system up to date?
>> >> Is your firewall properly configured?
>> >>
>> >> Roniton Oliveira
>> >>
>> >> 2009/10/20 Giancarlo Rubio <gianrubio at gmail.com>
>> >>
>> >> 2009/10/20 Rafael Alves Machado <rafael at aflsistemas.com.br>:
>> >>
>> >>> Folks, I had a problem last week, and this week a friend
>> >>> went through the same problem: an access due to a security flaw
>> >>> in Asterisk allowed a remote user to access the IP PBX and make
>> >>> calls to several countries, and also to create SIP extensions on the
>> >>> PBX to make the calls.
>> >>
>> >> What is the flaw?
>>
>> human, probably.
>>
>> >>
>> >> --
>> >> Giancarlo Rubio
>>
>> I'm not seeing any plausible justification that would lead me to believe otherwise.
>> So far, I mean.
>>
>> $ /usr/local/etc/rc.d/flames.sh > /dev/null
>>
>>
>>
>> ---------------------
>> Webmail SecrelNet
>>
>>
>>
>> _______________________________________________
>> http://www.voipmania.com.br
>> Gigaset A580IP cordless IP phone for 6 x R$59,90.
>> Limited-time offer!
>> Visit now http://promo.voipmania.com.br
>>
>> _______________________________________________
>> AsteriskBrasil.org mailing list
>> AsteriskBrasil at listas.asteriskbrasil.org
>> http://listas.asteriskbrasil.org/mailman/listinfo/asteriskbrasil
>>
>
>
>
> --
> #!/bin/bash
>
> Luciano Antonio Borguetti Faustino
> GNU/Linux user number: 339110
> ICQ UIN number: 82092097 - ICQ still active :)
> http://lucianoborguetti.blogspot.com
>
> Prejudice is opinion without knowledge.
>
> :wq
>
>
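
Added example, not part of the original thread: one way to detect the username-guessing pattern shown in the log above, by counting distinct unknown usernames per source IP inside a short time window. The function names, the 10-second window, the 20-user threshold and the sample log (documentation addresses 203.0.113.7, 198.51.100.20 and 192.0.2.10) are all assumptions constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# chan_sip registration failure. \s+ tolerates the mail-wrapped lines above, and
# the user/host separator may be "@" or the list archive's " em " obfuscation.
FAIL_RE = re.compile(
    r"\[(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\]\s+NOTICE\[\d+\]\s+chan_sip\.c:\s+Registration\s+from\s+"
    r"'(?:\"[^\"]*\")?\s*<sip:(?P<user>[^@\s>]+)(?:@|\s+em\s+)[^>]*>'\s+"
    r"failed\s+for\s+'(?P<ip>[\d.]+)(?::\d+)?'\s+-\s+(?P<reason>[^\n\[]+)")

def parse_failures(text):
    """Return (timestamp, source_ip, username, reason) per failed REGISTER."""
    return [(datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # log carries no year
             m["ip"], m["user"], m["reason"].strip())
            for m in FAIL_RE.finditer(text)]

def find_enumeration(events, window=timedelta(seconds=10), min_users=20):
    """Map source IP -> peak count of distinct unknown usernames in any window."""
    by_ip = defaultdict(list)
    for ts, ip, user, reason in events:
        if reason == "No matching peer found":   # unknown user, not a bad password
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start = peak = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, len({u for _, u in hits[start:end + 1]}))
        if peak >= min_users:
            flagged[ip] = peak
    return flagged

def build_sample():
    """Constructed log: one scanner (203.0.113.7) and one misconfigured phone."""
    head = "[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from "
    out = []
    for n in range(30):
        if n % 2:   # wrapped and obfuscated, as in the archived mail
            out.append(f"{head}'\"{n}\"<sip:{n} em IP>'\nfailed for '203.0.113.7' - No matching peer found")
        else:       # on one line with "@", as in an unwrapped log file
            out.append(f"{head}'\"{n}\"<sip:{n}@192.0.2.10>' failed for '203.0.113.7' - No matching peer found")
    out.append(f"{head}'<sip:2001@192.0.2.10>' failed for '198.51.100.20' - Wrong password")
    out.append(f"{head}'<sip:2010@192.0.2.10>' failed for '198.51.100.20' - No matching peer found")
    return "\n".join(out)

if __name__ == "__main__":
    for ip, users in find_enumeration(parse_failures(build_sample())).items():
        print(f"{ip}: {users} distinct unknown usernames within 10 s")
```

Only the scanning address is flagged; the phone with one wrong password and one mistyped extension stays below the threshold.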