[AsteriskBrasil] RE: Asterisk Vulnerability

Ciro Brandão ciro em uwc32.com.br
Wednesday November 4 13:24:22 BRST 2009


Was http://208.38.164.96 really an attack, or was it some administrator who
used a wrong configuration in his panel?

From what I'm seeing, it is a panel that connected, or at least tried to
connect, to the wrong server.


Regards,

Ciro


2009/11/4 Eder Souza <eder.souza em bsd.com.br>

> The Asterisk log follows so you can see a massive attack kicking SIP users;
> notice how many users it managed to kick in just one second!!!
>
>
> A sample of the log relating to the attack!!!
>
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"0"<sip:0 em IP>'
> failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"1"<sip:1 em IP>'
> failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"2"<sip:2 em IP>'
> failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"3"<sip:3 em IP>'
> failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"4"<sip:4 em IP>'
> failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"5"<sip:5 em IP>'
> failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"6"<sip:6 em IP>'
> failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"7"<sip:7 em IP>'
> failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"8"<sip:8 em IP>'
> failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '"9"<sip:9 em IP>'
> failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"10"<sip:10 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"11"<sip:11 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"12"<sip:12 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"13"<sip:13 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"14"<sip:14 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"15"<sip:15 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"16"<sip:16 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"17"<sip:17 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"18"<sip:18 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"19"<sip:19 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"20"<sip:20 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"21"<sip:21 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"22"<sip:22 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"23"<sip:23 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"24"<sip:24 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"25"<sip:25 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"26"<sip:26 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"27"<sip:27 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"28"<sip:28 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"29"<sip:29 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"30"<sip:30 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"31"<sip:31 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"32"<sip:32 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"33"<sip:33 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"34"<sip:34 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"35"<sip:35 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"36"<sip:36 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"37"<sip:37 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"38"<sip:38 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"39"<sip:39 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"40"<sip:40 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"41"<sip:41 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"42"<sip:42 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"43"<sip:43 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"44"<sip:44 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"45"<sip:45 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"46"<sip:46 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"47"<sip:47 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"48"<sip:48 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"49"<sip:49 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"50"<sip:50 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"51"<sip:51 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"52"<sip:52 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"53"<sip:53 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"54"<sip:54 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"55"<sip:55 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"56"<sip:56 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"57"<sip:57 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"58"<sip:58 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from
> '"59"<sip:59 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:27] NOTICE[2751] chan_sip.c: Registration from
> '"60"<sip:60 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:27] NOTICE[2751] chan_sip.c: Registration from
> '"61"<sip:61 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:27] NOTICE[2751] chan_sip.c: Registration from
> '"62"<sip:62 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:27] NOTICE[2751] chan_sip.c: Registration from
> '"63"<sip:63 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:27] NOTICE[2751] chan_sip.c: Registration from
> '"64"<sip:64 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:27] NOTICE[2751] chan_sip.c: Registration from
> '"65"<sip:65 em IP>' failed for '208.38.164.96' - No matching peer found
> [Oct 12 09:31:27] NOTICE[2751] chan_sip.c: Registration from
> '"66"<sip:66 em IP>' failed for '208.38.164.96' - No matching peer found
>
>
>
> Tracing the bad guy's IP
>
> Hostname:208.38.164.96
> ISP:E Solutions Corporation
> Organization:LIGHTPORT
> Proxy:None detected
> Type:Corporate
>
>
> Geo-Location Information
> Country:United States
> State/Region:FL
> City:Holiday
> Latitude:28.1994
> Longitude:-82.7681
> Area Code:727
>
> []'s
>
>
> Eng Eder de Souza
> 2009/11/4 Luciano Antonio Borguetti Faustino <
> lucianoborguetti.listas em gmail.com>
>
>> Eder,
>>
>> Login attempts on port 5060/udp?
>> Which log would that be, from your firewall or from Asterisk?
>>
>> Cheers,
>>
>> 2009/11/3 eder souza <ederwander em yahoo.com.br>
>>
>>> I also think it's human error; two weeks ago I caught a log of attempted
>>> logins through port 5060, but the guy had no success!!!
>>>
>>> Eng Eder de Souza
>>>
>>> --- On *Tue, 20/10/09, Zavam, Vinícius <egypcio em secrel.com.br>* wrote:
>>>
>>>
>>> From: Zavam, Vinícius <egypcio em secrel.com.br>
>>> Subject: Re: [AsteriskBrasil] RE: Asterisk Vulnerability
>>>
>>> To: asteriskbrasil em listas.asteriskbrasil.org
>>> Date: Tuesday, October 20, 2009, 22:40
>>>
>>>
>>> Quoting Josué Conti:
>>>
>>> > Could it be the allowguest parameter set to yes?
>>> >
>>> > 2009/10/20 Alexandre Ricardo Souza Silva <alexandre em componentizar.com.br>:
>>> >> Rafael,
>>> >>
>>> >> Could you describe your environment, for example whether your IP PBX
>>> >> is exposed on the web or not, etc.
>>> >>
>>> >> I'll be waiting.
>>> >>
>>> >> Cheers
>>> >> Alexandre
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> ----- Original Message -----
>>> >> From: Rafael Alves Machado
>>> >> To: asteriskbrasil em listas.asteriskbrasil.org
>>> >> Sent: Tuesday, October 20, 2009 5:14 PM
>>> >> Subject: [AsteriskBrasil] RE: Asterisk Vulnerability
>>> >>
>>> >> The attack was a security flaw in Asterisk, something to do with SSL; I
>>> >> called trixbox support in the USA and that is what they told me. I use
>>> >> trixbox 2.6.2.2 with Asterisk 1.6. As soon as I capture the log I'll
>>> >> forward it, but it goes basically like this: the person breaks into the
>>> >> server, manages to create an extension and makes many calls all over the
>>> >> world. We traced the IP that was accessing it and it was from China; he
>>> >> somehow managed to get in through port 5060 and its derivatives.
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> Rafael
>>> >>
>>> >>
>>> >>
>>> >> From: asteriskbrasil-bounces em listas.asteriskbrasil.org
>>> >> [mailto:asteriskbrasil-bounces em listas.asteriskbrasil.org] On behalf of Roniton
>>> >> Rezende Oliveira
>>> >> Sent: Tuesday, October 20, 2009 17:21
>>> >> To: asteriskbrasil em listas.asteriskbrasil.org
>>> >> Subject: Re: [AsteriskBrasil] Asterisk Vulnerability
>>> >>
>>> >>
>>> >>
>>> >> How did the attack happen? Do you have a log!!
>>> >> Is your system up to date?
>>> >> Is your firewall properly configured?
>>> >>
>>> >> Roniton Oliveira
>>> >>
>>> >> 2009/10/20 Giancarlo Rubio <gianrubio em gmail.com>
>>> >>
>>> >> 2009/10/20 Rafael Alves Machado <rafael em aflsistemas.com.br>:
>>> >>
>>> >>> Folks, I went through a problem last week and this week a friend of
>>> >>> mine went through the same problem: an access due to a security flaw
>>> >>> in Asterisk allowed a remote user to get into the IP PBX and make calls
>>> >>> to several countries, and on top of that create SIP extensions on the
>>> >>> PBX to make the calls.
>>> >>
>>> >> Which flaw?
>>>
>>> Human, probably.
>>>
>>> >>
>>> >> --
>>> >> Giancarlo Rubio
>>>
>>> I don't see any plausible justification that would lead me to believe
>>> otherwise.
>>> That is, so far.
>>>
>>> $ /usr/local/etc/rc.d/flames.sh > /dev/null
>>>
>>>
>>>
>>> ---------------------
>>> Webmail SecrelNet
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> AsteriskBrasil.org discussion list
>>> AsteriskBrasil em listas.asteriskbrasil.org
>>> http://listas.asteriskbrasil.org/mailman/listinfo/asteriskbrasil
>>>
>>>
>>>
>>
>>
>>
>> --
>> #!/bin/bash
>>
>> Luciano Antonio Borguetti Faustino
>> GNU/Linux user number: 339110
>> ICQ UIN number: 82092097 - ICQ still going strong :)
>> http://lucianoborguetti.blogspot.com
>>
>> Prejudice is opinion without knowledge.
>>
>> :wq
>>
>>
>>
>
>
>
>



-- 
Regards,

Ciro M. Brandão

CONTACT
Mobile: +55 (75) 8835-1778
MSN: cirobrandao em gmail.com
Skype: ciro.uwc32
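The burst in Eder's log (dozens of failed REGISTER attempts for sequential usernames, all from one address, inside a single second) is the pattern a log monitor should flag, which answers Luciano's question about where to look. The script below is an added example, not code from the thread, from Asterisk or from trixbox: it parses chan_sip NOTICE lines of that shape, counts failures per source address per second and reports sources over a threshold. The sample lines are constructed with documentation-range addresses, not the ones posted.

```python
import re
from collections import defaultdict

# Matches the chan_sip registration-failure NOTICE lines quoted in the thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<src>[\d.]+)(?::\d+)?' - (?P<reason>.*)$"
)
USER_RE = re.compile(r"<sip:([^@>]+)@")  # username part of the From URI

def parse_line(line):
    """Return (timestamp, source_ip, attempted_user, reason), or None if not a match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = USER_RE.search(m.group("from"))
    user = u.group(1) if u else m.group("from")
    return m.group("ts"), m.group("src"), user, m.group("reason")

def find_bursts(lines, threshold=20):
    """Count failed registrations per (source IP, second). Return
    {src_ip: {"max_per_second": n, "users": [...]}} for every source that
    produced more than `threshold` failures inside a single second."""
    per_second = defaultdict(int)
    users = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # other log lines (VERBOSE, WARNING, ...) are ignored
        ts, src, user, _ = rec
        per_second[(src, ts)] += 1
        users[src].append(user)
    alerts = {}
    for (src, ts), n in per_second.items():
        if n > threshold:
            cur = alerts.setdefault(src, {"max_per_second": 0, "users": users[src]})
            cur["max_per_second"] = max(cur["max_per_second"], n)
    return alerts

# Constructed sample in the shape of the thread's log; addresses are from
# documentation ranges, not the ones in the mailing-list post.
SAMPLE = [
    f"[Oct 12 09:31:26] NOTICE[2751] chan_sip.c: Registration from '\"{i}\"<sip:{i}@192.0.2.5>'"
    " failed for '198.51.100.7' - No matching peer found" for i in range(25)
] + [
    "[Oct 12 09:31:40] NOTICE[2751] chan_sip.c: Registration from '\"201\"<sip:201@192.0.2.5>'"
    " failed for '203.0.113.9' - Wrong password",
    "[Oct 12 09:31:41] VERBOSE[2751] logger.c: unrelated line",
]
```

Run `find_bursts(open("/var/log/asterisk/messages"))` to apply it to a real log; a burst of sequential usernames from one address is an enumeration scan, while a single "Wrong password" against an existing extension is an ordinary mistyped credential.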