New Voip Wardialing Threat from "BenQ Telecom" (?)

tel0p

Been noticing some unknown traffic on my CDR of late. 44 calls (this month) all under 20 seconds. Below is a sample of the CDR of this month (January09) with 'CHANNEL' specified as 'BenQ Telecom':

Code:
1. 2009-01-28 14:07:06     SIP/96.9.1...    BenQ Telecom      "BenQ Telecom"  s      ANSWERED      00:13
8. 2009-01-28 06:11:18     SIP/66.232...    BenQ Telecom      "BenQ Telecom"  s      ANSWERED      00:12
21. 2009-01-27 17:03:47    SIP/66.232...    BenQ Telecom      "BenQ Telecom"  s      ANSWERED      00:12
As can be seen the 'destination' is 's'. Looking at /var/log/asterisk/full I see this:

Code:
[2009-01-28 14:07:06] VERBOSE[5727] logger.c: -- Executing [9010380445945257@from-sip-external:1] NoOp("SIP/96.9.135.21-b7d102a8", "Received incoming SIP connection from unknown peer to 9010380445945257") in new stack
[2009-01-28 14:07:06] VERBOSE[5727] logger.c: -- Executing [9010380445945257@from-sip-external:2] Set("SIP/96.9.135.21-b7d102a8", "DID=9010380445945257") in new stack
[2009-01-28 14:07:06] VERBOSE[5727] logger.c: -- Executing [9010380445945257@from-sip-external:3] Goto("SIP/96.9.135.21-b7d102a8", "s|1") in new stack
[2009-01-28 14:07:06] VERBOSE[5727] logger.c:     -- Goto (from-sip-external,s,1)
[2009-01-28 14:07:06] VERBOSE[5727] logger.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/96.9.135.21-b7d102a8", "0?from-trunk|9010380445945257|1") in new stack
[2009-01-28 14:07:06] VERBOSE[5727] logger.c: -- Executing [s@from-sip-external:2] Set("SIP/96.9.135.21-b7d102a8", "TIMEOUT(absolute)=15") in new stack
[2009-01-28 14:07:06] VERBOSE[5727] logger.c:     -- Channel will hangup at 2009-01-28 22:07:21 UTC.
It should be noted that I have 'Allow anonymous SIP calls' set to 'NO' in General Settings.
Googling really only provides results from Cisco router customers noting similar inbound behavior on port 5060 (SIP), as seen here.

Just thought I'd post this as a starting point in case others begin to see this behavior.

Side question: What's the easiest way to (completely) IP ban someone? iptables? easy rule? router level?
 
Someone's just posted on the asterisk users mailing list with the same thing.
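Added example, not part of the original thread: a small Python parser that groups the "unknown peer" entries shown in the first post's /var/log/asterisk/full excerpt by source IP, so repeat sources stand out as candidates for a firewall block. The sample lines are constructed (documentation IP ranges), and the function names and the threshold are assumptions of this example.

```python
import re

# Matches priority 1 of from-sip-external, the NoOp that logs an INVITE
# from a peer Asterisk does not recognise (format as in the post's excerpt).
UNKNOWN_PEER = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] VERBOSE\[\d+\] \S+\s+-- Executing '
    r'\[(?P<exten>[^@\]]+)@from-sip-external:1\] '
    r'NoOp\("SIP/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-[0-9a-f]+", '
    r'"Received incoming SIP connection from unknown peer'
)

# Constructed sample input: same line layout as the post, but with
# documentation addresses (192.0.2.0/24, 198.51.100.0/24) as sources.
SAMPLE_LOG = """\
[2009-01-28 06:11:18] VERBOSE[5701] logger.c: -- Executing [9010380445945257@from-sip-external:1] NoOp("SIP/192.0.2.10-b7d00001", "Received incoming SIP connection from unknown peer to 9010380445945257") in new stack
[2009-01-28 06:11:18] VERBOSE[5701] logger.c: -- Executing [s@from-sip-external:2] Set("SIP/192.0.2.10-b7d00001", "TIMEOUT(absolute)=15") in new stack
[2009-01-28 14:07:06] VERBOSE[5727] logger.c: -- Executing [9010380445945257@from-sip-external:1] NoOp("SIP/192.0.2.10-b7d00002", "Received incoming SIP connection from unknown peer to 9010380445945257") in new stack
[2009-01-28 17:03:47] VERBOSE[5733] logger.c: -- Executing [900442071234567@from-sip-external:1] NoOp("SIP/198.51.100.7-b7d00003", "Received incoming SIP connection from unknown peer to 900442071234567") in new stack
"""

def summarize(lines):
    """Return {ip: {"count", "extens", "first", "last"}} for unknown-peer calls."""
    hits = {}
    for line in lines:
        m = UNKNOWN_PEER.match(line.strip())
        if not m:
            continue  # other dialplan steps and unrelated log lines
        rec = hits.setdefault(
            m["ip"], {"count": 0, "extens": set(), "first": m["ts"], "last": m["ts"]})
        rec["count"] += 1
        rec["extens"].add(m["exten"])          # numbers the caller tried to dial
        rec["first"] = min(rec["first"], m["ts"])  # ISO timestamps sort as strings
        rec["last"] = max(rec["last"], m["ts"])
    return hits

def repeat_sources(hits, threshold=2):
    """Source IPs seen at least `threshold` times (threshold is an assumed value)."""
    return sorted(ip for ip, rec in hits.items() if rec["count"] >= threshold)

if __name__ == "__main__":
    for ip, rec in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(ip, rec["count"], rec["first"], rec["last"], sorted(rec["extens"]))
```

To run it against a live system, pass the lines of /var/log/asterisk/full to `summarize()` instead of the sample.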
 
