Possible Attack?

I have over the past few days noticed in the logs that IP addresses
194.28.112.31 and
64.6.241.8

are both showing calls coming in from CLID asterisk, with the source also being the same.

These IPs do not seem to be anything we would have had as a remote IP.

The calls are only lasting a few seconds, less than 30 seconds to be exact.

Any suggestions?
 
Here is the result from a whois on that address. You probably don't want them making calls on your system.

whois 194.28.112.31
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '194.28.112.0 - 194.28.115.255'

inetnum: 194.28.112.0 - 194.28.115.255
netname: Specialist-ISP-PI2
descr: Specialist, Ltd.
country: MD
org: ORG-SL206-RIPE
admin-c: VP2841-RIPE
tech-c: AB16163-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: SPECIALIST-MNT
mnt-routes: SPECIALIST-MNT
mnt-domains: SPECIALIST-MNT
source: RIPE # Filtered

organisation: ORG-SL206-RIPE
org-name: Specialist, Ltd
org-type: OTHER
descr: Specialist, Ltd, Rybnitsa, MD
address: I. Soltysa 12, Rybnitsa, MD
phone: +373-777-12921
phone: +373-693-18189
phone: +373-777-65071
fax-no: +373-555-43073
mnt-ref: MONITORING-MNT
abuse-mailbox: [email protected]
mnt-by: SPECIALIST-MNT
source: RIPE # Filtered

person: Vladimir Pilan
address: I. Soltysa 12, Rybnitsa, MD
phone: +373-777-12921
fax-no: +373-555-43073
nic-hdl: VP2841-RIPE
source: RIPE # Filtered
mnt-by: SPECIALIST-MNT

person: Anatoly Belitsky
address: I. Soltysa 12, Rybnitsa, MD
phone: +373-777-65071
fax-no: +373-555-43073
nic-hdl: AB16163-RIPE
source: RIPE # Filtered
mnt-by: SPECIALIST-MNT

% Information related to '194.28.112.0/22AS48691'

route: 194.28.112.0/22
descr: Specialst-route2
origin: AS48691
mnt-by: SPECIALIST-MNT
source: RIPE # Filtered
 
I do not believe I am using it.

But I guess how do I tell if they are making calls? It just shows asterisk, for both the CLID and the destination.
 
You should be able to tell from /var/log/asterisk/full. That is the Asterisk log file.
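
One way to pull the probing addresses out of that log, as an added example that is not part of the original thread: it counts chan_sip "Registration from ... failed for ..." NOTICE lines per source IP and skips networks you trust. The sample log lines, the documentation-range addresses and the trusted network are constructed for illustration; on a real system you would pass the lines of /var/log/asterisk/full instead.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# chan_sip logs a rejected REGISTER as a NOTICE line; newer Asterisk
# versions append ":port" to the source address, so that part is optional.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\].*?chan_sip\.c:.*?"
    r"Registration from '(?P<sender>.*)' failed for "
    r"'(?P<ip>[0-9.]+)(?::\d+)?' - (?P<reason>.*)$"
)

def failed_registrations(lines, trusted=()):
    """Return [(source_ip, count), ...] for failed REGISTERs, busiest first.

    `trusted` is a list of CIDR strings (your own phones, your provider)
    whose failures are ignored, e.g. a handset with a mistyped password.
    """
    nets = [ip_network(n) for n in trusted]
    hits = Counter()
    for line in lines:
        m = FAILED_REG.match(line.strip())
        if not m:
            continue
        try:
            addr = ip_address(m.group("ip"))
        except ValueError:  # malformed address in the log line
            continue
        if any(addr in n for n in nets):
            continue
        hits[str(addr)] += 1
    return hits.most_common()

# Constructed sample lines (not taken from any real system).
SAMPLE_LOG = """\
[2011-01-09 11:14:45] NOTICE[2578] chan_sip.c: Registration from '"100" <sip:100@198.51.100.20>' failed for '203.0.113.31' - No matching peer found
[2011-01-09 11:14:46] NOTICE[2578] chan_sip.c: Registration from '"101" <sip:101@198.51.100.20>' failed for '203.0.113.31' - No matching peer found
[2011-01-09 11:15:02] NOTICE[2578] chan_sip.c: Registration from '"201" <sip:201@198.51.100.20>' failed for '192.0.2.8:5071' - Wrong password
[2011-01-09 11:16:10] NOTICE[2578] chan_sip.c: Registration from '"300" <sip:300@198.51.100.20>' failed for '198.51.100.77' - Wrong password
[2011-01-09 11:17:00] NOTICE[2578] chan_sip.c: Peer '201' is now UNREACHABLE!  Last qualify: 12
""".splitlines()

if __name__ == "__main__":
    # Assumed trusted network: the office LAN / known remote phones.
    for ip, count in failed_registrations(SAMPLE_LOG, trusted=["198.51.100.0/24"]):
        print(f"{ip}\t{count} failed registrations")
```

Addresses that show up here and are not yours are candidates for a firewall block, or a sign that SIP should only be reachable from a whitelist.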
 
You might want to give the whitelist script a try. I was getting hit several times a day with unsuccessful hack attempts and now I get zero attempts with the whitelist script.

As a side note, I just don't understand why most VOIP providers want their customers to use SIP.

SIP requires your firewall to be open on several ports, IAX does not.

SIP/Asterisk has the issue of blocking ALL calls (VOIP, POTS, Extension-Extension) when the Internet connection drops. IAX does not have this issue.

Maybe someone can explain why SIP is recommended more often.
 
IAX is new, related to the open source Asterisk and most providers don't use open source and are brought up on the closed source equipment which doesn't like anything free and open source. If there's no money to be made through licensing, then they most likely won't support it.
 
Same IP address having a go on my system in the UK.
Last 'attack' was 2011-01-09 11:14:45
 
Same here.

These IP addresses are evil:

 
Are you using the firewall-whitelist script?
Where would one obtain this script? Curious about it as I've also been getting a lot of calls from "asterisk" lately. I believe the reason these are coming in is because I am allowing anonymous SIP inbound (seems to be a requirement for CallCentric trunks). Not sure about that.
 
