Why are the hackers scanning for these?


Hey, I’m going thru logs, and I see some very common and interesting things
that the hackers are looking for.

In a whole bunch of scans, I’ve noticed that the first guess or two for sip accounts
is usually a 10-digit number. I’m asking myself, why these numbers? Are they looking
for a voip trunk? Or is it just like a serial number for the scan? What?

Here are some examples:

2648061411
3190339404
2685608247
3358171034
2092652562
2206598858

Just trying to follow the advice: “Know thy Enemy”

murf

Steve Murphy

ParseTree Corp.

57 Lane 17

Cody, WY 82414

murf@parsetree.com

☎ 307-899-5535

8 thoughts on - Why are the hackers scanning for these?

  • I’m getting exactly the same. Odds of getting a working number are like the odds of winning the lottery.
    My guess is they are either trying to find a voip trunk, or they are trying to make cold calls to the extensions on my system. Sales or something similar.

  • My guess is they are looking for 10 digit phone numbers as extensions.

    Are they all from 1 IP address or from many? If from many, they are likely many serial scans or from a list of suspected VOIP numbers. If from one, and that random, then from a list of suspected VOIP numbers.

    Since you listed a phone number as part of your signature… I might guess hackers might soon add that number to a scan list.

    It is one thing to randomly run 2,XXX-,XXXX to 999-999-9999, with skips for the “dead zones,” (0-XXX-XXX-XXXX) etc. but another to hit suspected VOIP numbers.

    Cary Fitch

    _____

    asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Steve Murphy
    Sent: Sunday, November 07, 2010 8:12 AM

  • _____

    asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Dan Journo
    Sent: Sunday, November 07, 2010 8:33 AM
    We got pounded last weekend, but installed a list of distant IPs in IPTABLES
    and see nothing this weekend.

    We have no need to be contacted by any sites more than 2500 miles away, and
    not too many from within 2500 miles. 😉

    Cary Fitch

  • I’ve just switched my outbound ip address a week ago. Not static, but
    dhcp on TimeWarner cable. I’ve registered only with another of our
    offices. The outbound calls are all pstn bound through Teliax.

    But somehow my log is filling up with registration requests over this
    new ip address from a bunch of addresses. How can these guys find my
    new ip address? Or are they just scanning all ip addresses in
    creation?

    sean

  • It’s SIPVicious. Before it starts its sequential scan, it makes sure
    that it can tell the difference between a valid peer and an unknown one.

    It tries two random peers, expecting a 404 response to at least one (most
    likely both) of them. Then, if it later gets a 401 during the sequential
    scan, it knows it’s found a good peer name that can be targeted for
    password guessing.

    On the other hand, if both random guesses elicit 401 responses to
    REGISTERs, it knows that it can’t winnow out the real peers, and (normally)
    just gives up right there. That’s why ‘alwaysauthreject’ is so effective
    at stopping the attacks (as opposed to blocking them). But if the attacker
    uses the ‘--force’ option, which causes the scan to press on regardless, or
    something other than SIPVicious, only something like fail2ban will help,
    but that won’t save your bandwidth like ‘alwaysauthreject’ will.
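A defender-side way to put the observation in this comment to work, as an added example that is not code from the thread or from the Asterisk project: a small Python parser over constructed Asterisk-style registration-failure log lines that groups attempts by source address, spots the “two random 10-digit names first” calibration step described above, and lists which peer names a scanner has already confirmed (a “Wrong password” failure means the name exists, which is exactly the 401 the scanner is hunting for). The log line format (modelled on chan_sip NOTICE messages), the RFC 5737 addresses, the usernames and the threshold are all assumptions; it complements `alwaysauthreject=yes` in sip.conf and a fail2ban jail rather than replacing them.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Asterisk chan_sip NOTICE messages.
# Addresses are RFC 5737 documentation ranges and the usernames are made up;
# nothing here is taken from the thread's own logs.
SAMPLE_LOG = """\
[Nov  7 08:01:02] NOTICE[1234] chan_sip.c: Registration from '"2648061411" <sip:2648061411@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[Nov  7 08:01:02] NOTICE[1234] chan_sip.c: Registration from '"3190339404" <sip:3190339404@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[Nov  7 08:01:03] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[Nov  7 08:01:03] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[Nov  7 08:01:03] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Nov  7 08:01:04] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Nov  7 08:15:40] NOTICE[1234] chan_sip.c: Registration from '"office2" <sip:office2@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
"""

# Assumed line shape: ... Registration from '"<user>" <sip:<user>@host>' failed for '<ip>[:port]' - <reason>
FAIL_RE = re.compile(
    r"Registration from '.*?<sip:(?P<user>[^@>]+)@[^>]*>' "
    r"failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$"
)

# Assumption: a bare 10-digit numeric name is a "random" calibration guess.
TEN_DIGITS = re.compile(r"^\d{10}$")


def parse_failures(log_text):
    """Return one dict (user, ip, reason) per failed-registration line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def probe_pattern(users):
    """True if the first two names tried from a source are both 10-digit numbers:
    the 'try two random peers before the sequential scan' step the comment describes."""
    return len(users) >= 2 and all(TEN_DIGITS.match(u) for u in users[:2])


def summarize(events, threshold=5):
    """Group failures by source IP and derive per-source indicators."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    report = {}
    for ip, evs in by_ip.items():
        users = [ev["user"] for ev in evs]
        # 'Wrong password' means the peer name exists on this box: the scanner
        # has found a real account and is now guessing its secret.
        confirmed = sorted({ev["user"] for ev in evs if ev["reason"] == "Wrong password"})
        unknown = sum(1 for ev in evs if ev["reason"] == "No matching peer found")
        probing = probe_pattern(users)
        report[ip] = {
            "total": len(evs),
            "unknown_peer": unknown,
            "confirmed_peers": confirmed,
            "probe_pattern": probing,
            # Flag on volume or on the calibration signature, whichever comes first.
            "flagged": len(evs) >= threshold or probing,
        }
    return report


if __name__ == "__main__":
    for ip, info in summarize(parse_failures(SAMPLE_LOG)).items():
        print(ip, info)
```

The `confirmed_peers` list is the part worth acting on: those names are the ones a scanner would move on to password guessing, so they are the accounts whose secrets should be strong and whose source addresses are worth feeding to fail2ban or iptables.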

  • Adding on more thoughts:

    Think what Google has done in Mapping the Earth, Mapping the Web, and now
    working on Google Voice and Google Mail.

    Every one of those makes money either directly and/or synergistically with
    other components.

    Now consider someone with “telephone” interests or spam interests. In this
    modern database and filtering and probing age, load in ARIN or RIPE IP
    Ranges, start building database data and filters, and let it run…

    And the other IP areas too.

    Cary

  • All makes me think of forcing an ip address change each night by
    spoofing the mac address. Each day they’d have to find me anew!

    sean