Sip Registration Hijacking


I have a honeypot box with extensions that are not just numbers, i.e.:

100-MySipUserName

And the passwords are from an openssl-generated password, i.e.:

Gq5VNIjDFWIQoUT6

However, this one extension keeps getting hacked and showing up on a different IP address.

It is also registered on an AudioCodes MP-118.

I wanted to know if anyone else ran into this and if it’s a vulnerability on the MP-118 or with Asterisk.

Thanks,

-E

12 thoughts on “Sip Registration Hijacking”

  • I have the same problem and I use contactpermit with specific IP blocks!

    I know for a fact I’m getting hijacked by sip vicious on extension 100
    but I can’t understand how because I don’t even have an extension 100
    declared anywhere. I would like to know how to block this MF because
    he makes calls at 1-2 AM

  • I always thought SIP Vicious only does numbers (0 – 100NNNN), not numeric-alpha (100-MySipUserName).

    To make my situation more interesting is that I also have fail2ban installed banning after 5 failed attempts.

    This hijack is only happening to an extension on the honeypot AudioCodes, with the SIP reg authenticating back to my honeypot Asterisk, which is why I thought it might be a vulnerability in the AudioCodes.

    However, the hijacker manages to make it past the fail2ban and gets the sip reg.

    I see sipvicious attempts all the time where they run checks against extensions 0 – 9999.

    Sometimes I see alpha extension name attempts but I do not know how that’s done.

  • I too have fail2ban and am running a relatively updated version of FreeBSD. BTW my install is plain Asterisk.

  • Alejandro Imass wrote 20.01.2012 18:09:

    > to block this MF because he makes calls at 1-2 AM

    I use this construction on my servers:

    [users]
    ; between 01:00 and 02:00 every day, send any 3-digit dialled number to the block context
    exten => _XXX,1,GotoIfTime(1:00-2:00,*,*,*?block,1,1)

    [block]
    ; extension 1 in this context matches _X. and simply hangs up the call
    exten => _X.,1,HangUp(1)

  • Is the password stored in sip.conf in plain text or as an MD5?

    If it is stored in plain text then it may suggest the hijacker has greater access to your system than you realise.

    My 2-cents worth.

  • Can you please elaborate on rate limiting? Not how to implement it, but rather how the implementation is beneficial.

    Reading up on it, it appears that it just checks the TCP connections and denies the connection if the limit is passed.

    In my thoughts, this is essentially a live fail2ban monitor with respect to attempted authentications.

    Thanks,

  • This is actually an interesting concept; however, I do think I want to restrict dialing during a specific time period.

    If someone is in the office, I would have to reprogram the route to allow dialing, which adds overhead.

    Again, I do like the concept though.

    Thanks,

  • I appreciate your 2-cents worth.

    However, I do not believe they have access to machine

    If so, they are clever to create three failures in the logs for my benefit before entering the correct one for hijacking.

    Additionally, I have a lot of sip extensions to hijack and he keeps going for the same one.

    I was hoping this was something with the MP-118 and someone experienced the same thing with that device.

    Either way, I posed two questions which are still unanswered and probably will never be answered:

    1 – Is this a vulnerability in the MP-118?

    2 – What method could they possibly be using to hijack a number-alpha extension, which is creative to begin with, i.e.
    203-Joes_Insurance_Service with an openssl-generated password of 12 characters?

    Thanks,
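    The pattern described in this thread, a handful of failed attempts that stay under the fail2ban threshold followed by a successful REGISTER for the same peer from a foreign address, is exactly the case a failure counter alone never catches. The script below is an added example (not code from the list, from Asterisk or from fail2ban) that replays constructed Asterisk-style log lines through two checks: a fail2ban-like per-IP failure counter using the five-attempt threshold mentioned above, and an allow-list check that flags a successful registration of a peer from an address the peer is not expected to use. The log lines, the `ALLOWED_SOURCES` table and the addresses are all constructed; the line shapes follow chan_sip's "Registration from ... failed for ..." and "Registered SIP ... at ..." messages of the Asterisk 1.8 era, but the exact layout is an assumption for the example.

```python
"""Replay Asterisk-style SIP registration log lines through two checks.

Added example for this thread, not code from the list, Asterisk or fail2ban:
  1. a fail2ban-style counter: a source IP that fails REGISTER at least
     MAXRETRY times within FINDTIME is marked for banning;
  2. a "peer from a new address" check: a *successful* registration of a
     peer from an IP not on that peer's allow-list is flagged, which is the
     case a failure counter never sees (a few wrong guesses, then the right
     password from a foreign address).
The sample lines are constructed. Their shape follows the chan_sip notices
"Registration from '...' failed for 'IP:PORT' - reason" and "Registered SIP
'peer' at IP:PORT" (Asterisk 1.8 era); the exact layout is an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban's usual knobs, set to the 5-attempt threshold used in the thread.
MAXRETRY = 5
FINDTIME = timedelta(minutes=10)

# Hypothetical allow-list: which source addresses may register each peer.
# In the thread's setup this would be the MP-118's address for its extension.
ALLOWED_SOURCES = {
    "100-MySipUserName": {"203.0.113.50"},
}

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
[Jan 20 01:00:00] VERBOSE[2165] chan_sip.c:   -- Registered SIP '100-MySipUserName' at 203.0.113.50:5060
[Jan 20 01:02:03] NOTICE[2165] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.23:5060' - No matching peer found
[Jan 20 01:02:03] NOTICE[2165] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.23:5060' - No matching peer found
[Jan 20 01:02:04] NOTICE[2165] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '198.51.100.23:5060' - No matching peer found
[Jan 20 01:02:04] NOTICE[2165] chan_sip.c: Registration from '"103" <sip:103@203.0.113.10>' failed for '198.51.100.23:5060' - No matching peer found
[Jan 20 01:02:05] NOTICE[2165] chan_sip.c: Registration from '"104" <sip:104@203.0.113.10>' failed for '198.51.100.23:5060' - No matching peer found
[Jan 20 01:02:05] NOTICE[2165] chan_sip.c: Registration from '"105" <sip:105@203.0.113.10>' failed for '198.51.100.23:5060' - No matching peer found
[Jan 20 01:30:10] NOTICE[2165] chan_sip.c: Registration from '"100-MySipUserName" <sip:100-MySipUserName@203.0.113.10>' failed for '192.0.2.44:5060' - Wrong password
[Jan 20 01:30:11] NOTICE[2165] chan_sip.c: Registration from '"100-MySipUserName" <sip:100-MySipUserName@203.0.113.10>' failed for '192.0.2.44:5060' - Wrong password
[Jan 20 01:30:12] NOTICE[2165] chan_sip.c: Registration from '"100-MySipUserName" <sip:100-MySipUserName@203.0.113.10>' failed for '192.0.2.44:5060' - Wrong password
[Jan 20 01:30:13] VERBOSE[2165] chan_sip.c:   -- Registered SIP '100-MySipUserName' at 192.0.2.44:5060
"""

FAILED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<who>[^']*)' failed for '(?P<src>[\d.]+):\d+' - (?P<reason>.*)$"
)
REGISTERED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] VERBOSE\[\d+\] chan_sip\.c:\s+-- Registered SIP "
    r"'(?P<peer>[^']+)' at (?P<src>[\d.]+):\d+$"
)


def parse_ts(text):
    """Asterisk's default dateformat carries no year; relative order is all we need."""
    return datetime.strptime(text, "%b %d %H:%M:%S")


def analyze(log_text, allowed, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return (bans, hijacks).

    bans    - set of source IPs that reached maxretry failures inside findtime
    hijacks - list of (peer, src) for successful registrations from an
              address that is not on the peer's allow-list
    """
    recent = defaultdict(deque)   # src IP -> timestamps of failures in the window
    bans = set()
    hijacks = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts, src = parse_ts(m["ts"]), m["src"]
            window = recent[src]
            window.append(ts)
            while ts - window[0] > findtime:   # drop failures older than the window
                window.popleft()
            if len(window) >= maxretry:
                bans.add(src)
            continue
        m = REGISTERED_RE.match(line)
        if m and m["src"] not in allowed.get(m["peer"], set()):
            hijacks.append((m["peer"], m["src"]))
    return bans, hijacks


if __name__ == "__main__":
    bans, hijacks = analyze(SAMPLE_LOG, ALLOWED_SOURCES)
    for ip in sorted(bans):
        print(f"ban {ip}: {MAXRETRY}+ failed REGISTERs within {FINDTIME}")
    for peer, src in hijacks:
        print(f"ALERT peer {peer} registered from unexpected address {src}")
```

    On the sample log the numeric sweep from 198.51.100.23 trips the counter, as fail2ban would; the three wrong guesses from 192.0.2.44 never reach the threshold, and only the allow-list check notices the peer then registering from an address the MP-118 does not own. Once the allow-list is known to be right, the same addresses can go into sip.conf as `deny=`/`permit=` on that peer (the first reply's `contactpermit` restricts the Contact header in the same spirit), so the foreign registration is refused rather than merely logged.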

  • Is the AudioCodes gateway accessible online? Have you set a strong password for its web interface (and CLI, if it has one)? It is possible someone is breaking into that and getting the SIP password out of it.

    cheers,
    Paul.

  • It is accessible via HTTP.

    However, the access list only allows access from my home and the password is strong.

  • Can you configure it to ‘syslog’ accesses so that you can monitor it?

    Maybe your access lists are invalid, misunderstood or not being honored.