[AsteriskBrasil] RE: (URGENT) Intrusion attempt?
Ciro A. Toscano
ciro@sntbsb.com.br
Fri Jan 22 18:24:28 BRST 2010
Bruno, yes, it is an intrusion attempt!
Use the firewall against him... but it won't do much good, because you block one and
another one shows up... so instead of blocking one IP, allow access only
to the known IPs.
Below are the details of the owner of that IP; you can send them a complaint by
email so that they can identify the compromise that happened on their side.
They were certainly compromised, or it is one of their users acting
maliciously.
OrgName: Amazon.com, Inc.
OrgID: AMAZO-4
Address: Amazon Web Services, Elastic Compute Cloud, EC2
Address: 1200 12th Avenue South
City: Seattle
StateProv: WA
PostalCode: 98144
Country: US
NetRange: 174.129.0.0 - 174.129.255.255
CIDR: 174.129.0.0/16
NetName: AMAZON-EC2-5
NetHandle: NET-174-129-0-0-1
Parent: NET-174-0-0-0-0
NetType: Direct Assignment
NameServer: PDNS1.ULTRADNS.NET
NameServer: PDNS2.ULTRADNS.NET
NameServer: PDNS3.ULTRADNS.ORG
Comment: The activity you have detected originates from a
Comment: dynamic hosting environment.
Comment: For fastest response, please submit abuse reports at
Comment: https://www.amazon.com/gp/html-forms-controller/AWSAbuse/
Comment: For more information regarding EC2 see:
Comment: http://ec2.amazonaws.com/
Comment: All reports MUST include:
Comment: * src IP
Comment: * dest IP (your IP)
Comment: * dest port
Comment: * Accurate date/timestamp and timezone of activity
Comment: * Intensity/frequency (short log extracts)
Comment: * Your contact details (phone and email)
Comment: Without these we will be unable to identify
Comment: the correct owner of the IP address at that
Comment: point in time.
RegDate: 2008-08-08
Updated: 2009-07-28
RAbuseHandle: AEA8-ARIN
RAbuseName: Amazon EC2 Abuse
RAbusePhone: +1-206-266-2187
RAbuseEmail: ec2-abuse@amazon.com
RNOCHandle: ANO24-ARIN
RNOCName: Amazon EC2 Network Operations
RNOCPhone: +1-206-266-2187
RNOCEmail: aes-noc@amazon.com
RTechHandle: ANO24-ARIN
RTechName: Amazon EC2 Network Operations
RTechPhone: +1-206-266-2187
RTechEmail: aes-noc@amazon.com
OrgAbuseHandle: AEA8-ARIN
OrgAbuseName: Amazon EC2 Abuse
OrgAbusePhone: +1-206-266-2187
OrgAbuseEmail: ec2-abuse@amazon.com
OrgTechHandle: ANO24-ARIN
OrgTechName: Amazon EC2 Network Operations
OrgTechPhone: +1-206-266-2187
OrgTechEmail: aes-noc@amazon.com
-----Original Message-----
From: asteriskbrasil-bounces@listas.asteriskbrasil.org
[mailto:asteriskbrasil-bounces@listas.asteriskbrasil.org] On behalf of
brunoantognolli@email.com
Sent: Friday, January 22, 2010 10:37
To: asteriskbrasil@listas.asteriskbrasil.org
Subject: [AsteriskBrasil] (URGENT) Intrusion attempt?
Folks, I was looking at the Asterisk log and saw the following message:
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@XXX.XXX.XXX.XXX>' failed for '174.129.173.249' - Wrong password
Note that within one second the "intruder" tried several times to register on
SIP extension 1013 (by brute force) over my Speedy link. The IP of the
"intruder" is 174.129.173.249.
Would this be an intrusion attempt?
If so, how did he get access to my SIP extensions?
What do I need to do to get this guy off the network?
In a quick search I found that this IP is from Washington.
http://www.botsvsbrowsers.com/ip/174.129.173.249/index.html
Am I alarmed over nothing, or is it really an intrusion attempt?
Thanks, list.
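Two things this thread describes in words can be made concrete: summarising the failed REGISTER attempts per source address, with the timestamps and intensity that the ARIN abuse comment above says a report must include, and generating the allow-list firewall policy Ciro recommends instead of blocking one address at a time. The script below is an added example, not code from either poster or from the Asterisk project. The sample log is constructed in the NOTICE format quoted above using documentation address ranges; the log path, the threshold, the chain name SIP-ALLOW, the port and the peer list are assumptions.

```shell
#!/bin/sh
# Added example for this thread (not code from either poster or from Asterisk).
# 1) failed_register_sources: per source IP, count failed SIP REGISTERs in an
#    Asterisk 1.6-style log and report first/last timestamps (abuse-report data).
# 2) sip_allowlist_rules: print iptables commands that accept SIP signalling only
#    from known peers and drop everything else (Ciro's advice).
# Chain name, port, threshold and peer list are assumptions for illustration.

# Write a constructed sample log to $1, mirroring the burst Bruno pasted
# (same source, same second) plus one enumeration-style failure and one
# unrelated NOTICE that must be ignored by the parser.
write_sample_log() {
    cat >"$1" <<'EOF'
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@203.0.113.10>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@203.0.113.10>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@203.0.113.10>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@203.0.113.10>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:25] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@203.0.113.10>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:26] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1013" <sip:1013@203.0.113.10>' failed for '174.129.173.249' - Wrong password
[Jan 22 10:00:31] NOTICE[14350]: chan_sip.c:15593 handle_request_register: Registration from '"1001" <sip:1001@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
[Jan 22 10:01:02] NOTICE[14350]: chan_sip.c:15593 handle_request_invite: constructed unrelated line, must not be counted
EOF
}

# Print "IP count first-timestamp last-timestamp" for every source address
# with at least $2 (default 5) failed REGISTERs in log $1, most active first.
# Every failure reason is counted (Wrong password, No matching peer found, ...):
# an extension-enumeration scan shows up mostly as the latter.
failed_register_sources() {
    sed -n "s/^\[\([^]]*\)\] NOTICE.*handle_request_register: Registration from .* failed for '\([0-9.]*\)' - .*/\2 \1/p" "$1" \
    | awk -v t="${2:-5}" '
        { ip = $1; ts = $2 " " $3 " " $4
          n[ip]++
          if (!(ip in first)) first[ip] = ts
          last[ip] = ts }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip], first[ip], last[ip] }' \
    | sort -k2,2nr
}

# Print the iptables commands for an allow-list on the SIP signalling port:
# $1 is a space-separated list of trusted peer addresses or CIDRs, $2 the port
# (default 5060). Nothing is applied here; review the output, then run it as
# root. The chain is rebuilt each time so re-running does not stack rules.
sip_allowlist_rules() {
    port=${2:-5060}
    printf 'iptables -N SIP-ALLOW 2>/dev/null || true\n'
    printf 'iptables -F SIP-ALLOW\n'
    for peer in $1; do
        printf 'iptables -A SIP-ALLOW -s %s -j ACCEPT\n' "$peer"
    done
    printf 'iptables -A SIP-ALLOW -j DROP\n'
    for proto in udp tcp; do
        printf 'iptables -D INPUT -p %s --dport %s -j SIP-ALLOW 2>/dev/null || true\n' "$proto" "$port"
        printf 'iptables -I INPUT -p %s --dport %s -j SIP-ALLOW\n' "$proto" "$port"
    done
}

# Stand-alone demo on the constructed log.
log=$(mktemp)
write_sample_log "$log"
echo "# sources with >= 5 failed REGISTERs (include in the abuse report):"
failed_register_sources "$log" 5
echo "# allow-list policy for an assumed peer list:"
sip_allowlist_rules "203.0.113.10 198.51.100.0/24"
rm -f "$log"
```

Run it as an ordinary user to see the summary and the generated rules; only feed the rules to a root shell after checking the peer list, because an allow-list that omits a phone sitting on a dynamic ISP address locks that phone out, which is the trade-off behind Ciro's advice. Two sip.conf settings belong with the firewall: alwaysauthreject=yes in [general], so that a REGISTER for a non-existent extension gets the same reply as a wrong password and the scanner cannot learn which extensions exist, and a long random secret= on every peer, which is what makes a burst like the one above fail.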