[Freeswitch-users] Hacker Attack?

Cliff Wells cliff at develix.com
Mon Feb 14 21:27:53 MSK 2011

On Sat, 2011-01-29 at 15:39 -0800, Joao Leme wrote:
> I just downloaded and compiled the latest Git and a little after
> starting freeswitch I'm getting non stop the following:
> [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia
> profile ‘internal’ for [140 at 76.XXX.XX.XXX] from ip

> it's non-stop and doesn't let me do nothing else. After the first time
> I went on to vars and changed the 1234 password....restarted and same
> thing happened, I also try denying the ip on acl.conf (not sure if has
> something to do with it but gave it a try):

It seems obvious, but since no one else mentioned it, I will: have you
tried contacting the owner of attacking machine?   Chances are it's a
compromised machine and the owner is unaware of the situation.   I
experienced the same thing about a week ago, did a WHOIS lookup on the
IP, contacted the owner who was quite grateful to be alerted of the
issue, and had it resolved pretty quickly.

As an aside, if the script that's attacking you is the same one that was
attacking me, it won't stop once you setup the iptables rule.  In my
case it continued to send over 1Mbit/s of registration attempts even
when it could no longer connect (as measured by pfSense).


More information about the FreeSWITCH-users mailing list