[Freeswitch-users] Attack using 5843 and music account?

xuyan yang xyangni at gmail.com
Mon Jan 3 18:26:01 MSK 2011


Dear all,

Recently, my FS server is often slowed down at midnight, and the system logged
a lot of the lines below:

2011-01-03 04:13:07.494973 [WARNING] sofia_reg.c:1203 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [5843 at 90.192.85.12] from ip
184.106.178.189

2011-01-03 04:11:41.344034 [WARNING] sofia_reg.c:1203 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [music at 90.192.85.12] from ip
184.106.178.189
2011-01-03 04:11:41.503079 [WARNING] sofia_reg.c:1203 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [music at 90.192.85.12] from ip
184.106.178.189
2011-01-03 04:11:41.671564 [WARNING] sofia_reg.c:1203 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [music at 90.192.85.12] from ip
184.106.178.189
2011-01-03 04:11:41.828182 [WARNING] sofia_reg.c:1203 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [music at 90.192.85.12] from ip
184.106.178.189
2011-01-03 04:11:41.998964 [WARNING] sofia_reg.c:1203 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [music at 90.192.85.12] from ip
184.106.178.189
2011-01-03 04:11:42.145093 [WARNING] sofia_reg.c:1203 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [music at 90.192.85.12] from ip
184.106.178.189
2011-01-03 04:11:42.291273 [WARNING] sofia_reg.c:1203 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [music at 90.192.85.12] from ip
184.106.178.189
2011-01-03 04:11:42.448811 [WARNING] sofia_reg.c:1203 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [music at 90.192.85.12] from ip
184.106.178.189
2011-01-03 04:11:42.605709 [WARNING] sofia_reg.c:1203 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [music at 90.192.85.12] from ip
184.106.178.189

I installed fail2ban, but it does not seem to work. After reading these
lines, I found this to be a successful REGISTER instead of a failure.
But I do not have 5843 or music in my directory, and I myself cannot log in to
the music account; it generates the following error log:

2011-01-03 15:19:32.360152 [WARNING] sofia_reg.c:1161 SIP auth failure
(REGISTER) on sofia profile 'internal' for [music at 192.168.0.3] from ip
192.168.0.6

So, how can this hacker successfully register the music account and avoid
being banned? It is strange.

Thanks.
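
Added example (not part of the original post, and not FreeSWITCH or fail2ban code): a small Python detector that counts both the "SIP auth challenge" and "SIP auth failure" lines quoted above per source IP in a sliding window, which is the same decision a fail2ban filter has to make. The thresholds, function names and the sample log (documentation addresses) are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The archive rewrote "user@host" as "user at host"; accept both spellings.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \[WARNING\] sofia_reg\.c:\d+ "
    r"SIP auth (?P<kind>challenge|failure) \(REGISTER\) on sofia profile "
    r"'[^']+' for \[(?P<user>[^\]@ ]+)(?:@| at )[^\]]+\] from ip (?P<ip>\S+)$"
)

def unwrap(text):
    """Rejoin records that a mail client wrapped across several lines."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if re.match(r"\d{4}-\d\d-\d\d ", line) or not records:
            records.append(line)   # a timestamp starts a new record
        else:
            records[-1] += " " + line
    return records

def find_floods(text, max_events=5, window=timedelta(seconds=10)):
    """Map flooding source IPs to the usernames they tried."""
    events = []
    for rec in unwrap(text):
        m = LINE_RE.match(rec)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["ip"], m["user"]))
    recent, users, flagged = defaultdict(deque), defaultdict(set), set()
    for ts, ip, user in sorted(events):  # quoted logs may be out of order
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while ts - q[0] > window:        # drop events older than the window
            q.popleft()
        if len(q) > max_events:          # challenge and failure both count
            flagged.add(ip)
    return {ip: sorted(users[ip]) for ip in flagged}

# Constructed sample (documentation addresses), wrapped like the quoted log.
SAMPLE = "\n".join(
    f"2011-01-03 04:11:4{i}.000000 [WARNING] sofia_reg.c:1203 SIP auth challenge\n"
    "(REGISTER) on sofia profile 'internal' for [music@192.0.2.10] from ip\n"
    "198.51.100.7" for i in range(7)
) + ("\n2011-01-03 15:19:32.360152 [WARNING] sofia_reg.c:1161 SIP auth failure "
     "(REGISTER) on sofia profile 'internal' for [music at 192.0.2.10] from ip 203.0.113.6")

if __name__ == "__main__": print(find_floods(SAMPLE))
```

A filter that matches only the "SIP auth failure" wording would count one event in this sample and none of the seven challenge lines.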