[Freeswitch-users] FS account got hacked **urgent**

Brian : brians at iptel.co
Wed Mar 1 10:39:20 MSK 2017


Same as - all coming from 62.210.245.31 - reported to abuse@ but meh.
Not just a freeswitch thing obviously - there must be some
vulnerability these wasters are trying to gain profit from.

They are actually spoofing a credible UA for once.


2017-02-28 19:38:23 +0000 : 62.210.245.31:41254 -> 8.8.28.60:5060
INVITE sip:001648825408632@8.8.28.60 SIP/2.0
Via: SIP/2.0/UDP 62.210.245.31:41254;branch=z9hG4bK-524287-1---321bda12cf15b137;rport
Max-Forwards: 70
Contact: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@62.210.245.31:41254>;+sip.instance="<urn:uuid:546752fe-1c36-4770-9db8-1db98b72700f>"
To: <sip:001648825408632@8.8.28.60>
From: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@8.8.28.60>;tag=DLMPQMRN
Call-ID: SWZYYRWNLTZCVZRAYLXRXNWU
CSeq: 1 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO
Content-Type: application/sdp
Supported: replaces
User-Agent: Cisco-SIPGateway/IOS-12.x
Allow-Events: hold, talk, conference
Content-Length: 0

Brian



On Wed, Mar 1, 2017 at 6:55 AM, jay binks <jaybinks at gmail.com> wrote:
> Yeah man, I'm seeing the exact same thing.
> From the same IP actually.
>
>
> INVITE sip:0008148825408632@180.214.68.115 SIP/2.0
> Via: SIP/2.0/UDP 62.210.245.31:41254;branch=z9hG4bK-524287-1---321bda12cf15b137;rport
> Max-Forwards: 70
> Contact: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@62.210.245.31:41254>;+sip.instance="<urn:uuid:f6d7a08c-d1d0-4bb1-9f09-01d032f62c38>"
> To: <sip:0008148825408632@180.214.68.115>
> From: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@180.214.68.115>;tag=LNDMJRRH
> Call-ID: XXINXNMLKORRQSRCIOPQFLZM
> CSeq: 1 INVITE
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO
> Content-Type: application/sdp
> Supported: replaces
> User-Agent: Cisco-SIPGateway/IOS-12.x
> Allow-Events: hold, talk, conference
> Content-Length: 0
>
> On 1 March 2017 at 09:59, Brian West <brian at freeswitch.org> wrote:
>>
>> You can calm down. Do you have any proof you've been hacked? This appears
>> to be an SQL injection attempt; I started seeing this yesterday!
>>
>> Here is what I had in my logs and what the packet has in it:
>>
>> 2017-02-27 18:40:20.451831 [WARNING] switch_core_state_machine.c:687 a7c86b62-4dbf-4609-8bc2-3b6a38e2686a sofia/internal/‘hi'or‘x’='x'@190.102.98.246 Abandoned
>> 2017-02-27 18:40:20.451831 [NOTICE] switch_core_state_machine.c:690 Hangup sofia/internal/‘hi'or‘x’='x'@190.102.98.246 [CS_NEW] [WRONG_CALL_STATE]
>> 2017-02-27 18:40:20.451831 [NOTICE] switch_core_session.c:1730 Session 2 (sofia/internal/‘hi'or‘x’='x'@190.102.98.246) Ended
>> 2017-02-27 18:40:20.451831 [NOTICE] switch_core_session.c:1734 Close Channel sofia/internal/‘hi'or‘x’='x'@190.102.98.246 [CS_DESTROY]
>>
>>
>>
>> INVITE sip:1259360048825408632@190.102.98.246 SIP/2.0
>> Via: SIP/2.0/UDP 62.210.245.31:41254;branch=z9hG4bK-524287-1---321bda12cf15b137;rport
>> Max-Forwards: 70
>> Contact: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@62.210.245.31:41254>;+sip.instance="<urn:uuid:4c5f3dc8-9f8a-4470-9b43-bd04fcd1634d>"
>> To: <sip:1259360048825408632@190.102.98.246>
>> From: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@190.102.98.246>;tag=UBAWADPX
>> Call-ID: OIERRISLMMBKZCIIUGWESXQM
>> CSeq: 1 INVITE
>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO
>> Content-Type: application/sdp
>> Supported: replaces
>> User-Agent: Cisco-SIPGateway/IOS-12.x
>> Allow-Events: hold, talk, conference
>> Content-Length: 0
>>
>>
>> I would like to dive deeper and see if anyone else has seen this, I had
>> also seen it today in the FreeSWITCH hipchat channel.
>>
>> /b
>>
>>
>>
>> On Tue, Feb 28, 2017 at 2:38 PM, Siju Nair <siju.irs at gmail.com> wrote:
>>>
>>> Hi team,
>>>
>>> Please help with the query below.
>>>
>>> Sent from my iPhone
>>>
>>> > On 28-Feb-2017, at 3:59 PM, Siju Nair <siju.irs at gmail.com> wrote:
>>> >
>>> > Hi Team,
>>> >
>>> > My account got hacked and attacked, using my DID number as caller ID and
>>> > making calls via my FS server.
>>> >
>>> > In the logs I could notice this: sofia/external/'hi'or'x'='x' ... What does
>>> > this mean, and how can they set my DID as caller ID and make calls? Urgent
>>> > help needed.
>>> >
>>> > Thanks,
>>> > Siju Nair
>>>
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://confluence.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>
>>
>>
>>
>> --
>>
>> Brian West
>> brian at freeswitch.org
>>
>> Twitter: @FreeSWITCH , @briankwest
>>
>> http://www.freeswitchbook.com
>> http://www.freeswitchcookbook.com
>>
>> Allison prompts for FreeSWITCH:
>>
>> https://www.gofundme.com/allison-prompts-for-freeswitch
>>
>> Wish to schedule a meeting?
>>
>> http://app.timebridge.com/#/meet/freeswitch
>>
>> Got Bugs? Report them here! | Reddit: /r/freeswitch
>>
>> T:+19184209001 | F:+19184209002 | M:+1918424WEST (9378)
>> Skype:briankwest
>>
>>
>
>
>
>
> --
> Sincerely
>
> Jay
>
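Every INVITE quoted in this thread carries the same percent-encoded payload in the From and Contact URI user part, and the FreeSWITCH log lines show that same string, decoded, inside the sofia channel name. As an added example that is not part of this thread, the following Python (standard library only; the sample INVITE, log line and addresses are constructed, the function names are my own) decodes that user part, shows it matches the channel name in the log, and flags both the packet and the log line for review.

```python
import re
from urllib.parse import unquote
# Constructed sample INVITE modelled on the ones quoted in this thread: the From/Contact user
# part is the thread's percent-encoded payload; the addresses are RFC 5737 test ranges.
SAMPLE_INVITE = (
    "INVITE sip:001648825408632@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:41254;branch=z9hG4bK-1;rport\r\n"
    "Contact: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@198.51.100.7:41254>\r\n"
    "To: <sip:001648825408632@192.0.2.10>\r\n"
    "From: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@192.0.2.10>;tag=DLMPQMRN\r\n"
    "User-Agent: Cisco-SIPGateway/IOS-12.x\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed FreeSWITCH log line in the shape quoted above (channel name carries the decoded payload).
SAMPLE_LOG = ("2017-02-27 18:40:20.451831 [NOTICE] switch_core_state_machine.c:690 Hangup "
              "sofia/internal/\u2018hi'or\u2018x\u2019='x'@192.0.2.10 [CS_NEW] [WRONG_CALL_STATE]")
_URI_USER = re.compile(r"<?sips?:([^@>;]+)@")       # user part of the first SIP URI in a header
_CHANNEL = re.compile(r"sofia/[^/\s]+/([^@\s]+)@")  # user part of a sofia/<profile>/<user>@ channel
# A quote (ASCII ' or ", or the typographic U+2018/U+2019 this payload mixes in) followed by
# OR/AND and '='. Run it AFTER percent-decoding: on the wire the curly quotes are only %e2%80%98.
_SQLI = re.compile(r"['\"\u2018\u2019].*\b(?:or|and)\b.*=", re.IGNORECASE)

def parse_headers(msg):
    """Parse SIP headers into {lowercase-name: value}, unfolding continuation lines."""
    headers, last = {}, None
    for line in msg.split("\r\n")[1:]:        # skip the request line
        if not line:
            break                             # blank line ends the header section
        if line[0] in " \t" and last:         # folded continuation line (RFC 3261 7.3.1)
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers

def uri_user(header_value):
    """Percent-decode the user part of the first SIP URI in a header value (None if absent)."""
    m = _URI_USER.search(header_value)
    return unquote(m.group(1)) if m else None

def flag_invite(msg):
    """Return {header: decoded user} for From/To/Contact URIs whose user part looks like SQLi."""
    headers = parse_headers(msg)
    users = {n: uri_user(headers.get(n, "")) for n in ("from", "to", "contact")}
    return {n: u for n, u in users.items() if u and _SQLI.search(u)}

def flag_log_line(line):
    """Return the channel's user part if a sofia channel name in the log line carries the payload."""
    m = _CHANNEL.search(line)
    return m.group(1) if m and _SQLI.search(m.group(1)) else None
```

Matching on the decoded value is the point: the decoded From user is exactly the `‘hi'or‘x’='x'` seen in the channel name, so one rule covers both the SIP trace and the FreeSWITCH log.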


