SIP scanning going on again, probably re ... / 2014-02-05

SIP scanning going on again, probably related to Security advisory: suspected telephone misuse in fritzbox systems. My Internet provider xs4all uses fritz!box devices by default and I already heard about one case of abuse.

The SIP scan in tshark:
Frame 376 (457 bytes on wire, 457 bytes captured)
    Arrival Time: Feb  5, 2014 18:00:07.447662000
    [Time delta from previous captured frame: 36.927214000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 6100.139111000 seconds]
    Frame Number: 376
    Frame Length: 457 bytes
    Capture Length: 457 bytes
    [Frame is marked: False]
    [Protocols in frame: sll:ip:udp:sip]
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src: 188.138.41.34 (188.138.41.34), Dst: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 441
    Identification: 0x0000 (0)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 53
    Protocol: UDP (0x11)
    Header checksum: 0x475e [correct]
        [Good: True]
        [Bad : False]
    Source: 188.138.41.34 (188.138.41.34)
    Destination: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
User Datagram Protocol, Src Port: 5079 (5079), Dst Port: sip (5060)
    Source port: 5079 (5079)
    Destination port: sip (5060)
    Length: 421
    Checksum: 0xc761 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
Session Initiation Protocol
    Request-Line: OPTIONS sip:100@xxx.xxx.xxx.xxx SIP/2.0
        Method: OPTIONS
        [Resent Packet: False]
    Message Header
        Via: SIP/2.0/UDP 62.75.212.215:5079;branch=z9hG4bK-1039150734;rport
            Transport: UDP
            Sent-by Address: 62.75.212.215
            Sent-by port: 5079
            Branch: z9hG4bK-1039150734
            RPort: rport
        Content-Length: 0
        From: "sipvicious"<sip:100@1.1.1.1>;tag=3532356663346361313363340132393433303934303439
            SIP Display info: "sipvicious"
            SIP from address: sip:100@1.1.1.1
            SIP tag: 3532356663346361313363340132393433303934303439
        Accept: application/sdp
        User-Agent: friendly-scanner
        To: "sipvicious"<sip:100@1.1.1.1>
            SIP Display info: "sipvicious"
            SIP to address: sip:100@1.1.1.1
        Contact: sip:100@62.75.212.215:5079
            Contact Binding: sip:100@62.75.212.215:5079
                URI: sip:100@62.75.212.215:5079\r
                    SIP contact address: sip:100@62.75.212.215:5079\r
        CSeq: 1 OPTIONS
            Sequence Number: 1
            Method: OPTIONS
        Call-ID: 37933976157019277147119
        Max-Forwards: 70
The IP-layer source was 188.138.41.34, Plusserver AG. An interesting pointer is the address 62.75.212.215 in the Via and Contact headers, which lies in a different IPv4 range at Plusserver AG.
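As an added example (not code from the original post), a small Python detector that flags the scanner fingerprints visible in the dissection above: the "friendly-scanner" User-Agent, the "sipvicious" display name, and a Via sent-by address that differs from the IP-layer source. It assumes the SIP request is available as text together with the packet's source address; the destination 203.0.113.10 is a constructed placeholder for the redacted address.

```python
import re

# Constructed sample: the OPTIONS request from the capture above, rebuilt
# from the dissected headers (the original wire bytes are not on the page).
SAMPLE_SIP = (
    "OPTIONS sip:100@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 62.75.212.215:5079;branch=z9hG4bK-1039150734;rport\r\n"
    "Content-Length: 0\r\n"
    'From: "sipvicious"<sip:100@1.1.1.1>;tag=3532356663346361313363340132393433303934303439\r\n'
    "Accept: application/sdp\r\n"
    "User-Agent: friendly-scanner\r\n"
    'To: "sipvicious"<sip:100@1.1.1.1>\r\n'
    "Contact: sip:100@62.75.212.215:5079\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Call-ID: 37933976157019277147119\r\n"
    "Max-Forwards: 70\r\n\r\n"
)
SAMPLE_SRC_IP = "188.138.41.34"  # IP-layer source address from the capture

# Fingerprints taken from the capture (sipvicious / friendly-scanner).
SCANNER_USER_AGENTS = {"friendly-scanner"}
SCANNER_DISPLAY_NAMES = {"sipvicious"}


def parse_sip_request(raw: str):
    """Split a SIP request into (method, request_uri, headers) with lower-cased header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def scan_findings(raw: str, src_ip: str) -> list:
    """Return a list of human-readable indicators that this request came from a SIP scanner."""
    _method, _uri, h = parse_sip_request(raw)
    findings = []
    if h.get("user-agent", "").lower() in SCANNER_USER_AGENTS:
        findings.append("scanner user-agent: " + h["user-agent"])
    m = re.match(r'"([^"]*)"', h.get("from", ""))
    if m and m.group(1).lower() in SCANNER_DISPLAY_NAMES:
        findings.append("scanner display name: " + m.group(1))
    # Via sent-by is set by the sender; a mismatch with the IP source is worth logging.
    via = re.match(r"SIP/2\.0/\w+\s+([\d.]+)", h.get("via", ""))
    if via and via.group(1) != src_ip:
        findings.append(f"via sent-by {via.group(1)} != ip source {src_ip}")
    return findings
```

Feeding the sample through `scan_findings(SAMPLE_SIP, SAMPLE_SRC_IP)` yields all three indicators; a plain OPTIONS ping with a consistent Via and an ordinary User-Agent yields none.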


Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred (PGP key 5BA9 368B E6F3 34E4).