SIP scanning going on again, probably re ... / 2014-02-05

2014-02-05 SIP scanning going on again, probably re ...
SIP scanning going on again, probably related to Security advisory: suspected telephone misuse in fritzbox systems. My Internet provider xs4all uses fritz!box devices by default and I already heard about one case of abuse.

The SIP scan in tshark:
Frame 376 (457 bytes on wire, 457 bytes captured)
    Arrival Time: Feb  5, 2014 18:00:07.447662000
    [Time delta from previous captured frame: 36.927214000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 6100.139111000 seconds]
    Frame Number: 376
    Frame Length: 457 bytes
    Capture Length: 457 bytes
    [Frame is marked: False]
    [Protocols in frame: sll:ip:udp:sip]
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src: (, Dst: (
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 441
    Identification: 0x0000 (0)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 53
    Protocol: UDP (0x11)
    Header checksum: 0x475e [correct]
        [Good: True]
        [Bad : False]
    Source: (
    Destination: (
User Datagram Protocol, Src Port: 5079 (5079), Dst Port: sip (5060)
    Source port: 5079 (5079)
    Destination port: sip (5060)
    Length: 421
    Checksum: 0xc761 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
Session Initiation Protocol
    Request-Line: OPTIONS SIP/2.0
        Method: OPTIONS
        [Resent Packet: False]
    Message Header
        Via: SIP/2.0/UDP;branch=z9hG4bK-1039150734;rport
            Transport: UDP
            Sent-by Address:
            Sent-by port: 5079
            Branch: z9hG4bK-1039150734
            RPort: rport
        Content-Length: 0
        From: "sipvicious"<sip:100@>;tag=3532356663346361313363340132393433303934303439
            SIP Display info: "sipvicious"
            SIP from address: sip:100@
            SIP tag: 3532356663346361313363340132393433303934303439
        Accept: application/sdp
        User-Agent: friendly-scanner
        To: "sipvicious"<sip:100@>
            SIP Display info: "sipvicious"
            SIP to address: sip:100@
        Contact: sip:100@
            Contact Binding: sip:100@
                URI: sip:100@\r
                    SIP contact address: sip:100@\r
        CSeq: 1 OPTIONS
            Sequence Number: 1
            Method: OPTIONS
        Call-ID: 37933976157019277147119
        Max-Forwards: 70
Source IPv4 was, Plusserver AG. Interesting pointer at IPv4 address, a different IPv4 range at Plusserver AG.

Tags: , ,

IPv6 check

Running test...
, reachable as PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

Meningen zijn die van mezelf, wat ik schrijf is beschermd door auteursrecht. Sommige publicaties bevatten een expliciete vermelding dat ze ongevraagd gedeeld mogen worden.
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated by $Id: newsitem.cgi,v 1.58 2022/12/12 15:34:31 koos Exp $ in 0.007934 seconds.