Odd log messages - Need a pair of eyes



  • For a 10-minute span my firewall logged 200,000+ log entries that consisted of the following. 10.0.8.2 is the primary pfnode 'real IP'.

    X.X.X.40 is an internal DNS resolver which has a public IP, but is only set to answer recursive queries from internal/known networks. There are also firewall rules in place to block any traffic sourced from outside our networks.

    facility: local0
    level: Info [6.0]
    message: pf: From: "yn2mb7"<sip:yn2mb7@x.x.3p3\0xcbr\0x00\0x00\0x00\0x00\0xe40\0x0e\0x00\0x00\0x00\0x00\0x00\0x00\0x01\0x00\0x00\0xe6\0x01\0x00\0x00 \0x00\0x00\0x00\0x00\0x00\0x00\0x00="\0x02\0x01\0x00lagg0_vlan400\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00w\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xa0\0x86\0x01\0x00\0x00\0x00\0x00\0x00&\0x95\0x00\0x00\0x01\0x00\0x00\0x00E\0x00\0x01\0xa6\0xa1\0x9a@\0x005\0x11\0x1e\0xad\0xbc\0x8a~\0x0c&A#(\0x15v\0x13\0xc4\0x01\0x92/KREGISTER sip:yn9oir@X.X.X.40 SIP/2.0
    source: 10.0.8.2
    full_message: <134>Jan 6 17:50:57 pf: From: "yn2mb7"<sip:yn2mb7@x.x.3p3\0xcbr\0x00\0x00\0x00\0x00\0xe40\0x0e\0x00\0x00\0x00\0x00\0x00\0x00\0x01\0x00\0x00\0xe6\0x01\0x00\0x00 \0x00\0x00\0x00\0x00\0x00\0x00\0x00="\0x02\0x01\0x00lagg0_vlan400\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00w\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xa0\0x86\0x01\0x00\0x00\0x00\0x00\0x00&\0x95\0x00\0x00\0x01\0x00\0x00\0x00E\0x00\0x01\0xa6\0xa1\0x9a@\0x005\0x11\0x1e\0xad\0xbc\0x8a~\0x0c&A#(\0x15v\0x13\0xc4\0x01\0x92/KREGISTER sip:yn9oir@X.X.X.40 SIP/2.0
    
    facility: local0
    level: Info [6.0]
    message: pf: From: "yfxkhm"<sip:yfxkhm@x.x.3p3\0xcbr\0x00\0x00\0x00\0x00\0xb6\0xf2\0x0c\0x00\0x00\0x00\0x00\0x00\0x00\0x01\0x00\0x00\0xe6\0x01\0x00\0x00 \0x00\0x00\0x00\0x00\0x00\0x00\0x00="\0x02\0x01\0x00lagg0_vlan400\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00w\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xa0\0x86\0x01\0x00\0x00\0x00\0x00\0x00&\0x95\0x00\0x00\0x01\0x00\0x00\0x00E\0x00\0x01\0xa6\0x88\0x8b@\0x005\0x117\0xbc\0xbc\0x8a~\0x0c&A#(\0x15v\0x13\0xc4\0x01\0x92\0xd0\0x80REGISTER sip:yio4r1@X.X.X.40 SIP/2.0
    source: 10.0.8.2
    full_message: <134>Jan 6 17:50:57 pf: From: "yfxkhm"<sip:yfxkhm@x.x.3p3\0xcbr\0x00\0x00\0x00\0x00\0xb6\0xf2\0x0c\0x00\0x00\0x00\0x00\0x00\0x00\0x01\0x00\0x00\0xe6\0x01\0x00\0x00 \0x00\0x00\0x00\0x00\0x00\0x00\0x00="\0x02\0x01\0x00lagg0_vlan400\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00w\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xa0\0x86\0x01\0x00\0x00\0x00\0x00\0x00&\0x95\0x00\0x00\0x01\0x00\0x00\0x00E\0x00\0x01\0xa6\0x88\0x8b@\0x005\0x117\0xbc\0xbc\0x8a~\0x0c&A#(\0x15v\0x13\0xc4\0x01\0x92\0xd0\0x80REGISTER sip:yio4r1@X.X.X.40 SIP/2.0
    


  • Also... many more like this:

    pf: REGISTER sip:yamoley who?@X.X.X.40 SIP/2.0
    

  • Rebel Alliance Developer Netgate

    Someone was trying to run a SIP attack against you.

    The pf log parser gets enough data that can be parsed through tcpdump that the actual body of the packets was getting decoded.

    If you have a SIP server, you might want to make sure it's adequately protected in terms of rules, passwords, access, etc.

    If you don't have a SIP server, this may have been a random scan/attack that just happened to hit you. It's very common for such things to be seen sweeping the Internet looking for SIP servers to exploit. When they find an open one they'll burst a ton of pay calls through it. We've heard of people getting 5 and 6 digit dollar amount bills from improperly protected SIP services.
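    A small detector for the situation described in this thread, added here as an example (it is not code from the thread, from pfSense or from Netgate): it parses pf syslog lines of the shape posted above, pulls out the decoded SIP REGISTER target, and flags any target that receives a burst of registration attempts within a time window. The sample lines are constructed to mirror the posted ones (the binary junk between "From:" and "REGISTER" is abbreviated, and X.X.X.40 is kept as the thread's own placeholder for the resolver's public IP); the year, the 10-minute window and the threshold of 100 attempts are assumptions chosen for the example.

```python
"""Flag bursts of SIP REGISTER attempts that show up as decoded 'pf:' syslog lines.

Added example; not code from the thread or from pfSense/Netgate.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tail of a decoded SIP request as it appears in the posted pf log output. The user part can
# carry junk (the thread shows "yamoley who?"), so it is matched non-greedily up to the '@'.
SIP_REGISTER_RE = re.compile(r"REGISTER sip:(?P<user>.*?)@(?P<host>\S+) SIP/2\.0")

# Syslog header as in the posted full_message field: optional <PRI>, "Mon D HH:MM:SS", then "pf:".
SYSLOG_PF_RE = re.compile(
    r"^(?:<\d+>)?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) pf: "
)

EPOCH = datetime(1970, 1, 1)


def parse_pf_sip_register(line, year=2020):
    """Return (timestamp, user, host) for a pf line carrying a decoded SIP REGISTER, else None.

    Syslog timestamps have no year; `year` is an assumption supplied by the caller.
    """
    hdr = SYSLOG_PF_RE.match(line)
    if hdr is None:
        return None
    sip = SIP_REGISTER_RE.search(line)
    if sip is None:
        return None
    ts = datetime.strptime(f"{year} {hdr['mon']} {hdr['day']} {hdr['time']}", "%Y %b %d %H:%M:%S")
    return ts, sip["user"], sip["host"]


def sip_register_bursts(lines, window_seconds=600, threshold=100):
    """Count REGISTER attempts per target host in fixed windows and return
    (host, window_start, count) for every window at or above `threshold`, busiest first."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_pf_sip_register(line)
        if parsed is None:
            continue  # not a decoded SIP REGISTER (e.g. an ordinary DNS log line)
        ts, _user, host = parsed
        # Align windows on multiples of window_seconds since the epoch (no timezone involved).
        elapsed = int((ts - EPOCH).total_seconds())
        window_start = EPOCH + timedelta(seconds=elapsed - elapsed % window_seconds)
        counts[(host, window_start)] += 1
    hits = [(host, start, n) for (host, start), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda hit: hit[2], reverse=True)


def constructed_sample_logs():
    """Constructed sample lines modelled on the thread's output; not captured data."""
    lines = [
        # Shaped like the posted lines, with the binary payload abbreviated.
        '<134>Jan 6 17:50:57 pf: From: "yn2mb7"<sip:yn2mb7@x.x.3p3\\0xcb...REGISTER sip:yn9oir@X.X.X.40 SIP/2.0',
        '<134>Jan 6 17:50:57 pf: From: "yfxkhm"<sip:yfxkhm@x.x.3p3\\0xcb...REGISTER sip:yio4r1@X.X.X.40 SIP/2.0',
        '<134>Jan 6 17:50:58 pf: REGISTER sip:yamoley who?@X.X.X.40 SIP/2.0',
        # A benign line that must not match (constructed DNS query towards the resolver).
        '<134>Jan 6 17:50:58 pf: 10.0.1.5.53012 > X.X.X.40.53: 1234+ A? example.net. (29)',
        # A second target with only two attempts, which stays below the threshold.
        '<134>Jan 6 17:55:01 pf: REGISTER sip:abc@X.X.X.41 SIP/2.0',
        '<134>Jan 6 17:55:02 pf: REGISTER sip:def@X.X.X.41 SIP/2.0',
    ]
    # 120 further attempts against X.X.X.40 spread over 17:51:00-17:52:59.
    for i in range(120):
        lines.append(f"<134>Jan 6 17:{51 + i // 60}:{i % 60:02d} pf: REGISTER sip:u{i}@X.X.X.40 SIP/2.0")
    return lines


if __name__ == "__main__":
    for host, start, n in sip_register_bursts(constructed_sample_logs()):
        print(f"{start:%b %d %H:%M} {host}: {n} SIP REGISTER attempts in 10 minutes")
```

    Run against a real export, the same two functions work on the full_message field of each entry; the parser only keys on the syslog header and the trailing "REGISTER sip:...@host SIP/2.0", so the decoded binary in between does not matter. A window count far above normal for a host that does not run SIP at all (as with the resolver in this thread) is the signal to confirm that the blocking rules for that address are actually matching.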

