[VOIPSEC] VoIP Blacklisting Reintroduced
J. Oquendo
sil at infiltrated.net
Fri Jan 14 10:21:04 CST 2011
Here goes, so, after fiddling around, tinkering with different lists and
mechanisms to do this, I settled on something similar to Shadowserver's
list of baddies. I now re-introduce the VoIP Abuse Blacklist (VABL how
original eh?).
http://infiltrated.net/index.php?option=com_content&view=article&id=17&Itemid=23
The VoIP Abuse Blacklist has been a work in progress as I sought a
mechanism to document attackers. With that said, the new layout will
hopefully be more beneficial to PBX administrators. Rather than reinvent
wheels, VABL looks up an attacker's information via Shadowserver's
lookup and appends three new fields: type of attacker, address and the
letters VABL (in case someone wants to backtrack and say: who the fsck
listed me!@) and a number dialed (when appropriate).
The type of attacker field may make the biggest difference to those who
decide to use this list. There are two specific entries that will
appear: BRU, ADN and COM. BRU means that the host attempted to
bruteforce a PBX while COM signifies that the attacker managed to
compromise either a honeypot or a live machine. ADN is when an attacker
places a call and is short for Attacker Dialing Numbers. Whenever you
see an entry with ADN, there will be an additional field at the end with
the number dialed by the attacker appended to it.
List in progress
http://infiltrated.net/vabl.txt
So far I've managed to parse out 2 days from one machine; now I have an
option: go back and mangle out all data, or start from scratch. I choose
to start this list from scratch, as we can never cry about spilled milk.
I'll definitely do my best to keep this up to date. I believe the ADN
and COM would make most sense to admins/engineers, etc. Sample output:
221.130.119.174 | BRU | VABL | 9808 | 221.130.119.0/24 | CMNET | CN | MINTEL.COM | CHINA MOBILE COMMUNICATIONS CORPORATION
41.232.96.220 | ADN | VABL | 8452 | 41.232.96.0/22 | TE | EG | TEDATA.NET | AFRINIC | 011251912121891
60.172.230.110 | COM | VABL | 4134 | 60.168.0.0/13 | CHINANET | CN | CNDATA.COM | CHINANET ANHUI PROVINCE NETWORK
Notice the second entry... Idjit in Egypt coming from 41.232.96.220
compromised a honeypot and used it to call 011251912121891. Sadly, he was
only able to get ahold of Les Grossman.
; Honeypot dialplan (extensions.conf): log the caller in the background, then
; play the three "phorensix" recordings with short silences in between.
exten => s,1,System(/usr/sbin/phorensix&)
exten => s,2,Background(silence/2)
exten => s,3,Playback(phorensix1)
exten => s,4,Background(silence/2)
exten => s,5,Playback(phorensix2)
exten => s,6,Background(silence/2)
exten => s,7,Playback(phorensix3)
exten => s,8,Background(silence/1)
exten => s,9,Hangup()
http://infiltrated.net/phunwithhoneypots/phorensix1.wav
http://infiltrated.net/phunwithhoneypots/phorensix2.wav
http://infiltrated.net/phunwithhoneypots/phorensix3.wav
(Hey I get bored too you know)
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT
"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
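Added example (not part of the original post, nor the VABL project's own code): a small parser for the VABL line format as the post describes it, using the three sample entries above as constructed input. The field order (ip, attack type, VABL tag, ASN, prefix, AS name, country, domain, organisation, and for ADN entries a trailing dialed number) is an assumption read off the sample lines; the parser rejects lines that do not fit it, checks that each address actually falls inside its announced prefix, and turns the COM/ADN entries into firewall rules for the SIP signalling port.

```python
"""Parser for the VoIP Abuse Blacklist (VABL) line format quoted in the post.

Assumed layout, read off the three sample lines (not documented by the project):
  ip | type | VABL | ASN | prefix | AS name | country | domain | organisation [| dialed number]
The trailing dialed-number field is only present for ADN entries.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the three entries quoted in the post, one per line,
# plus one deliberately malformed line to exercise rejection.
SAMPLE_VABL = """\
221.130.119.174 | BRU | VABL | 9808 | 221.130.119.0/24 | CMNET | CN | MINTEL.COM | CHINA MOBILE COMMUNICATIONS CORPORATION
41.232.96.220 | ADN | VABL | 8452 | 41.232.96.0/22 | TE | EG | TEDATA.NET | AFRINIC | 011251912121891
60.172.230.110 | COM | VABL | 4134 | 60.168.0.0/13 | CHINANET | CN | CNDATA.COM | CHINANET ANHUI PROVINCE NETWORK
not-an-ip | BRU | VABL | 1 | 10.0.0.0/8 | X | XX | X.NET | BROKEN
"""

# Attack-type codes as defined in the post.
ATTACK_TYPES = {
    "BRU": "brute-force attempt against a PBX",
    "COM": "compromised a honeypot or live machine",
    "ADN": "attacker dialing numbers (dialed number appended)",
}


@dataclass(frozen=True)
class VablEntry:
    ip: str
    attack_type: str
    asn: int
    prefix: str
    as_name: str
    country: str
    domain: str
    organisation: str
    dialed_number: Optional[str] = None


def parse_line(line: str) -> VablEntry:
    """Parse one VABL line; raise ValueError on anything that does not fit the layout."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) not in (9, 10):
        raise ValueError(f"expected 9 or 10 fields, got {len(fields)}")
    ip, attack_type, tag, asn, prefix, as_name, country, domain, org = fields[:9]
    if tag != "VABL":
        raise ValueError("missing VABL source tag")
    if attack_type not in ATTACK_TYPES:
        raise ValueError(f"unknown attack type {attack_type!r}")
    if not asn.isdigit():
        raise ValueError(f"ASN is not numeric: {asn!r}")
    address = ipaddress.ip_address(ip)  # raises ValueError for garbage
    network = ipaddress.ip_network(prefix, strict=False)
    if address not in network:
        raise ValueError(f"{ip} is outside its announced prefix {prefix}")
    dialed = None
    if len(fields) == 10:
        if attack_type != "ADN":
            raise ValueError("dialed-number field is only allowed on ADN entries")
        dialed = fields[9]
        if not dialed.isdigit():
            raise ValueError(f"dialed number is not numeric: {dialed!r}")
    return VablEntry(str(address), attack_type, int(asn), str(network),
                     as_name, country, domain, org, dialed)


def parse_vabl(text: str) -> Tuple[List[VablEntry], List[str]]:
    """Parse a whole list; return (accepted entries, rejected raw lines)."""
    entries, rejected = [], []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        try:
            entries.append(parse_line(raw))
        except ValueError:
            rejected.append(raw)
    return entries, rejected


def select_ips(entries: List[VablEntry], types: Tuple[str, ...] = ("COM", "ADN")) -> List[str]:
    """Unique attacker IPs of the chosen types, sorted numerically.
    Defaults to the two types the post says matter most to admins."""
    chosen = {e.ip for e in entries if e.attack_type in types}
    return sorted(chosen, key=ipaddress.ip_address)


def dialed_numbers(entries: List[VablEntry]) -> Dict[str, Optional[str]]:
    """Map attacker IP -> number dialed, for ADN entries only."""
    return {e.ip: e.dialed_number for e in entries if e.attack_type == "ADN"}


def iptables_drop_rules(ips: List[str]) -> List[str]:
    """Render one iptables DROP rule per address for SIP over UDP/5060."""
    return [f"iptables -A INPUT -s {ip} -p udp --dport 5060 -j DROP" for ip in ips]


if __name__ == "__main__":
    accepted, bad = parse_vabl(SAMPLE_VABL)
    for e in accepted:
        print(f"{e.ip:16} {e.attack_type} ({ATTACK_TYPES[e.attack_type]}) "
              f"{e.country} dialed={e.dialed_number}")
    print("rejected lines:", len(bad))
    print("\n".join(iptables_drop_rules(select_ips(accepted))))
```

The prefix check is the useful part for a list consumer: a line whose address does not sit inside the prefix Shadowserver returned for it is most likely a wrapped or corrupted line, and silently dropping it is safer than blocking the wrong address.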