Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Is it a SIP Recon scan or something else InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Is it a SIP Recon scan or something else

Published: 2006-10-07
Last Updated: 2006-10-07 21:01:48 UTC
by Deborah Hale (Version: 1)
0 comment(s)
It seems that there have been some reports of calls on SIP devices over the last couple of days with a caller ID of ?John Doe <4000>?.

According to an article on freePBX.org's blog site FreePBX :

"This does seem to be a world first - It?s someone, or something, actively scanning the entire internet for misconfigured SIP devices."

Is someone or something testing for a hole or are they checking for systems that are vulnerable to some exploit? According to article SIP uses port 5060.  A quick look at the DShield report for port 5060 Dshield.org there has been some activity on this port but nothing significant.  It will be interesting to see just how wide spread this is.  If you are using an SIP device and have seen this activity on your system let us know. If you have any thoughts or ideas regarding this activity tell us about it.

Thanks to Babak for sending us this information.



Keywords:
0 comment(s)
Diary Archives