sipvicious

Jamie Mackenzie

Oct 7, 2012, 5:25:35 PM
to hackerspac...@googlegroups.com
Hi guys,

Does anybody know anything about "sipvicious"?

I have a VoIP phone and it rang this morning at 2:40am.  The caller id showed up as sipvicious and when the call was answered there was nobody there.

I did a little googling and I don't think it's much to worry about, but thought I'd ask here to see if anybody knew anything more about it?

Scott B

Oct 7, 2012, 6:27:53 PM
to hackerspac...@googlegroups.com
we had the same thing happen this morning, came up as 'suspicious 100' or something like that....

was rather annoying though, as we had left a handset in the daughter's room, so she woke up screaming when it went off next to her cot. she was back asleep in about 2 minutes, but I couldn't get back to sleep for ages =(

Dylan Sale

Oct 7, 2012, 6:35:10 PM
to hackerspac...@googlegroups.com

Sounds like a pun on Sid Vicious.

--
You received this message because you are subscribed to the Google Groups "HackerSpace - Adelaide, South Australia" group.
To view this discussion on the web visit https://groups.google.com/d/msg/hackerspace-adelaide/-/hraWpGVFHwoJ.
To post to this group, send email to hackerspac...@googlegroups.com.
To unsubscribe from this group, send email to hackerspace-adel...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/hackerspace-adelaide?hl=en.

Kapheroph

Oct 7, 2012, 6:41:52 PM
to hackerspac...@googlegroups.com
Hey mate,

It's been a while since I've used it in a pen test but it was probably just a random scan. Not really much to worry about unless it becomes a frequent attack.

No doubt you stumbled across the project's landing page:
http://blog.sipvicious.org/
You could check for updates on your device's firmware or tune the network's NIDS/NIPS if you are running such software/hardware on your network, but again I wouldn't worry about it unless the calls are so frequent it results in a denial of service.

Hit me up on chat if you have any further worries.

Cheers.



Jamie Mackenzie

Oct 7, 2012, 6:54:50 PM
to hackerspac...@googlegroups.com
Hey,

I thought you might know about this :)

Cheers for the reassurance. 

Is it weird that Scott and I both were hit on the same night?

Scott B

Oct 7, 2012, 7:23:53 PM
to hackerspac...@googlegroups.com
are you with Adam also? probably just scrolling through the IP addresses and we are in a similar range.


Kapheroph

Oct 7, 2012, 7:25:53 PM
to hackerspac...@googlegroups.com
> Is it weird that Scott and I both were hit on the same night?
 
If you both have the same service provider and share similar network block addresses (IP range) then no. It may be worth sharing connection and service provider details off-list to see if this is in fact the case, however. To illustrate, here is an example of Svmap's (part of the sipvicious tool chain) usage:


Usage: svmap.py [options] host1 host2 hostrange
examples:
svmap.py 10.0.0.1-10.0.0.255 \
> 172.16.131.1 sipvicious.org/22 10.0.1.1/24 \
> 1.1.1.1-20 1.1.2-20.* 4.1.*.*
svmap.py -s session1 --randomize 10.0.0.1/8
svmap.py --resume session1 -v
svmap.py -p5060-5062 10.0.0.3-20 -m INVITE


Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -v, --verbose         Increase verbosity
  -q, --quiet           Quiet mode
  -s NAME, --save=NAME  save the session. Has the benefit of allowing you to
                        resume a previous scan and allows you to export scans
  --resume=NAME         resume a previous scan
  --randomscan          Scan random IP addresses
  -i scan1, --input=scan1
                        Scan IPs which were found in a previous scan. Pass the
                        session name as the argument
  -p PORT, --port=PORT  Destination port or port ranges of the SIP device - eg
                        -p5060,5061,8000-8100
  -P PORT, --localport=PORT
                        Source port for our packets
  -x IP, --externalip=IP
                        IP Address to use as the external ip. Specify this if
                        you have multiple interfaces or if you are behind NAT
  -b BINDINGIP, --bindingip=BINDINGIP
                        By default we bind to all interfaces. This option
                        overrides that and binds to the specified ip address
  -t SELECTTIME, --timeout=SELECTTIME
                        Timeout for the select() function. Change this if
                        you're losing packets
  -c, --enablecompact   enable compact mode. Makes packets smaller but
                        possibly less compatable
  -m METHOD, --method=METHOD
                        Specify the request method - by default this is
                        OPTIONS.
  -R, --reportback      Send the author an exception traceback. Currently
                        sends the command line parameters and the traceback
  --randomize           Randomize scanning instead of scanning consecutive ip
                        addresses

So, you can gather that if you guys are in the same range then the scan would have flagged you both as having service ports open. If not, then still no real cause for alarm unless it happens again, which would mean it is becoming less automated and you both have interesting ports and devices hanging off of your ingress points.

Besides, any extensions you guys have in place have reqauth set, right? ;)

Ryan Leach

Oct 7, 2012, 7:38:31 PM
to hackerspac...@googlegroups.com
http://forums.whirlpool.net.au/archive/1977342

There's a way to set your firewall so only calls through your service provider go through (if that's what you want!)

Seems this has been happening for a while.
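
An added example, not part of any post in this thread and not code from the sipvicious project: a minimal Python check of the kind the NIDS tuning and provider-only firewall suggestions above point at. It flags SIP requests that do not come from the provider or that carry the scanner's markers, including the compact header form that `-c` produces. The provider network, the sample datagrams and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: the provider's SIP proxies sit in this block (constructed, documentation range).
PROVIDER_NETS = [ipaddress.ip_network("203.0.113.0/28")]
# "sipvicious" is the caller ID from the thread; "friendly-scanner" is the tool's default User-Agent.
SCANNER_MARKS = re.compile(r"sipvicious|friendly-scanner", re.IGNORECASE)
# SIP compact header names, as sent when svmap runs with -c / --enablecompact.
COMPACT = {"f": "from", "t": "to", "v": "via", "i": "call-id", "m": "contact"}

def parse_sip(datagram):
    """Return (method, headers); header names lower-cased, compact forms expanded."""
    lines = datagram.split("\r\n\r\n", 1)[0].split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            name = name.strip().lower()
            headers[COMPACT.get(name, name)] = value.strip()
    return method, headers

def classify(src_ip, datagram):
    """List the reasons a SIP request looks like scanner traffic; empty means clean."""
    method, headers = parse_sip(datagram)
    reasons = []
    if not any(ipaddress.ip_address(src_ip) in net for net in PROVIDER_NETS):
        reasons.append("source-not-provider")
    for field in ("from", "user-agent"):
        if SCANNER_MARKS.search(headers.get(field, "")):
            reasons.append("scanner-mark:" + field)
    if reasons and method == "INVITE":
        reasons.append("rings-handset")  # an INVITE is what makes the phone ring
    return reasons

# Constructed sample datagrams (not captured traffic).
PROBE = ("OPTIONS sip:100@192.0.2.10 SIP/2.0\r\n"
         'From: "sipvicious"<sip:100@1.1.1.1>;tag=abc\r\n'
         "User-Agent: friendly-scanner\r\n\r\n")
COMPACT_INVITE = ("INVITE sip:100@192.0.2.10 SIP/2.0\r\n"
                  'f: "sipvicious"<sip:100@1.1.1.1>;tag=abc\r\n\r\n')
LEGIT = ("INVITE sip:user@192.0.2.10 SIP/2.0\r\n"
         'From: "Alice"<sip:alice@example.net>;tag=1\r\n'
         "User-Agent: ExampleProxy\r\n\r\n")

if __name__ == "__main__":
    for src, msg in (("198.51.100.7", PROBE), ("198.51.100.7", COMPACT_INVITE),
                     ("203.0.113.5", LEGIT)):
        print(src, classify(src, msg))
```

The source-address check is the one that matters for the firewall rule; the string markers are trivially changed by whoever runs the scan and only help with labelling the noise.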

Jamie Mackenzie

Oct 7, 2012, 8:16:10 PM
to hackerspac...@googlegroups.com
Yeh, I think that's what must be happening.  I'm with Adam too.  I reset my router this morning so that it might put me on a different network range/block.

Cheers Ryan.  I found that this morning too.  If I get another early morning call I'll do what it says.

I finished reading the Underground book about the early exploits of Aussie computer hackers the other week (great read!) and was watching the TV movie last night too, so I'm probably hyper paranoid :)
