Re: Opal Telecom IP address in logs

Discussion in 'UK VOIP' started by Theo Markettos, Nov 6, 2008.

  1. Jono <> wrote:
    > Hello,
    >
    > Anyone help me understand why, in the slightly inadequate logs of my
    > router, I might have an Opal Telecom IP address (78.150.205.141) as an
    > accepted inbound connection on port 5065?
    >
    > 5065 is part of a range forwarded to my Asterisk server.


    VOIP attack?
    http://www.ipcom.at/index.php?id=565

    Since SIP is UDP it's easy to fake the originator's address.

    Theo
    Theo Markettos, Nov 6, 2008
    #1

  2. Jono <> wrote:
    > Is there something I can type at the CLI to discover things?
    >
    > Netstat -a doesn't yield anything significant.


    If you want to keep an eye on what happens in future, try
    asterisk -r -vvvv -dddd
    (alter the number of vs and ds to taste)
    That'll open a console and log to it. You can also tweak asterisk's
    logger.conf if you want this on all the time and logged to a file.

    Whether there's anything in the logs will depend on what it was set to in
    the past, but try looking in /var/log/asterisk

    There's not much to see on the router unless you want to set up your
    firewall rules to log incoming SIP packets. netstat will only show a UDP
    socket listening; because UDP is connectionless it doesn't know about any
    open connections. But if it's going through NAT the masquerading table may
    have a record until the connection expires (minutes, probably).

    Theo
    Theo Markettos, Nov 6, 2008
    #2

  3. In article <>,
    Jono <> wrote:
    >on 06/11/2008, Theo Markettos supposed :
    >> Jono <> wrote:
    >>> Hello,
    >>>
    >>> Anyone help me understand why, in the slightly inadequate logs of my
    >>> router, I might have an Opal Telecom IP address (78.150.205.141) as an
    >>> accepted inbound connection on port 5065?
    >>>
    >>> 5065 is part of a range forwarded to my Asterisk server.

    >>
    >> VOIP attack?
    >> http://www.ipcom.at/index.php?id=565
    >>
    >> Since SIP is UDP it's easy to fake the originator's address.
    >>
    >> Theo

    >
    >Hmm.
    >
    >Is there something I can type at the CLI to discover things?
    >
    >Netstat -a doesn't yield anything significant.


    On the asterisk box, you can start to run tcpdump (or tshark),
    so use sip show peers at the asterisk cli to get their ip addresses,
    then something like:

    tcpdump -n not host 1.2.3.4 and not host 3.4.5.6

    where those IP addresses are known IP addresses (given by sip show
    peers)

    Then you'll see all traffic that's not from sites you know. You'll see
    lots of other stuff too - lots of broadcasts from other machines on your
    LAN which if you know them, you can start to filter out with more

    and not host n.n.n.n

    etc.

    Gordon
    Gordon Henderson, Nov 6, 2008
    #3
  4. In article <>,
    Jono <> wrote:
    >Gordon Henderson formulated on Thursday :
    >> In article <>,
    >> Jono <> wrote:
    >>> on 06/11/2008, Theo Markettos supposed :
    >>>> Jono <> wrote:
    >>>>> Hello,
    >>>>>
    >>>>> Anyone help me understand why, in the slightly inadequate logs of my
    >>>>> router, I might have an Opal Telecom IP address (78.150.205.141) as an
    >>>>> accepted inbound connection on port 5065?
    >>>>>
    >>>>> 5065 is part of a range forwarded to my Asterisk server.
    >>>>
    >>>> VOIP attack?
    >>>> http://www.ipcom.at/index.php?id=565
    >>>>
    >>>> Since SIP is UDP it's easy to fake the originator's address.
    >>>>
    >>>> Theo
    >>>
    >>> Hmm.
    >>>
    >>> Is there something I can type at the CLI to discover things?
    >>>
    >>> Netstat -a doesn't yield anything significant.

    >>
    >> On the asterisk box, you can start to run tcpdump (or tshark),
    >> so use sip show peers at the asterisk cli to get their ip addresses,
    >> then something like:
    >>
    >> tcpdump -n not host 1.2.3.4 and not host 3.4.5.6
    >>
    >> where those IP addresses are known IP addresses (given by sip show
    >> peers)
    >>
    >> Then you'll see all traffic that's not from sites you know. You'll see
    >> lots of other stuff too - lots of broadcasts from other machines on your
    >> LAN which if you know them, you can start to filter out with more
    >>
    >> and not host n.n.n.n

    >
    >Thanks....getting there.
    >
    >Why isn't there an opposite of NOT in this case?....or is there?


    Well yes, you just drop 'not' ... But it depends on what you're looking
    for - if you're looking for a known IP address then just put in there:

    host 1.2.3.4

    if you're looking for things you don't know, then you need to eliminate
    things you do know about first, so:

    not net 192.168.1.0/24

    will make it ignore your local network (if it's 192.168.1.0/24) and so
    on. (actually a very good thing if you're looking for remote stuff
    connecting in)

    So:

    tcpdump -n not net 192.168.1.0/24 and not host 81.31.100.110

    where 81.31.100.110 is the IP of a "known" peer will show up everything
    else.

    Check the manuals for more runes - the matching stuff works with both
    tcpdump and tshark (or wireshark)

    Gordon
    Gordon Henderson, Nov 7, 2008
    #4
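    The same "not net ... and not host ..." idea as Gordon's tcpdump filters,
    applied after the fact to saved tcpdump output. This is an added example
    for this thread, not code from any poster: it parses tcpdump -n lines
    (numeric ports are required, the -v header block is skipped), drops
    everything from the LAN and from the peers that "sip show peers" lists,
    counts what is left per local port, and pairs each inbound datagram with
    a later ICMP "port unreachable" from the target back to the sender. The
    capture text is constructed in tcpdump's format; 78.148.10.15,
    78.150.205.141, 81.31.100.110, 192.168.3.2 and port 5065 are the
    addresses named in the thread, while the LAN phone 192.168.3.20 and the
    remote source ports are assumed.

```python
"""Post-hoc 'not net ... and not host ...' filtering over tcpdump -n output.

Added example for this thread, not code from any poster. SAMPLE_CAPTURE is
constructed in tcpdump -n format; the LAN host 192.168.3.20 and the remote
source ports are assumptions.
"""
import ipaddress
import re
from collections import Counter

# UDP datagram line as printed by tcpdump -n; -v inserts a parenthesised block
# of IP-header fields after "IP", which the optional group skips, e.g.
# 19:29:21.284879 IP 78.148.10.15.5060 > 192.168.3.2.5065: UDP, length 663
UDP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?:\(.*?\) )?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)"
)

# ICMP "port unreachable" the kernel sends back when nothing listens, e.g.
# 19:29:21.348057 IP 192.168.3.2 > 78.148.10.15: ICMP 192.168.3.2 udp port 5065 unreachable, length 556
ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?:\(.*?\) )?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): ICMP "
    r"\d+\.\d+\.\d+\.\d+ udp port (?P<port>\d+) unreachable"
)

# Constructed sample capture (tcpdump -n style); not the thread's real output.
SAMPLE_CAPTURE = """\
19:29:21.284879 IP 78.148.10.15.5060 > 192.168.3.2.5065: UDP, length 663
19:29:21.348057 IP 192.168.3.2 > 78.148.10.15: ICMP 192.168.3.2 udp port 5065 unreachable, length 556
19:29:22.010412 IP 192.168.3.20.5060 > 192.168.3.2.5060: UDP, length 412
19:29:23.502211 IP 81.31.100.110.5060 > 192.168.3.2.5060: UDP, length 520
19:29:23.504890 IP 192.168.3.2.5060 > 81.31.100.110.5060: UDP, length 380
19:29:25.917003 IP 78.150.205.141.5060 > 192.168.3.2.5065: UDP, length 663
"""


def parse_line(line):
    """Return a dict for a UDP datagram or an ICMP port-unreachable line, else None."""
    m = UDP_RE.match(line)
    if m:
        return {"kind": "udp", "ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]), "length": int(m["length"])}
    m = ICMP_RE.match(line)
    if m:
        return {"kind": "icmp_unreachable", "ts": m["ts"], "src": m["src"],
                "dst": m["dst"], "port": int(m["port"])}
    return None


def is_known(addr, known_hosts, local_nets):
    """The 'host X' / 'net Y' half of the filter: a listed peer or a LAN address."""
    ip = ipaddress.ip_address(addr)
    return addr in known_hosts or any(ip in ipaddress.ip_network(n) for n in local_nets)


def unknown_inbound(capture, local_addr, known_hosts, local_nets):
    """Inbound UDP to local_addr from sources that are neither peers nor LAN.

    Same selection as
    'tcpdump -n dst host <local_addr> and not net <lan> and not host <peer>';
    returns a Counter keyed by (source address, local port)."""
    hits = Counter()
    for line in capture.splitlines():
        pkt = parse_line(line)
        if (pkt and pkt["kind"] == "udp" and pkt["dst"] == local_addr
                and not is_known(pkt["src"], known_hosts, local_nets)):
            hits[(pkt["src"], pkt["dport"])] += 1
    return hits


def rejected_probes(capture):
    """Pair each inbound datagram with a later ICMP port-unreachable sent from
    its target back to its sender. A match means nothing was listening on that
    port: the datagram was refused by the kernel, not handed to Asterisk."""
    pending = {}
    rejected = []
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["kind"] == "udp":
            pending[(pkt["src"], pkt["dst"], pkt["dport"])] = pkt["ts"]
        elif pending.pop((pkt["dst"], pkt["src"], pkt["port"]), None) is not None:
            rejected.append((pkt["dst"], pkt["port"]))
    return rejected


if __name__ == "__main__":
    unknown = unknown_inbound(SAMPLE_CAPTURE, "192.168.3.2",
                              known_hosts={"81.31.100.110"}, local_nets=["192.168.3.0/24"])
    for (src, port), n in unknown.items():
        print(f"unknown source {src} -> udp/{port}: {n} datagram(s)")
    for src, port in rejected_probes(SAMPLE_CAPTURE):
        print(f"{src} got ICMP port unreachable for udp/{port}: nothing listening there")
```

    Feed it "tcpdump -n -l" output saved to a file; with the -v form the
    parenthesised header block is skipped, but port names (ca-2, epnsdp)
    are not resolved, so -n is needed.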
  5. Jono wrote:

    > Thanks....
    >
    > A different Opal Telecom IP has appeared (78.148.10.15).
    >
    > ...what can I glean from this..?
    >
    > root@pbx:~ $ tcpdump -v host 78.148.10.15
    > tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
    > 96 bytes


    > 19:29:21.284879 IP (tos 0xa0, ttl 49, id 0, offset 0, flags [DF],
    > proto: UDP (17), length: 691) 78.148.10.15.epnsdp > 192.168.3.2.ca-2: UDP,
    > length 663


    78.148.10.15 is trying to send data to your port 5065.

    > 19:29:21.348057 IP (tos 0xc0, ttl 64, id 43954, offset 0, flags
    > [none], proto: ICMP (1), length: 576) 192.168.3.2 > 78.148.10.15: ICMP
    > 192.168.3.2 udp port ca-2 unreachable, length 556 IP (tos 0xa0, ttl 49,
    > id 0, offset 0, flags [DF], proto: UDP (17), length: 691)
    > 78.148.10.15.epnsdp > 192.168.3.2.ca-2: UDP, length 663[|icmp]


    No can do, Mr 78.148.10.15. The whole sequence is then repeated twice. You
    might do better by writing to a file [-w] then opening it up in Wireshark.
    You might want to add -s 0, then you can get the entire packet. There might
    even be some SIP headers in it. OTOH, are you sure that port 5065 isn't
    some commonly used P2P port, and you're being innocently probed by other
    peers?

    --
    <http://ale.cx/> (AIM:troffasky) ()
    23:24:50 up 23 days, 4:15, 1 user, load average: 0.00, 0.01, 0.02
    They call me titless because I have no tits
    alexd, Nov 7, 2008
    #5
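    What a full-size capture (tcpdump -s 0 -w file, then Wireshark, or the
    UDP payload lifted out of the pcap) lets you read out of a datagram like
    the one above: the SIP request line and headers, as alexd suggests. This
    is an added example for this thread, not code from any poster. It splits
    a SIP message into start line, headers (compact names expanded, repeated
    Via lines kept) and body, then summarises who the message claims to come
    from and whether the top Via host agrees with the IP source it arrived
    from. The two payloads are constructed SIP messages; the hosts, tags and
    User-Agent strings in them are made up, and the IP sources 78.148.10.15
    and 81.31.100.110 are the addresses named in the thread.

```python
"""Read SIP request line and headers out of a captured UDP payload.

Added example for this thread, not code from any poster. The payloads below
are constructed; their hosts, tags and User-Agent values are made up.
"""

# Compact header names SIP allows (RFC 3261 section 7.3.3), mapped to full names.
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "m": "contact",
           "l": "content-length", "c": "content-type", "k": "supported", "s": "subject"}

# Constructed: an OPTIONS request of the kind SIP scanners send, whose Via
# host does not match the address the datagram actually arrived from.
SCAN_OPTIONS = (
    b"OPTIONS sip:100@192.168.3.2:5065 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bKconstructed1\r\n"
    b"From: \"x\" <sip:x@10.0.0.5>;tag=c0nstructed1\r\n"
    b"To: <sip:100@192.168.3.2:5065>\r\n"
    b"Call-ID: constructed-1@10.0.0.5\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"User-Agent: constructed-ua/0.1\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed: a REGISTER from a known peer, using compact header names,
# whose Via host matches its IP source.
PEER_REGISTER = (
    b"REGISTER sip:192.168.3.2 SIP/2.0\r\n"
    b"v: SIP/2.0/UDP 81.31.100.110:5060;branch=z9hG4bKconstructed2\r\n"
    b"f: <sip:1001@192.168.3.2>;tag=c0nstructed2\r\n"
    b"t: <sip:1001@192.168.3.2>\r\n"
    b"i: constructed-2@81.31.100.110\r\n"
    b"CSeq: 2 REGISTER\r\n"
    b"l: 0\r\n"
    b"\r\n"
)

NOT_SIP = b"\x00\x01\x02 not a sip message"


def parse_sip(payload):
    """Split a SIP message into start line, headers and body.

    Header names are lower-cased and compact forms expanded; values are kept
    as lists so repeated headers (several Via lines) survive; folded
    continuation lines are joined. Returns None if it is not SIP at all."""
    text = payload.decode("utf-8", errors="replace")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = lines[0].split(" ", 2)
    if len(start) != 3 or "SIP/2.0" not in (start[0], start[2]):
        return None
    headers, last = {}, None
    for raw in lines[1:]:
        if raw[:1] in (" ", "\t") and last is not None:   # folded header
            headers[last][-1] += " " + raw.strip()
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            continue
        last = COMPACT.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(last, []).append(value.strip())
    if start[0] == "SIP/2.0":
        msg = {"kind": "response", "status": start[1], "reason": start[2]}
    else:
        msg = {"kind": "request", "method": start[0], "uri": start[1]}
    msg["headers"], msg["body"] = headers, body
    return msg


def via_sent_by(msg):
    """Host from the topmost Via, e.g. 'SIP/2.0/UDP 10.0.0.5:5060;branch=..' -> '10.0.0.5'."""
    vias = msg["headers"].get("via")
    if not vias:
        return None
    parts = vias[0].split(None, 1)
    if len(parts) < 2:
        return None
    sent_by = parts[1].split(";")[0]
    return sent_by.rsplit(":", 1)[0] if sent_by.count(":") == 1 else sent_by


def summarize(src_ip, payload):
    """One-line view of an inbound datagram: what was asked for, who claims to
    send it (From, Via, User-Agent) and whether the Via host agrees with the
    IP source. A mismatch is normal behind NAT, and, as Theo notes, a UDP
    source address is trivial to forge, so neither value is proof on its own."""
    msg = parse_sip(payload)
    if msg is None:
        return {"src": src_ip, "sip": False}
    h, via_host = msg["headers"], via_sent_by(msg)
    return {"src": src_ip, "sip": True, "method": msg.get("method"), "uri": msg.get("uri"),
            "from": h.get("from", [None])[0], "to": h.get("to", [None])[0],
            "user_agent": h.get("user-agent", [None])[0],
            "via_host": via_host, "via_matches_source": via_host == src_ip}


if __name__ == "__main__":
    for src, payload in (("78.148.10.15", SCAN_OPTIONS), ("81.31.100.110", PEER_REGISTER)):
        print(summarize(src, payload))
```

    The payload bytes come from the pcap's UDP data; the tcpdump -v output
    quoted above already shows the datagram is 663 bytes, so the default
    96-byte snaplen cuts it off after the first line or two.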
  6. Jono wrote:

    > So, it looks like nothing untoward is happening...?


    Without seeing the actual content of the packets, all we can do is
    speculate. The only information we have right now is source/destination
    port/IP address [aka a datagram socket] and the length of the packet.

    --
    <http://ale.cx/> (AIM:troffasky) ()
    22:42:48 up 28 days, 3:33, 1 user, load average: 0.01, 0.04, 0.04
    They call me titless because I have no tits
    alexd, Nov 12, 2008
    #6
