Strange connections to port 5060
Hello,
I have an OpenVZ server. I see from ntop that a host makes connections to port 5060 often and generates huge traffic, but I can't see exactly the IP of the virtual machine that does this; I see the main node's IP instead. I tried to block traffic from/to 5060 with iptables but no luck.
CentOS 6 64bit OpenVZ SolusVM
Thanks
Quote:
Is it one of your own systems, or does it come over the internet? Could you try to sniff the packets and post their headers here?
extra info
Quote:
Thanks!
Wireshark is an easy-to-use tool for this; there is a Gnome UI available for easy use (run it as root). There is a Windows version available as well if you wish to run it from another system (make sure you can sniff the network traffic of the other machine in this case; a good switch would prevent this from being possible).
http://www.wireshark.org/
tcpdump or tshark could be handy and work on the CLI.
Dump file
Quote:
Thank you for your time! The dump:
Code:
OPTIONS sip:XX.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK78b779b6;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0d456b3a
To: <sip:xxx.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 74fac70101d4339d2bdf519d65a575a0@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:16:39 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:xxx.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK78b779b6;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0d456b3a
To: <sip:xxx.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 74fac70101d4339d2bdf519d65a575a0@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:16:39 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK78b779b6;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0d456b3a
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 74fac70101d4339d2bdf519d65a575a0@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:16:39 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK78b779b6;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0d456b3a
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 74fac70101d4339d2bdf519d65a575a0@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:16:39 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK78b779b6;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0d456b3a
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 74fac70101d4339d2bdf519d65a575a0@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:16:39 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK4a74d8f8;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as17b2c995
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 185cd45b4917f47461203fb71795db99@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:16:53 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK4a74d8f8;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as17b2c995
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 185cd45b4917f47461203fb71795db99@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:16:53 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK4a74d8f8;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as17b2c995
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 185cd45b4917f47461203fb71795db99@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:16:53 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK4a74d8f8;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as17b2c995
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 185cd45b4917f47461203fb71795db99@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:16:53 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK4a74d8f8;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as17b2c995
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 185cd45b4917f47461203fb71795db99@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:16:53 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK71313a79;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as7d7bf2f9
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 762d45ea3fd093ec6c24dab86c01b19d@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:17:07 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK71313a79;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as7d7bf2f9
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 762d45ea3fd093ec6c24dab86c01b19d@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:17:07 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK71313a79;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as7d7bf2f9
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 762d45ea3fd093ec6c24dab86c01b19d@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:17:07 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK71313a79;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as7d7bf2f9
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 762d45ea3fd093ec6c24dab86c01b19d@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:17:07 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK71313a79;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as7d7bf2f9
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 762d45ea3fd093ec6c24dab86c01b19d@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:17:07 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0
Add a filter to match the port you care about on the interface you care about. It's the same capture-filter syntax on Wireshark, tcpdump or tshark:
Code:
# SIP signalling in this case is UDP, so do not restrict the filter to tcp
tshark -i eth0 'port 5060'
Code:
Mon Dec 10 14:42:08 2012
UDP 217.23.94.3:5060 --> 188.40.41.144:5060
OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK7b8b21c4;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0c2a70d2
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 694bfd032d1c7a184730b6d54953e578@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:42:05 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0
There you have the culprit.
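As an added example (not code from the thread or any of its posters), here is a small shell/awk triage script for a capture in the one-line-per-packet layout shown above. Per source address it counts requests, distinct Call-IDs (retransmissions of one OPTIONS share a Call-ID, which is why the dump repeats each message several times), the SIP methods seen, and whether any request ever carried a body. A source that only ever sends bodiless OPTIONS matches the qualify/probe pattern in the dump; a source with INVITEs carrying SDP is normal call traffic. The sample packets are constructed with documentation addresses (203.0.113.7, 198.51.100.20, 198.51.100.44), not the real hosts from the thread.

```shell
#!/bin/sh
# Constructed sample capture (documentation addresses, not the thread's hosts),
# in the same "proto src --> dst | flattened SIP message" layout as above.
SAMPLE_CAPTURE=$(cat <<'EOF'
UDP 203.0.113.7:5060 --> 198.51.100.44:5060 | OPTIONS sip:198.51.100.44 SIP/2.0. Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK0a0a0a01;rport. From: "asterisk" <sip:asterisk@203.0.113.7>;tag=as01. To: <sip:198.51.100.44>. Call-ID: c1@203.0.113.7:5060. CSeq: 102 OPTIONS. User-Agent: zte. Content-Length: 0.
UDP 203.0.113.7:5060 --> 198.51.100.44:5060 | OPTIONS sip:198.51.100.44 SIP/2.0. Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK0a0a0a01;rport. From: "asterisk" <sip:asterisk@203.0.113.7>;tag=as01. To: <sip:198.51.100.44>. Call-ID: c1@203.0.113.7:5060. CSeq: 102 OPTIONS. User-Agent: zte. Content-Length: 0.
UDP 203.0.113.7:5060 --> 198.51.100.44:5060 | OPTIONS sip:198.51.100.44 SIP/2.0. Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK0a0a0a02;rport. From: "asterisk" <sip:asterisk@203.0.113.7>;tag=as02. To: <sip:198.51.100.44>. Call-ID: c2@203.0.113.7:5060. CSeq: 102 OPTIONS. User-Agent: zte. Content-Length: 0.
UDP 198.51.100.20:5060 --> 198.51.100.44:5060 | INVITE sip:100@198.51.100.44 SIP/2.0. Via: SIP/2.0/UDP 198.51.100.20:5060;branch=z9hG4bK0b0b0b01;rport. From: <sip:200@198.51.100.20>;tag=bb01. To: <sip:100@198.51.100.44>. Call-ID: c3@198.51.100.20. CSeq: 1 INVITE. Content-Type: application/sdp. Content-Length: 247.
EOF
)

# Read capture lines on stdin; print one summary line per source address.
# Fields: requests, distinct Call-IDs, methods seen, and a verdict:
# "options-probe" when a source only ever sent OPTIONS with an empty body.
sip_request_summary() {
    awk -F' [|] ' '
    {
        split($1, hdr, " ")                      # hdr[2] = "src:port"
        src = hdr[2]; sub(/:[0-9]+$/, "", src)
        split($2, req, " ")                      # req[1] = SIP method
        method = req[1]
        callid = ""
        if (match($2, /Call-ID: [^ ]+/)) {
            callid = substr($2, RSTART + 9, RLENGTH - 9)
            sub(/\.$/, "", callid)               # the trailing "." is the rendered CRLF
        }
        clen = 0                                 # no header counts as an empty body
        if (match($2, /Content-Length: [0-9]+/))
            clen = substr($2, RSTART + 16, RLENGTH - 16) + 0
        requests[src]++
        if (!((src, callid) in seen)) { seen[src, callid] = 1; callids[src]++ }
        if (index("," methods[src], "," method ",") == 0) methods[src] = methods[src] method ","
        if (clen > 0) has_body[src] = 1
    }
    END {
        for (s in requests) {
            m = methods[s]; sub(/,$/, "", m)
            verdict = (m == "OPTIONS" && !(s in has_body)) ? "options-probe" : "normal"
            printf "%s requests=%d callids=%d methods=%s verdict=%s\n", s, requests[s], callids[s], m, verdict
        }
    }' | sort
}

# Just the addresses flagged as probes, one per line (handy for a blocklist).
sip_probe_sources() {
    sip_request_summary | awk '/verdict=options-probe/ { print $1 }'
}

# Usage on a real capture: ngrep/tshark output in this layout | sip_request_summary
printf '%s\n' "$SAMPLE_CAPTURE" | sip_request_summary
```

On the constructed sample this reports 203.0.113.7 with three requests but only two Call-IDs (one retransmission) and nothing but empty OPTIONS, while 198.51.100.20 is a single INVITE with a body and is left alone.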
Quote:
217.23.94.3
188.40.41.144
One of these should be yours then, so you are either from Germany or Russia. But all headers here have a Content-Length of 0, so no real data seems to be sent. The communication at least seems to go:
Quote:
My server is in Germany; I don't have any user from Russia. Maybe someone is trying to hack an Asterisk server? How can I get rid of those requests?
Hacking attempts are always a possibility. In general it's good policy to drop all traffic on a host connected to the internet and only allow incoming traffic as necessary.
Code:
iptables -P INPUT DROP
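A bare `iptables -P INPUT DROP` on a remote box cuts the session you typed it in unless loopback, established flows and your own SSH are allowed first. The added example below (not from the thread or any poster) builds the default-deny ruleset atomically in iptables-restore format, so the allowances and the policy land together, and it shows where the 5060 traffic from a container is actually filtered: on an OpenVZ node the containers' packets are routed through the node, so they pass the FORWARD chain, not INPUT, which is why a rule only in INPUT does nothing for them. SSH_PORT, ADMIN_NET and SUSPECT_CT_IP are assumed placeholders (documentation ranges) to be replaced with the admin network and the compromised container's address.

```shell
#!/bin/sh
# Added example. Placeholder values (ASSUMED, replace before use):
SSH_PORT=22
ADMIN_NET=192.0.2.0/24          # network you administer from (documentation range)
SUSPECT_CT_IP=198.51.100.10     # address of the compromised container (documentation range)

# Emit a complete filter table in iptables-restore format. The INPUT policy
# is DROP, but the allowances are loaded in the same transaction, so applying
# this does not cut the admin's SSH session.
build_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allowances for the node itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp -s $ADMIN_NET --dport $SSH_PORT -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
# Container traffic is routed through the node and is seen in FORWARD, not
# INPUT; stop SIP to and from the suspect container here.
-A FORWARD -s $SUSPECT_CT_IP -p udp --dport 5060 -j DROP
-A FORWARD -s $SUSPECT_CT_IP -p tcp --dport 5060 -j DROP
-A FORWARD -d $SUSPECT_CT_IP -p udp --dport 5060 -j DROP
-A FORWARD -d $SUSPECT_CT_IP -p tcp --dport 5060 -j DROP
COMMIT
EOF
}

# Refuse to hand out a ruleset that would lock the admin out: the DROP policy
# must be accompanied by the SSH allowance and the established-flow rule.
validate_filter_rules() {
    rules=$(build_filter_rules)
    echo "$rules" | grep -q '^:INPUT DROP' || return 1
    echo "$rules" | grep -q -- "-s $ADMIN_NET --dport $SSH_PORT" || return 1
    echo "$rules" | grep -q -- '--state ESTABLISHED,RELATED -j ACCEPT' || return 1
    return 0
}

# Usage: sh rules.sh           prints the ruleset for review
#        sh rules.sh --apply   as root on the node: loads it with iptables-restore
if [ "$1" = "--apply" ]; then
    validate_filter_rules && build_filter_rules | iptables-restore
else
    build_filter_rules
fi
```

Printing first and applying only after `validate_filter_rules` passes is the habit worth keeping on any remote host; the FORWARD rules are scoped to one container address so a legitimate VoIP customer in another container is not cut off along with the compromised one.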
A bit late, but another way would have been to execute commands inside each OpenVZ container. For example netstat:
Code:
# loop over every container ID and run netstat inside each one
# (the loop body was truncated in the original post; reconstructed here from its description)
vzlist -H -octid | while read CTID; do echo "== CT $CTID"; vzctl exec "$CTID" netstat -anp; done
Code:
vzlist -oname,hostname,ip,ostemplate,description
wow!
Quote:
With those commands I found the hacked container right away! Many thanks!!!
Quote:
Like what's the Linux distribution it's running and minimal tool output:
Code:
echo -en '#!/bin/bash --\nps axfwwwe -opid,ppid,gid,uid,cmd 2>&1\nlsof -Pwln 2>&1\nnetstat -anTpe 2>&1\nwho -a 2>&1\n' > /tmp/script.sh