LinuxQuestions.org

Thread: Strange connections to port 5060 (https://www.linuxquestions.org/questions/linux-networking-3/strange-connections-to-port-5060-a-4175440768/)

linuxakias 12-10-2012 02:47 AM

Strange connections to port 5060
 
Hello,

I have an OpenVZ server. I see from ntop that a host makes connections to port 5060 often and makes huge traffic.

But I can't see exactly the IP of the virtual machine that does this; I see the main node's IP instead.


I tried to block traffic from/to 5060 in iptables but no luck.

CentOS 6 64bit
OpenVZ
SolusVM

Thanks

Air-Global 12-10-2012 05:13 AM

Quote:

Originally Posted by linuxakias (Post 4846056)
a host

Could you try to be more specific?
Is it one of your own systems, or does it come over the internet?
Does your system request the connections first, or are they requested from your system?
And how is your virtual machine connected to the network, via NAT or Bridge?
Could you try to sniff the packages and post their headers here?

linuxakias 12-10-2012 05:26 AM

extra infos
 
Quote:

Originally Posted by Air-Global (Post 4846119)
Could you try to be more specific.


Is it one of your own systems, or does it come over the internet?
It came over the internet.

Does your system request the connections first, or are they requested from your system?
How can I find this out?

And how is your virtual machine connected to the network, via NAT or Bridge?
Via NAT.

Could you try to sniff the packages and post their headers here?

What tool may I use to do this?

Thanks!

Air-Global 12-10-2012 06:48 AM

Wireshark is an easy-to-use tool for this; there is a GNOME UI available for easy use (run it as root). There is a Windows version available as well if you wish to run it from another system (make sure you can sniff the network traffic of the other machine in this case; a good switch would prevent this from being possible).

http://www.wireshark.org/

eantoranz 12-10-2012 07:14 AM

tcpdump or tshark could be handy and work on the CLI.

linuxakias 12-10-2012 07:27 AM

Dump file
 
Quote:

Originally Posted by Air-Global (Post 4846194)
Wireshark is an easy-to-use tool for this; there is a GNOME UI available for easy use (run it as root). There is a Windows version available as well if you wish to run it from another system (make sure you can sniff the network traffic of the other machine in this case; a good switch would prevent this from being possible).

http://www.wireshark.org/

Hello again!

Thank you for your time!

The dump
Code:

OPTIONS sip:XX.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK78b779b6;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0d456b3a
To: <sip:xxx.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 74fac70101d4339d2bdf519d65a575a0@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:16:39 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:xxx.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK78b779b6;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0d456b3a
To: <sip:xxx.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 74fac70101d4339d2bdf519d65a575a0@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:16:39 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK78b779b6;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0d456b3a
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 74fac70101d4339d2bdf519d65a575a0@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:16:39 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK78b779b6;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0d456b3a
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 74fac70101d4339d2bdf519d65a575a0@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:16:39 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK78b779b6;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0d456b3a
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 74fac70101d4339d2bdf519d65a575a0@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:16:39 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK4a74d8f8;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as17b2c995
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 185cd45b4917f47461203fb71795db99@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:16:53 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK4a74d8f8;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as17b2c995
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 185cd45b4917f47461203fb71795db99@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:16:53 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK4a74d8f8;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as17b2c995
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 185cd45b4917f47461203fb71795db99@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:16:53 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK4a74d8f8;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as17b2c995
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 185cd45b4917f47461203fb71795db99@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:16:53 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK4a74d8f8;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as17b2c995
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 185cd45b4917f47461203fb71795db99@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:16:53 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK71313a79;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as7d7bf2f9
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 762d45ea3fd093ec6c24dab86c01b19d@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:17:07 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK71313a79;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as7d7bf2f9
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 762d45ea3fd093ec6c24dab86c01b19d@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:17:07 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK71313a79;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as7d7bf2f9
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 762d45ea3fd093ec6c24dab86c01b19d@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:17:07 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK71313a79;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as7d7bf2f9
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 762d45ea3fd093ec6c24dab86c01b19d@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:17:07 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

OPTIONS sip:188.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK71313a79;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as7d7bf2f9
To: <sip:188.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 762d45ea3fd093ec6c24dab86c01b19d@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:17:07 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

eantoranz 12-10-2012 07:30 AM

Add a filter to match the port you care about on the interface you care about... it's the same thing on Wireshark, tcpdump or tshark:

# SIP signalling is usually UDP, so match on the port alone rather than on "tcp and port 5060"
tshark -i eth0 port 5060

linuxakias 12-10-2012 07:42 AM

Mon Dec 10 14:42:08 2012
UDP 217.23.94.3:5060 --> 188.40.41.144:5060 |

OPTIONS sip:188.40.41.144 SIP/2.0.
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK7b8b21c4;rport.
Max-Forwards: 70.
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0c2a70d2.
To: <sip:188.40.41.144>.
Contact: <sip:asterisk@217.23.94.3:5060>.
Call-ID: 694bfd032d1c7a184730b6d54953e578@217.23.94.3:5060.
CSeq: 102 OPTIONS.
User-Agent: zte.
Date: Mon, 10 Dec 2012 13:42:05 GMT.
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH.
Supported: replaces, timer.
Content-Length: 0.

eantoranz 12-10-2012 07:44 AM

There you have the culprit.

Air-Global 12-10-2012 07:45 AM

Quote:

Originally Posted by linuxakias (Post 4846219)
Hello again!

Thank you for your time!

The dump
Code:

OPTIONS sip:XX.40.41.144 SIP/2.0
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK78b779b6;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0d456b3a
To: <sip:xxx.40.41.144>
Contact: <sip:asterisk@217.23.94.3:5060>
Call-ID: 74fac70101d4339d2bdf519d65a575a0@217.23.94.3:5060
CSeq: 102 OPTIONS
User-Agent: zte
Date: Mon, 10 Dec 2012 13:16:39 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

From this I can only read the IPs:
217.23.94.3
188.40.41.144

One of these should be yours then,
so you are either from Germany or Russia.

But all headers here mention a content length of 0, so no real data seems to be sent.

The communication at least seems to go:
Quote:

From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0d456b3a
To: <sip:188.40.41.144>
So from Russia (user asterisk? do you have anything like this?) to Germany (Hetzner Online AG/188.40.41.144)
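
The reading done by hand above (source from Via, From/To direction, one request repeated many times) can be automated. The following is an added example, not code posted in this thread: a shell function that summarizes a saved text dump of SIP requests per sending host, method and User-Agent, counting messages against distinct Call-IDs so that repeats of one request stand out. It goes a little beyond the post: it accepts both the plain dump format above and the ngrep-style format with trailing "." and a "UDP a:port --> b:port" framing line, and any request method, not only OPTIONS. The names sip_summary and demo_summary, and the sample dump with RFC 5737 documentation addresses, are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): summarize a saved text dump of SIP requests.
# Input: one header per line, messages separated by a blank line, as tshark/ngrep text
# output looks. ngrep-style dumps (trailing "." per line, "UDP a:port --> b:port"
# framing line carrying the IP-layer source) are handled as well.
sip_summary() {
    awk '
    BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one message (or framing block) per record
    {
        method = ""; via = ""; ua = ""; callid = ""
        for (i = 1; i <= NF; i++) {
            line = $i
            sub(/\.$/, "", line)   # ngrep prints the CR of each CRLF as "."
            if (line ~ /^(UDP|TCP) [0-9.]+:[0-9]+ --> /) {
                # framing line: IP-layer source; unlike Via this is not text the sender wrote
                split(line, w, " "); split(w[2], h, ":"); ipsrc = h[1]
            } else if (line ~ / SIP\/2\.0$/) {
                split(line, w, " "); method = w[1]   # request line: METHOD URI SIP/2.0
            } else if (line ~ /^Via:/) {
                split(line, w, " "); split(w[3], h, "[:;]"); via = h[1]
            } else if (line ~ /^User-Agent:/) {
                ua = substr(line, index(line, ":") + 2)
            } else if (line ~ /^Call-ID:/) {
                callid = substr(line, index(line, ":") + 2)
            }
        }
        if (method == "") next     # framing-only record, a response, or noise
        key = via SUBSEP method SUBSEP ua
        count[key]++
        if (!((key SUBSEP callid) in seen)) { seen[key SUBSEP callid] = 1; ids[key]++ }
        if (ipsrc != "") { ip[key] = ipsrc; ipsrc = "" }
    }
    END {
        for (k in count) {
            split(k, p, SUBSEP)
            printf "via=%s ip=%s method=%s ua=%s messages=%d call_ids=%d\n",
                   p[1], (ip[k] == "" ? "-" : ip[k]), p[2], p[3], count[k], ids[k]
        }
    }' | sort
}

# Constructed sample dump (documentation addresses, not real traffic): the same OPTIONS
# sent twice, a second OPTIONS, an ngrep-framed third one, and a REGISTER from elsewhere.
SAMPLE_DUMP=$(cat <<'EOF'
OPTIONS sip:198.51.100.5 SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKaaaa;rport
Call-ID: c1@192.0.2.10:5060
User-Agent: zte
Content-Length: 0

OPTIONS sip:198.51.100.5 SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKaaaa;rport
Call-ID: c1@192.0.2.10:5060
User-Agent: zte
Content-Length: 0

OPTIONS sip:198.51.100.5 SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKbbbb;rport
Call-ID: c2@192.0.2.10:5060
User-Agent: zte
Content-Length: 0

Mon Dec 10 14:42:08 2012
UDP 192.0.2.10:5060 --> 198.51.100.5:5060 |

OPTIONS sip:198.51.100.5 SIP/2.0.
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKcccc;rport.
Call-ID: c3@192.0.2.10:5060.
User-Agent: zte.
Content-Length: 0.

REGISTER sip:198.51.100.5 SIP/2.0
Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bKdddd;rport
Call-ID: r1@203.0.113.7
User-Agent: scanner-x
Content-Length: 0
EOF
)

# Run the summary over the constructed sample.
demo_summary() { printf '%s\n' "$SAMPLE_DUMP" | sip_summary; }
```

Run it on a saved capture with sip_summary < dump.txt. The via= column is whatever the sender wrote into its own Via header, so it is only as trustworthy as the sender; the ip= column is filled only where the dump carries the capture tool's framing line with the real IP source, and shows "-" otherwise. Several messages sharing one Call-ID and branch are normally UDP retransmissions of a single request rather than separate probes, which is what the repeated OPTIONS blocks in the dump above look like.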

linuxakias 12-10-2012 08:00 AM

My server is in Germany; I don't have any user from Russia. Maybe someone is trying to hack an Asterisk server? How can I get rid of those requests?

eantoranz 12-10-2012 08:04 AM

Hacking attempts are always a possibility. In general it's good policy to drop all traffic from a host connected to the internet and only allow traffic coming in as necessary.

Code:

# add the ACCEPT rules first (replies to connections this host started, SSH, whatever else you need),
# then switch the policy to DROP, otherwise a remote session is cut off the moment the policy changes
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -s hostineedtoallowin -j ACCEPT
iptables -P INPUT DROP


unSpawn 12-10-2012 08:06 AM

Bit late but another way would have been to execute commands inside each OpenVZ container. For example netstat:
Code:

vzlist -H -octid | while read CTID; do echo $CTID
 vzctl exec $CTID "netstat -antupe|grep :5060"; done

though note it only makes sense if these networked processes are (still) running, or search for processes named "asterisk":
Code:

vzlist -H -octid | while read CTID; do echo $CTID
 vzctl exec $CTID "pgrep -lf asterisk"; done

plus you can use 'vzlist' to enumerate running hosts by any specs you want:
Code:

vzlist -oname,hostname,ip,ostemplate,description
*While you may have no problem with (or contractual stipulations against) any of your clients running them, finding unauthorized SIP / VoIP applications / connections is cause for concern. VoIP billing fraud is not uncommon, basically the "modern" version of the old dial-up trick. While firewall rules may mitigate the situation I'd inspect the container making the calls closely.
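
The container sweep described in this post can be made to report the owning process rather than a raw grep hit. The following is an added example and not unSpawn's code: the vzlist/vzctl loop is the one from the post, but the netstat output is parsed in awk so each line names the container, the socket and the PID/program behind it. The function names flag_sip_sockets, sweep_containers and demo_flag, the container id 101 and the sample netstat lines are constructed for this example; the sweep itself needs an OpenVZ host and is only defined, not run, by the demo.

```shell
#!/bin/sh
# Added example (not unSpawn's code): the per-container sweep from the post, with the
# netstat output parsed in awk so the report names container, socket and owning process.
SIP_PORT=5060

# Read `netstat -antupe` output on stdin and print every socket bound to, or connected
# to, $SIP_PORT. Local/remote addresses are columns 4 and 5 and the PID/program is the
# last column: UDP rows have no State column, so counting later columns from the left breaks.
flag_sip_sockets() {
    awk -v ctid="$1" -v port="$SIP_PORT" '
    $1 ~ /^(tcp|udp)6?$/ {
        if ($4 ~ (":" port "$") || $5 ~ (":" port "$")) {
            n = split($NF, pp, "/")    # "2222/asterisk", or "-" when netstat cannot see the owner
            printf "ctid=%s proto=%s local=%s remote=%s pid=%s prog=%s\n",
                   ctid, $1, $4, $5, pp[1], (n > 1 ? pp[2] : "-")
        }
    }'
}

# Run the parser inside every running container (the loop from the post). Needs the
# OpenVZ host tools, so it is defined here but not executed by the demo below.
sweep_containers() {
    vzlist -H -octid | while read -r CTID; do
        vzctl exec "$CTID" "netstat -antupe" 2>/dev/null | flag_sip_sockets "$CTID"
    done
}

# Constructed sample of what netstat -antupe prints inside one container (not real data).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          9876       1234/sshd
tcp        0      0 10.0.0.5:5060           0.0.0.0:*               LISTEN      0          9900       2222/asterisk
udp        0      0 0.0.0.0:5060            0.0.0.0:*                           0          9901       2222/asterisk
udp        0      0 0.0.0.0:123             0.0.0.0:*                           38         9902       -
udp        0      0 10.0.0.5:4444           203.0.113.9:5060        ESTABLISHED 500        9903       3333/.x'

# Run the parser over the constructed sample as if it came from container 101.
demo_flag() { printf '%s\n' "$SAMPLE_NETSTAT" | flag_sip_sockets 101; }
```

The last sample row is the case worth looking for: a socket that is not listening on 5060 at all but is talking to a remote 5060 from a program with an odd name, which a grep for ":5060" would also catch but would not attribute to a process. A "-" in the prog column means the process is not visible to netstat in that context, not that there is none.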

linuxakias 12-10-2012 08:21 AM

wow!
 
Quote:

Originally Posted by unSpawn (Post 4846242)
Bit late but another way would have been to execute commands inside each OpenVZ container. For example netstat:
Code:

vzlist -H -octid | while read CTID; do echo $CTID
 vzctl exec $CTID "netstat -antupe|grep :5060"; done

though note it only makes sense if these networked processes are (still) running, or search for processes named "asterisk":
Code:

vzlist -H -octid | while read CTID; do echo $CTID
 vzctl exec $CTID "pgrep -lf asterisk"; done

plus you can use 'vzlist' to enumerate running hosts by any specs you want:
Code:

vzlist -oname,hostname,ip,ostemplate,description
*While you may have no problem with (or contractual stipulations against) any of your clients running them, finding unauthorized SIP / VoIP applications / connections is cause for concern. VoIP billing fraud is not uncommon, basically the "modern" version of the old dial-up trick. While firewall rules may mitigate the situation I'd inspect the container making the calls closely.


With those commands I found the hacked container right away! Many thanks!!!

unSpawn 12-10-2012 08:43 AM

Quote:

Originally Posted by linuxakias (Post 4846249)
With those commands I found the hacked container right away! Many thanks!!!

Easy, easy... I would very much like to know what's going on inside that host. Could you post some information?
Like what's the Linux distribution it's running and minimal tool output:
Code:

echo -en '#!/bin/bash --\nps axfwwwe -opid,ppid,gid,uid,cmd 2>&1\nlsof -Pwln 2>&1\nnetstat -anTpe 2>&1\nwho -a 2>&1\n' > /tmp/script.sh
chmod 0755 /tmp/script.sh
# replace "[CTID]" with the actual container Id:
vzctl runscript [CTID] /tmp/script.sh 2>&1 | tee /tmp/output.txt

[EDIT]Oh, and please don't kill or delete anything in the container until it's been looked at.[/EDIT]

