Identification of hack attempts

For the past few days, I've seen (a few) errors on my CLI saying

Failed to authenticate device 'or''='<sip:'or''='@ipofmyserver>;tag=92e0d607

Obviously a hack attempt.

Does anyone know which tool is being used for this attack, or which exploit they are using?


This is not a hack attempt for sure; it can easily be a wrong authentication.
You don’t have to worry about it, because the unauthenticated users can’t make calls through Asterisk…

Enable logging of security events in your logger.conf file, check the source IP of the failed authentication attempts and, if it is not a trusted IP, it is for sure a hacking attempt. This type of attack can be directed using SIPVicious and other tools and scripts available on the WWW.
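As an added example (not from this thread), a small Python parser over constructed lines in the shape of Asterisk's SECURITY log channel, the one a `security => security` line in logger.conf enables: it counts failed SIP authentication events per source IP outside a trusted-network list, which is the check described above. Field names follow the Asterisk security event framework; the addresses, account IDs and timestamps in the sample are constructed.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the shape of Asterisk's SECURITY log channel
# (addresses, account IDs and timestamps are made up for this example).
SAMPLE_LOG = """\
[2024-05-01 10:01:02] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",AccountID="'or''='",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.45/5062"
[2024-05-01 10:01:03] SECURITY[1234] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="SIP",AccountID="1001",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.45/5062"
[2024-05-01 10:02:00] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="1002",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/192.0.2.77/5060"
[2024-05-01 10:02:05] SECURITY[1234] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="SIP",AccountID="1002",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/192.0.2.77/5060"
"""

# Event names that mean an authentication (or ACL) failure in the security event framework.
FAILED_EVENTS = {"InvalidAccountID", "InvalidPassword", "ChallengeResponseFailed", "FailedACL"}
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_security_event(line):
    """Return the key="value" fields of one SECURITY line, or None for any other line."""
    if 'SecurityEvent="' not in line:
        return None
    # AccountID is kept as an opaque string: a value such as 'or''=' is just
    # what the peer sent and is never interpreted, only counted and reported.
    return dict(KV_RE.findall(line))

def remote_ip(fields):
    """RemoteAddress is written as IPV4/UDP/203.0.113.45/5062; the IP is the third part."""
    return fields["RemoteAddress"].split("/")[2]

def failed_auth_by_ip(log_text, trusted_networks):
    """Return (Counter of failures per untrusted source IP, dict IP -> sorted account IDs tried)."""
    trusted = [ip_network(n) for n in trusted_networks]
    counts = Counter()
    accounts = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_security_event(line)
        if not fields or fields.get("SecurityEvent") not in FAILED_EVENTS:
            continue
        ip = remote_ip(fields)
        if any(ip_address(ip) in net for net in trusted):
            continue  # a failure from a trusted phone is more likely a misconfiguration
        counts[ip] += 1
        accounts[ip].add(fields.get("AccountID", ""))
    return counts, {ip: sorted(ids) for ip, ids in accounts.items()}

if __name__ == "__main__":
    failures, tried = failed_auth_by_ip(SAMPLE_LOG, ["192.0.2.0/24"])
    for ip, n in failures.most_common():
        print(f"{ip}: {n} failed auth events, account IDs tried: {tried[ip]}")
```

With the local phone subnet listed as trusted, only the outside address is reported, together with the odd account ID it tried; the misconfigured local phone at 192.0.2.77 is filtered out.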

Frustrated attempts are normal.

The vulnerabilities that the exploits generally attack are external to Asterisk: human error in selecting passwords and failure to block unwanted traffic at the network periphery.

They are basically looking to guess the credentials for a local phone that has the ability to make chargeable outbound calls.

If they succeed you won’t see errors and warnings, just large phone bills.

Thanks for the answers,

Based on the IP, it is obvious to me that it is a hack attempt. What intrigued me is the format of the SIP string sent, which reminds me of some strings used for SQL injection; hence the question: is that a known vulnerability, i.e. use a funky string as SIP identifier and you will get authenticated whatever the password you submit?

You didn’t use “unformatted text” so the string is all mangled in my browser.

Weird, I used it! Here is an image of the string: