rfrome
Beginner

VCS SIP abuse reported

I have a customer that was contacted by a third party with a complaint about their VCS Expressway.

Below is what the third party provided my customer. (I've masked the customer's IP address 205.x.x.x)

Has anyone seen anything such as this? I do not understand how a VCS would be transmitting out in this fashion.

Note: Local timezone is +0100 (CET)

Feb 15 02:01:41 nl-gw snort[817]: [1:2008578:6] ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} 205.x.x.x:5061 -> 62.97.226.34:5060

Feb 15 02:01:41 nl-gw snort[817]: [1:2011716:4] ET SCAN Sipvicious User-Agent Detected (friendly-scanner) [Classification: Attempted Information Leak] [Priority: 2] {UDP} 205.x.x.x:5061 -> 62.97.226.34:5060

thx,

rf
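
Added example, not part of the original post: a Python parser for the two Snort syslog alert lines quoted above, splitting each into sensor host, process and PID, rule ID, and source and destination endpoints. In syslog format the `nl-gw snort[817]` prefix names the host and process that wrote the line; the function names and the `SAMPLE` list are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two alert lines from the post, source IP masked as on the page.
SAMPLE = [
    "Feb 15 02:01:41 nl-gw snort[817]: [1:2008578:6] ET SCAN Sipvicious Scan "
    "[Classification: Attempted Information Leak] [Priority: 2] "
    "{UDP} 205.x.x.x:5061 -> 62.97.226.34:5060",
    "Feb 15 02:01:41 nl-gw snort[817]: [1:2011716:4] ET SCAN Sipvicious User-Agent "
    "Detected (friendly-scanner) [Classification: Attempted Information Leak] "
    "[Priority: 2] {UDP} 205.x.x.x:5061 -> 62.97.226.34:5060",
]

# syslog header (timestamp, logging host, process[pid]) followed by the Snort alert body.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<sensor>\S+)\s(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]:\s"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s(?P<msg>.*?)\s"
    r"\[Classification:\s(?P<cls>[^\]]+)\]\s\[Priority:\s(?P<prio>\d+)\]\s"
    r"\{(?P<proto>\w+)\}\s(?P<src>\S+?):(?P<sport>\d+)\s->\s(?P<dst>\S+?):(?P<dport>\d+)$"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "gid", "sid", "rev", "prio", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Group alerts by (source, destination) flow; list the sensors and rule IDs seen."""
    flows = defaultdict(lambda: {"sensors": set(), "sids": set(), "count": 0})
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue  # skip anything that is not an alert line
        key = (f"{rec['src']}:{rec['sport']}", f"{rec['dst']}:{rec['dport']}")
        flows[key]["sensors"].add(f"{rec['sensor']}/{rec['proc']}[{rec['pid']}]")
        flows[key]["sids"].add(rec["sid"])
        flows[key]["count"] += 1
    return dict(flows)

if __name__ == "__main__":
    for (src, dst), info in summarize(SAMPLE).items():
        print(src, "->", dst, sorted(info["sids"]), sorted(info["sensors"]), info["count"])
```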

Danny De Ridder
Cisco Employee

Hello,

I have seen endpoints being under attack by this Sipvicious "tool". The SIPVicious suite is a set of tools that can be used to audit SIP-based VoIP systems.

http://code.google.com/p/sipvicious/

These are Python scripts. Did somebody install this on the VCS?

Can you check the processes running on the VCS using the root account?

E.g. netstat -apn | grep snort

I assume snort [817] is the process with PID 817.

I am not a VCS expert, but if the VCS runs Linux, can I have root access to your device to check/look for this port scanning software?