Another 50 Accounts Deleted

Just a quick note to the people that are attempting to use the sipsorcery service to hack SIP providers. It needs one SQL statement to delete all your accounts which are easily identifiable by your call detail records and dialplans. I’d be surprised if a new sipsorcery account can be created and configured in less than a minute. Assuming that it means nearly an hour of work creating new accounts was wiped out in 10 seconds!


Regards,

Aaron

  1. Sashi

    Nice! and maybe banning the ip from which they are registered would keep them out. Thanks for all your work.


  2. Tuketu

    Just curious. What are the abusers trying to do? Brute force account credentials at SIP providers, or something else?


    1. sipsorcery

      Yep they were trying a brute force approach to find accounts with weak passwords. In this case the provider looks to have a sequential scheme for allocating usernames so the abuser was simply incrementing through the usernames and trying a password of 123456 with each one.


      1. Tuketu

        Interesting. It would seem like they could code up a simple sip interaction to do the same thing from their own code base and clients. That would give them a lot more control over the process. Maybe they like cracking from sipsorcery because it gives them a layer of indirection…makes them feel more anonymous.


      2. kashmiri

        Hmm, a right move, naturally.

        Still, what disturbs me is the fact that you seem to have access to all users’ SIP passwords.

        I believe you should somehow ensure that all sensitive info is stored in an encrypted form, and no human being can have access to the decrypted form. This should be mainly as a necessary precaution in case a hacker gains access to the sipsorcery database or SIP server.


      3. sipsorcery

        A number of people have requested that passwords get encrypted. I will get around to it at some point and you or anyone else are welcome to patch the code in the meantime.

        As for me having access even with the passwords encrypted I will always be in a position to decrypt them. You’re overlooking the fact that the sipsorcery servers must be able to decrypt them.

        If you are not comfortable that I have access to the passwords, as others have not been in the past, you should not use the service or should set up your own instance.

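The post says the abusive accounts are easy to pick out from their call detail records, and sipsorcery's reply above describes the pattern: one account walking through a provider's sequential usernames with a single password, failing almost every time. The following is an added example, not sipsorcery's own code, of detection logic that applies that observation to a constructed batch of CDR lines. The record format (account, destination user, destination host, final SIP status), the `SAMPLE_CDRS` data, the threshold values and the choice of 401/403/407 as "authentication failed" statuses are all assumptions made for the example.

```python
"""Flag accounts whose call detail records show sequential-username enumeration.

Added illustration, not part of the sipsorcery project. Record layout and the
sample data below are constructed for this example.
"""
from collections import defaultdict

# Constructed CDR lines: account|destination user|destination host|final SIP status
SAMPLE_CDRS = """\
abuser01|1000|sip.provider.example|403
abuser01|1001|sip.provider.example|403
abuser01|1002|sip.provider.example|403
abuser01|1003|sip.provider.example|403
abuser01|1004|sip.provider.example|403
abuser01|1005|sip.provider.example|200
alice|bob|sip.provider.example|200
alice|carol|sip.provider.example|486
alice|1800555|sip.provider.example|200
"""

# Assumption: these final statuses are treated as "credentials rejected".
AUTH_FAILURE_STATUSES = {401, 403, 407}


def parse_cdrs(text):
    """Parse pipe-separated CDR lines into (account, dest_user, dest_host, status) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        account, dest_user, dest_host, status = line.split("|")
        records.append((account, dest_user, dest_host, int(status)))
    return records


def longest_sequential_run(users):
    """Length of the longest run of consecutive numeric destination usernames, in call order."""
    best = run = 0
    prev = None
    for user in users:
        if user.isdigit() and prev is not None and int(user) == prev + 1:
            run += 1
        else:
            run = 1 if user.isdigit() else 0
        best = max(best, run)
        prev = int(user) if user.isdigit() else None
    return best


def flag_enumerating_accounts(records, min_run=4, min_fail_ratio=0.5):
    """Return accounts that walk sequential usernames at one host with mostly failed auth.

    An account is flagged when, against a single destination host, it made a run of
    at least `min_run` consecutive numeric usernames and at least `min_fail_ratio`
    of its calls ended in an authentication failure status.
    """
    by_key = defaultdict(list)
    for account, dest_user, dest_host, status in records:
        by_key[(account, dest_host)].append((dest_user, status))

    flagged = {}
    for (account, host), calls in by_key.items():
        users = [user for user, _ in calls]
        failures = sum(1 for _, status in calls if status in AUTH_FAILURE_STATUSES)
        run = longest_sequential_run(users)
        fail_ratio = failures / len(calls)
        if run >= min_run and fail_ratio >= min_fail_ratio:
            flagged[account] = {
                "host": host,
                "run": run,
                "fail_ratio": round(fail_ratio, 2),
                "calls": len(calls),
            }
    return flagged


if __name__ == "__main__":
    for account, detail in flag_enumerating_accounts(parse_cdrs(SAMPLE_CDRS)).items():
        print(f"{account}: {detail}")
```

Keying on (account, destination host) rather than on the account alone keeps a legitimate user who calls many numbers across several providers from being lumped together with an enumeration run against one provider; the failure-ratio threshold separates a scan from a misdialled batch of real calls.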
