Last Updated: 2009-02-13 23:52:33 UTC
by Kevin Liston (Version: 1)
A reader wrote in to ask about the uptick in port 5060 activity (visible here: isc.sans.org/port.html?port=5060).
Looking at my own sensors, I saw the traffic yesterday for about an hour as an IP address out of Canada swept through my network with packets destined for UDP/5060. These were SIP requests searching for an open VoIP system.
UDP packets can be spoofed, but this appears to be scanning activity, and the attacker is going to expect a reply, so I'm fairly confident that the source IP is legitimate. This activity is likely tied to recent criminal enterprises intent on compromising vulnerable VoIP systems that can later be used to distribute vishing messages or even host vishing sites.
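The sweep described above, a single source touching many hosts on UDP/5060 within about an hour, can be picked out of flow or firewall logs with a sliding-window count of distinct destinations. This is an added example, not code from the original diary; the log format, the threshold, the one-hour window and all addresses and timestamps are constructed assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed): "<ISO time> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\S+) (UDP|TCP) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

def find_sip_sweeps(lines, min_targets=5, window=timedelta(hours=1)):
    """Map each source to the most distinct UDP/5060 targets it hit in one window."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not parse
        ts, proto, src, _sport, dst, dport = m.groups()
        if proto == "UDP" and dport == "5060":
            events[src].append((datetime.fromisoformat(ts), dst))
    sweeps = {}
    for src, hits in events.items():
        hits.sort()
        recent, in_window, best = deque(), Counter(), 0
        for ts, dst in hits:
            recent.append((ts, dst))
            in_window[dst] += 1
            # Expire events older than the sliding window.
            while ts - recent[0][0] > window:
                _, old = recent.popleft()
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
            best = max(best, len(in_window))
        if best >= min_targets:  # threshold is an assumption; tune per network
            sweeps[src] = best
    return sweeps

# Constructed sample data (documentation address ranges, not real observations).
SAMPLE = [  # one source walking through eight hosts in eight minutes
    f"2009-02-12T14:{i:02d}:00 UDP 203.0.113.7:5071 -> 192.0.2.{i + 1}:5060"
    for i in range(8)]
SAMPLE += [  # a slow source: six hosts, but two hours apart each
    f"2009-02-12T{2 * i:02d}:30:00 UDP 198.51.100.33:5060 -> 192.0.2.{i + 100}:5060"
    for i in range(6)]
SAMPLE += [
    "2009-02-12T14:05:00 UDP 198.51.100.20:5060 -> 192.0.2.50:5060",  # one peer, one PBX
    "2009-02-12T14:06:00 UDP 198.51.100.20:5060 -> 192.0.2.50:5060",
    "2009-02-12T14:07:00 TCP 198.51.100.9:40000 -> 192.0.2.3:5060",   # TCP, ignored
]

if __name__ == "__main__":
    print(find_sip_sweeps(SAMPLE))
```

The slow source in the sample stays under the threshold because its probes never share a window; catching that pattern requires a wider `window` at the cost of more false positives from legitimate SIP peers.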