Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Internet Security | DShield SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Is it a SIP Recon scan or something else
It seems that there have been some reports of calls on SIP devices over the last couple of days with a caller ID of ?John Doe <4000>?.

According to an article on's blog site FreePBX :

"This does seem to be a world first - It?s someone, or something, actively scanning the entire internet for misconfigured SIP devices."

Is someone or something testing for a hole or are they checking for systems that are vulnerable to some exploit? According to article SIP uses port 5060.  A quick look at the DShield report for port 5060 there has been some activity on this port but nothing significant.  It will be interesting to see just how wide spread this is.  If you are using an SIP device and have seen this activity on your system let us know. If you have any thoughts or ideas regarding this activity tell us about it.

Thanks to Babak for sending us this information.


279 Posts
ISC Handler
Oct 7th 2006

Sign Up for Free or Log In to start participating in the conversation!