Unfortunately, it's not my UA, so I've no idea. I just happened to notice this
in the logs, and started sniffing the packets and noticed this weird issue
with the garbled data.
It caught my attention as we've been getting hit CONSTANTLY with fraud
attempts through our service from various hacked IPs (proxied through). Most
of them originate in Egypt, Jordan, Morocco, and Palestine, but lately, we've
seen the IPs from all over (Germany, Sweden, Korea, etc). Some of these have
been proxied and attempted 'manually-created' headers to try and fool our
system. This caught my eye and I was wondering if there might be a legitimate
reason for it before I disabled the account out of sheer paranoia. :)
N.
On Mon, 26 Feb 2007 11:29:49 +0100, Atle Samuelsen wrote:
hi
I might be wrong.. but do you have a Zyxel router? I've seen
similar on some Zyxel stuff
-Atle
* Greger V. Teigre <greger(a)teigre.com> [070226 11:25]:
> Bad ALG?
> g-)
>
> sip wrote:
> >I'm getting an odd Via parsing error from SER 0.9.6:
> >Feb 23 16:52:49 death ser[17389]: error: parse_via_param
> >Feb 23 16:52:49 death ser[17389]: ERROR: parse_via on: <sip/2.0/udp 172.30.237.149:56755;branch=z9hg4bk-d87543-d75bc86d826ac929-1--d87543->
> >Feb 23 16:52:49 death ser[17389]: ERROR: parse_via parse error, parsed so far:<sip/2.0/udp 172.30.237.149:56755;branch=z9hg4bk-d87543-d75bc86d826ac929-1--d87543->
> >Feb 23 16:52:49 death ser[17389]: ERROR: get_hdr_field: bad via
> >Feb 23 16:52:49 death ser[17389]: ERROR: parse_msg: message=<REGISTEl sip:proxy.ideasip.com SIP/2.0>
> >Feb 23 16:52:49 death ser[17389]: ERROR: receive_msg: parse_msg failed
> >
> >When I look at the packet, it looks like the actual SIP data is somehow
> >getting garbled... with odd characters showing up in the middle of headers, etc.
> >Any idea what might cause this?
> >
> >U 148.233.151.30:43764 -> XX.XX.XX.XX:5060
> >REGISTEl sip:proxy.ideasip.com SIP/2.0.
> >Via: sip/2.0/udp 172.30.237.149:16240;branch=z9hg4bk-d87543-9332b73b5700e95c-1--d87543-.
> >Max-Forward2a:70.
> >Contactm:<sip:user@148.233.151.30:32332;rinstance=6c0c8351d99e79db>.
> >To: "mario"<sip:user@proxy.ideasip.com>.
> >From: "mario"<sip:user@proxy.ideasip.com>;tag=fe132761.
> >Call-ID: n2m5owi1odc4mzkznmm5mjflmzvmzmu3zgjmngqym2y..
> >CSe1h:1 register.
> >Expire1k:3600.
> >Allo0b:invite, ack, cancel, options, bye, refer, notify, message, subscribe, info.
> >User-Agen5m:x-lite release 1006e stamp 34025.
> >Content-Lengthl:0.
> >
> >
> >As you can see... things like REGISTEl, Max Forward2a: Expire1k:
> >All these things look garbled. Would this be a transmission error of some
> >kind (the garbled headers are identical for each submitted packet, though, so
> >it seems unlikely) ?
> >
> >N.
> >_______________________________________________
> >Serusers mailing list
> >Serusers(a)lists.iptel.org
> >http://lists.iptel.org/mailman/listinfo/serusers
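Added example, not part of the thread and not SER code: a small Python check that flags a SIP method or header name that looks like a known name with its tail replaced by a few stray characters, the pattern visible in the capture above. The name lists are a partial RFC 3261 set, and the sample message is constructed: header names are copied from the capture, while hosts, addresses and values are placeholders.

```python
# Added example: flag SIP method/header names that look like corrupted known names.
KNOWN_METHODS = ["REGISTER", "INVITE", "ACK", "CANCEL", "OPTIONS", "BYE"]
KNOWN_HEADERS = ["Via", "Max-Forwards", "Contact", "To", "From", "Call-ID",
                 "CSeq", "Expires", "Allow", "User-Agent", "Content-Length"]  # not exhaustive

def nearest(token, known, max_junk=3):
    """Known name that token resembles: the full name, or the name minus its last
    character, followed by 1..max_junk stray characters. None if nothing fits."""
    low, best = token.lower(), None
    for name in known:
        n = name.lower()
        for keep in (len(n), len(n) - 1):
            junk = len(low) - keep
            if keep >= 2 and low.startswith(n[:keep]) and 0 < junk <= max_junk:
                if best is None or len(name) > len(best):
                    best = name
    return best

def audit(raw):
    """Return (kind, token, probable_original) for each unrecognised method or header name."""
    lines = raw.split("\r\n")
    findings = []
    method = lines[0].split(" ", 1)[0]
    if method not in KNOWN_METHODS:                  # methods are case-sensitive
        findings.append(("method", method, nearest(method, KNOWN_METHODS)))
    known = {h.lower() for h in KNOWN_HEADERS}       # header names are case-insensitive
    for line in lines[1:]:
        if not line:
            break                                    # blank line ends the header block
        if line[0] in " \t":
            continue                                 # folded continuation of previous header
        name = line.split(":", 1)[0].strip()
        if name.lower() not in known:
            findings.append(("header", name, nearest(name, KNOWN_HEADERS)))
    return findings

def fingerprint(raw):
    """Ordered tuple of bad tokens; equal fingerprints across packets mean identical garbling."""
    return tuple(tok for _, tok, _ in audit(raw))

# Constructed sample: header names copied from the capture in the thread, values are placeholders.
SAMPLE = "\r\n".join([
    "REGISTEl sip:proxy.example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:16240;branch=z9hG4bK-constructed",
    "Max-Forward2a:70", "Contactm:<sip:user@192.0.2.10:32332>",
    'To: "user"<sip:user@proxy.example.com>', 'From: "user"<sip:user@proxy.example.com>;tag=1',
    "Call-ID: constructed-call-id", "CSe1h:1 REGISTER", "Expire1k:3600",
    "Allo0b:INVITE, ACK", "User-Agen5m:constructed-ua", "Content-Lengthl:0", "", ""])

if __name__ == "__main__":
    for kind, token, guess in audit(SAMPLE):
        print(f"{kind:6} {token!r:18} looks like {guess!r}")
```

Comparing `fingerprint()` across several packets from the same source separates repeatable garbling, as reported in the thread, from corruption that differs per packet.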