Hello, 

If you don't use SIP for your calls I would turn that off. It sounds like someone is tiring to use your SIP option to do calls on your system. 

I disable SIP.  

What is the advantage of SIP? The previous manager set up all our units to use it.

So there have been multiple clients calling in these days asking why they get mystery Sip calls. Upon pulling the logs, you can easily find these SIPVicious messages.  As I understand it, Sipvicious  is a Voip audit tool that can be used to hack weak passwords on units. And it rings because PBX’s are not configured to direct sip calls to only the assigned number.

So, the steps we’ve been following for the HDX are as follows:

1.       If they do not need SIP

•  then disable SIP – WALA! Instantaneous fix.

2.       If they do need SIP enabled

• for security purposes , they should modify their remote access password to something more complex
• they should upgrade to the most recent firmware
• they should contact their PBX/VOIP provider and inform them to configure the network to only allow SIP destined to the VOIP devices from their own gateways
• they should put their SIP/VOIP devise behind a firewall and only allow it to be contacted by the provider . . . . ?

We have seen several HDX units here in the lab and our cubes being hit as well.  Yes turning off SIP works.

From this site….  http://threatpost.com/hackers-pushing-sipvicious-voip-tools-malicious-attacks-083111

Researchers at NSS Labs claim that they’ve spotted attacks that use Sipvicious, a common auditing tool for Voice over IP (VoIP) networks as part of malicious attacks aimed at taking control of vulnerable VoIP servers. The attacks are apparently aimed at taking control of VoIP servers to place unauthorized calls. 

A description of the attacks, posted on the NSS blog on Wednesday, says that researchers at NSS have witnessed the Sipvicious tool installed by a Trojan downloader program on systems, most of which had first been compromised in drive by Web site attacks. The attacks use a known Trojan, jqs.exe, and connect to command and control servers to receive instructions on downloading instructions as well as the sipvicious tool from a .cc domain. After installation, Sipvicious is run and scan for SIP devices on the compromised computer’s network and then to launch brute force attacks to guess the administrative password on those systems. 

SIP – or Session Initiation Protocol – is an IETF approved protocol that’s used for managing communication sessions including voice- and video-over-IP, instant messaging, file transfer and video conferencing. Though its name suggests otherwise, the Sipvicious program is a mainstream auditing too for VoIP systems. The tool is intended to aid administrators in evaluating the security of their SIP-based servers and devices.  

Rick Moy, the founder of NSS Labs, said the latest attacks seem designed to create a base from which attackers can make VoIP calls from the victim’s phone or VoIP infrastructure. Those calls might be used to rack up charges on premium rate numbers controlled by the attackers, or as part of voice phishing (vishing) scams that target unwitting consumers. 
Moy said the attack shows that even “good tools” can be used for malicious purposes. 
Attacks on VoIP infrastructure are becoming more common and are often traced back to underlying vulnerabilities in VoIP infrastructure. To date, there have been some arrests. In December, authorities in Romania disrupted a criminal group that was accused of hacking VoIP servers and using them to place bogus calls to premium numbers.