Am I being Hacked?

rmlworld (Member, joined Dec 31, 2007)
Last night I started getting calls from CID "asterisk". Today I started looking at my logs and I have a bunch of inbound calls from a SIP channel with an IP address that points back to China. It is annoying that these people keep trying to call me. How do I block their calls? I don't think they are calling in on any of my trunks...

222 is one of my extensions, so every time it hit 222 I answered the dead-end call...

Example of one channel I would like to block is: SIP/119.147.116.157-00bb4d50

How would I do this?

[image: FreePBX Call Detail Reports screenshot]
 
Edit /etc/sysconfig/iptables and search for the following line:

-A INPUT -m state --state RELATED -j ACCEPT


Immediately after this line, add lines like this for each IP address you wish to block:

-A INPUT -s 192.168.2.68 -j DROP
-A INPUT -s 93.190.143.10 -j DROP


Save the file: Ctrl-X, Y, then Enter.

Then reload IPtables:

service iptables stop
service iptables start
 
Thanks to you both for the quick replies...

Thanks so much to you both for the quick replies. The PBX in A Flash community totally rocks. Posted a question and within 3 hours I have 2 awesome responses. Thanks!!!
 
Hi

I'm assuming that you have allow anonymous SIP calls set to yes.

I would make sure that only the DIDs you actually own are listed in inbound routes.

Then change the catchall (_. or blank) to point at hangup.

Then the only people who can ring you are people who know your number.

Joe
 
Saw the same thing here in atlanta ---

67 attempts -- all to ss-noservice, then they stopped..

Same three IPs...

119.147.116.157
121.14.149.145
117.41.229.145

-------------------------
 
My iptables looks like this: -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Could I add this:
RH-Firewall-1-INPUT -s 192.168.2.68 -j DROP after the ACCEPT Line?
 
Ward - How would you block all IP addresses in the same octet range as the example (93.190.143.10) you have above?
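An added example (not code from the thread or from PBX in a Flash) that does the edit Ward describes without touching the live firewall: it renders the DROP lines for a list of hosts or CIDR ranges and inserts them into a copy of the iptables save file right after the RELATED/ESTABLISHED ACCEPT line, taking the chain name from that line so it works for both the plain INPUT chain and the RH-Firewall-1-INPUT chain asked about above. It also goes one step beyond the single-host rules in the thread: a whole range can be given in CIDR form, e.g. 93.190.143.0/24 for every address in 93.190.143.x. The save-file contents and the block list in the demo are constructed; the three IPs are the ones posted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: build "-A <chain> -s <addr> -j DROP"
# lines and insert them into a COPY of /etc/sysconfig/iptables directly after
# the "--state ...RELATED... -j ACCEPT" line. Review the copy, then install it
# and restart iptables as described in the thread.

# Succeed only if $1 looks like a.b.c.d or a.b.c.d/nn (single host or CIDR range).
valid_addr() {
  printf '%s\n' "$1" | awk -F'[./]' '
    NF != 4 && NF != 5 { exit 1 }
    {
      for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
      if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32)) exit 1
    }'
}

# Print one DROP rule in chain $1 for each address read on stdin,
# skipping blank lines and anything that fails valid_addr.
render_rules() {
  chain=$1
  while read -r addr; do
    [ -z "$addr" ] && continue
    valid_addr "$addr" || { echo "skipping invalid address: $addr" >&2; continue; }
    printf '%s %s -s %s -j DROP\n' '-A' "$chain" "$addr"
  done
  return 0
}

# Chain name used on the RELATED/ESTABLISHED ACCEPT line of save file $1
# (INPUT on a plain install, RH-Firewall-1-INPUT on older Red Hat layouts).
related_chain() {
  awk '/^-A .* --state [A-Z,]*RELATED[A-Z,]* -j ACCEPT/ { print $2; exit }' "$1"
}

# Write a copy of save file $1 with DROP rules for the addresses listed in
# file $2 placed immediately after the RELATED ACCEPT line; print the copy's path.
insert_drops() {
  src=$1 addrs=$2 out="$1.blocked"
  chain=$(related_chain "$src")
  [ -n "$chain" ] || { echo "no RELATED ACCEPT line in $src" >&2; return 1; }
  rules=$(render_rules "$chain" < "$addrs")
  awk -v rules="$rules" '
    { print }
    !done && /--state [A-Z,]*RELATED[A-Z,]* -j ACCEPT/ {
      if (rules != "") print rules
      done = 1
    }' "$src" > "$out"
  echo "$out"
}

# Demo on constructed files: a minimal save file using the RH-Firewall-1-INPUT
# chain, the three IPs posted in the thread, and one /24 range.
demo() {
  d=$(mktemp -d)
  printf '%s\n' '*filter' \
    ':RH-Firewall-1-INPUT - [0:0]' \
    '-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
    '-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited' \
    'COMMIT' > "$d/iptables"
  printf '%s\n' 119.147.116.157 121.14.149.145 117.41.229.145 93.190.143.0/24 \
    > "$d/blocklist"
  cat "$(insert_drops "$d/iptables" "$d/blocklist")"
}

demo
```

The copy is written next to the original with a `.blocked` suffix; after checking it, the thread's own step of replacing the file and restarting the iptables service applies unchanged. Putting the DROP rules directly after the RELATED/ESTABLISHED ACCEPT matters: placed above it they would also cut established flows, placed after the SIP ACCEPT lines they would never be reached.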
 
I'm getting something similar . . .

Except that it shows my IP address rather than the originating IP. Also the calls go to a DAHDI extension. It's odd that the calls are directed to that number since it is not an even number and it is 4 digits. It's an FXO port with a cordless phone connected. The cordless is used with follow-me from desk sets, so it is never dialed directly. It doesn't have voicemail so it rings until answered. When answered, there is no one there. Since it's not dialed directly, I set the destination to hangup. What I can't figure out is why the IP shows my IP rather than the origin. I'd really like to figure out where it's coming from and raise hell with the ISP. It's been happening since last afternoon about once every two hours.
 
Joe -

What about the idea of routing the catchall to a remote ext that forwards to your cell phone instead of "hangup"? That way you can be notified when the attempt is happening and you can then edit /etc/sysconfig/iptables as Ward has suggested.
 
Update

Just found out why the call is going to the DAHDI extension. I had an inbound route with a blank DID pointed to that extension. Would still like to find out where the calls are originating. Also, they are reporting a caller ID number, but it is not a USA number and is different every time.
 
Funny (or maybe not...). I noticed some unusual stuttering during a few calls today, and then a couple of random dropped calls, and decided to check my call logs.

I'm also getting a few strange entries in my channel column from SIP/XXX.XXX.XXX.XXX--my own IP address. Like above, these calls also go to the s extension and have a duration of 0.

I checked the call records from Vitelity and none of these show up in their records. Does this mean that these calls were indeed terminated at my end?

The numbers listed as destinations are strange:
1929533604
15697260164292500
39138807511758100000
...etc

Here's an image of the 10 calls I received today (none others apparently since Jan 1 2010):
[image: strangechannel.jpg]

Getting back to the channels used, how can these be from SIP/XXX.XXX.XXX.XXX...which is my own IP address?

Lastly, I decided to shut down my PBX temporarily as a stopgap...

thx
PP

Edit: just wanted to mention that my iptables rules restrict all external traffic to this box except that from Vitelity's domain:
Accept If protocol is UDP and source is outbound.vitelity.net and destination port is 5000:5082
Accept If protocol is UDP and source is 192.168.0.0/255.255.0.0 and destination port is 5000:5082

On my firewall (DD-WRT) I have 2 Port Range Forwards:
1000-20000 UDP forwards to IP of my PBX
5060-5062 UDP forwards to IP of my PBX

Finally, Allow Anonymous Inbound SIP Calls is set to NO.

I think (thought) this box was pretty well insulated against this sort of thing...How is this traffic getting through??

Any clues?
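An added example, not code from the thread or from any of the posters, for triaging CDR rows like the ones shown above before deciding what to block: it groups calls by the IP address embedded in the SIP channel name (SIP/119.147.116.157-00bb4d50 style), ignores channels that belong to local extensions (SIP/222-...) or DAHDI ports, skips any IPs you name as trusted trunks, and reports per remaining IP how many calls arrived, how many never connected (billsec 0, as in the posts) and how many distinct destinations were dialed. The input format is a constructed, simplified export with the fields start|src|dst|channel|billsec (a real FreePBX CDR export carries more columns); the sample rows and the trunk address 203.0.113.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: summarise suspicious inbound SIP sources
# from a simplified CDR export (constructed format: start|src|dst|channel|billsec).

# Pull "119.147.116.157" out of "SIP/119.147.116.157-00bb4d50"; print nothing
# for channels that are not IP based (SIP/222-..., DAHDI/1-1, Local/...).
chan_ip() {
  printf '%s\n' "$1" | sed -n \
    's#^SIP/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)-[0-9a-f]*$#\1#p'
}

# suspect_ips CDRFILE [TRUSTED_IP ...]
# One line per untrusted source IP: "<ip> <calls> <zero-length calls> <distinct dst>",
# busiest source first.
suspect_ips() {
  file=$1; shift
  trusted=" $* "
  while IFS='|' read -r start src dst chan billsec; do
    ip=$(chan_ip "$chan")
    [ -n "$ip" ] || continue                      # local extension or DAHDI port
    case "$trusted" in *" $ip "*) continue ;; esac # known trunk, leave it alone
    printf '%s %s %s\n' "$ip" "$dst" "$billsec"
  done < "$file" | awk '
    { calls[$1]++; if ($3 == 0) zero[$1]++; if (!seen[$1 SUBSEP $2]++) dsts[$1]++ }
    END { for (ip in calls) printf "%s %d %d %d\n", ip, calls[ip], zero[ip] + 0, dsts[ip] }
  ' | sort -k2,2nr -k1,1
}

# Constructed sample rows: probes of the kind shown in the thread (unanswered,
# odd destinations, roughly an hour apart), one real call via a trunk placeholder
# (203.0.113.10), and two internal calls that must not be reported.
SAMPLE_CDR='2010-01-03 04:12:07|asterisk|222|SIP/119.147.116.157-00bb4d50|0
2010-01-03 05:12:09|asterisk|1929533604|SIP/119.147.116.157-00bb4d51|0
2010-01-03 06:11:58|asterisk|15697260164292500|SIP/121.14.149.145-00bb4d52|0
2010-01-03 07:12:03|asterisk|222|SIP/119.147.116.157-00bb4d53|0
2010-01-03 08:00:00|15555550100|2125551234|SIP/203.0.113.10-00bb4d54|63
2010-01-03 08:30:00|222|223|SIP/222-00bb4d55|41
2010-01-03 09:00:00|223|222|DAHDI/1-1|12'

demo() {
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_CDR" > "$f"
  suspect_ips "$f" 203.0.113.10
  rm -f "$f"
}

demo
```

The first column of the output is exactly the list a block rule needs, and the zero-length count is what separates probing from a misrouted but real caller. If your own address shows up as the channel IP, as two posters above describe, this summary will attribute those rows to that address rather than to the true origin, so the channel column alone cannot tell you where such calls come from.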
 
I wouldn't

I wouldn't post my actual IP. Hope it's not your real one. I know they can be found by doing some hacking from posts, but I wouldn't want to make it any easier for someone. If they want information they have to dig for it. I know they can, but still don't give it to them. The numbers you list are like the ones I'm seeing, such as different lengths of digits. I can't find a pattern. As to your question about the channel, I'd like to know as well. I can't find any way to trace it back to the origin. This sounds like something new, so maybe collectively we can stay ahead of the invaders. I PM'd anonymous, who was collecting info about hacks, but haven't heard back.
 
^^Probably a good idea...changed my IP....but IPs are really easy to determine if you know how...

PP

Edit: brought my PBX back online but disabled the port-range forwards...so I can still poke around in logs etc..no entries in fail2ban...
 
Looking more closely at the times those calls were made to my system, they are almost exactly 1 hour apart...

Here's something else strange: I searched my call logs from 1/1/09 to present for source = asterisk and found some calls just like the OP's, except 3 days earlier:
[image: similar.jpg]

As they say, something must have been making the rounds...luckily these don't show up in Vitelity call records either
 
I will

Check to see if I can isolate the calls. This is a functioning system and they are amidst other activity. Updating now and can't look at cdr.
 
I saw the same thing others have reported above in the last two days. I got a slew of calls from a random 10-20 digit number. The calls didn't come in through any of my existing inbound routes, so I have no idea where they came from. Whatever probing is occurring only managed to make my phones ring, but that's annoying enough when it happens before 6am!

Any ideas? I'd be willing to send logs to somebody that can read them better than I can.
 
I am running Ipbx! Mine's just an older installation. I think I put it in about a year ago. I assume that anybody with one of these older installations (with ports open) is vulnerable to this annoyance.
 
I too am running a fresh install of Incredible PBX (installed on the 17th of this month) and had the same types of entries in my call logs. I set the Catch All inbound route as suggested and added the IP address in iptables.
 
