Is this a Hack?

Gibran27703

Greetings all -

I was looking through my CDR and noticed these calls from a SIP channel, nothing I remember setting up.

The calls are less than 30 seconds at the most; the channel is showing as SIP/199.173.94.80. The IP address doesn't resolve to a host name, and doesn't ping either.

I have enclosed a text file with the recent calls from that channel.

Any ideas?

Thanks,
Nabil
 

I think that this is worth some investigation.

Review Ward's security primer, and check you have done everything you can.

Without more investigation, it would be difficult to comment on whether this is a hack.

Joe
 
I did a quick few searches on Google for that IP address and got a hit from http://www.sipdev.org/forum/download.php?id=73. You might want to take a look at the section snippet below and see if any of these IP addresses are yours. If not, then I'd start looking into seeing who else this IP is hitting and determining if it's a probe or a misdial. In any case, you'll want to ensure you're secure before continuing.

Code:
  INVITE sip:[email protected];user=phone SIP/2.0
  Max-Forwards: 17
  Session-Expires: 3600;Refresher=uac
  Supported: timer
  To: <sip:[email protected]:5060;user=phone>
  From: <sip:[email protected]>;tag=3401796008-563771
  P-Asserted-Identity:<sip:[email protected];user=phone>
  Call-ID: [email protected]
  CSeq: 1 INVITE
  Via: SIP/2.0/UDP 204.215.64.46:5060;branch=88352e450150a7ae566e30cb8d188c05
  Contact: <sip:[email protected]:5060;user=phone>
  Content-Type: application/sdp
  Content-Length: 210
 
Hello Eric -

I saw that document last night; it goes back to 2007. So the IP address must belong to some provider that's been around for at least a couple of years.

Thanks for the tip,

Nabil
 
Greetings all -

After digging around I found out the source IP SIP/199.173.94.80 is actually legitimate; it turned out one of my DIDs comes out of this gateway. I guess what confused me was the series of calls with destination "s" in the CDR, it looked to me like a hack. My thoughts are that some people are calling my DID and, since it wasn't pointing to an extension, the destination was showing "s" and the calls lasted a couple of seconds.

My joy was short-lived.

This morning I noticed a series of entries in my CDR with an IP address in Malaysia, and source and CLID as "asterisk".

Here's a snippet from the call log from this IP address 124.217.254.208.

4. 2009-06-13 23:39:01 SIP/124.21... asterisk "asterisk" s ANSWERED 00:15
What I'm confused about is the source and CLID showing as "asterisk": why did the call report show them, and what trunk/extension are they coming from?

I checked my trunks and extensions, I don't have any on my system.

Thanks ahead for any pointers.

Nabil
 
I think you are seeing the sort of thing discussed in this thread http://pbxinaflash.com/community/threads/hacking-attempts.3507/?t=3507

My understanding is (please someone correct me if I am wrong) that what is happening is that anonymous unregistered SIP requests are coming into your PBX from someone hoping that you are allowing unregistered endpoints to make calls.

Since you probably are not allowing this, the call falls through to 's' while Asterisk thinks about it and decides it is not going to allow this request.

As I understand it, this is different from someone actually trying to register and brute-force attack your extensions/passwords - in which case fail2ban would kick in.

So my understanding is that, while it is irritating, it is not a huge cause for concern and they will hopefully get bored and go elsewhere eventually (please do correct me if I have got this wrong).
 
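To make the pattern JBH describes above concrete, here is an added CDR triage script (my own example, not code from the thread or from PBX in a Flash). It assumes a constructed CSV sample whose column order loosely follows Asterisk's Master.csv (src, dst, clid, channel, duration, disposition) and an assumed operator-maintained list of known-legitimate gateways; it flags calls that arrived on a bare-IP SIP channel (no registered peer name), fell through to the 's' extension, and did not come from a known gateway.

```python
import csv
import io
import re
from collections import defaultdict

# Assumed: gateways the operator has confirmed as legitimate. In the thread,
# 199.173.94.80 turned out to be the gateway delivering one of Nabil's DIDs.
KNOWN_GATEWAYS = {"199.173.94.80"}

# Constructed sample rows (not taken from the thread). Column order loosely
# follows Asterisk's Master.csv: src, dst, clid, channel, duration, disposition.
SAMPLE_CDR = '''"15551234567","s","""15551234567"" <15551234567>","SIP/199.173.94.80-0a1b","4","ANSWERED"
"asterisk","s","""asterisk"" <asterisk>","SIP/124.217.254.208-0b2c","15","ANSWERED"
"asterisk","s","""asterisk"" <asterisk>","SIP/124.217.254.208-0b2d","12","ANSWERED"
"2001","15551112222","""Nabil"" <2001>","SIP/2001-0c3e","185","ANSWERED"
"100","s","""100"" <100>","SIP/203.0.113.9-0d4f","3","NO ANSWER"
'''

# A channel like SIP/199.173.94.80-0a1b names a raw IP rather than a peer,
# which is what an unregistered (guest) SIP request looks like in the CDR.
CHANNEL_IP = re.compile(r"^SIP/(\d{1,3}(?:\.\d{1,3}){3})-")


def parse_cdr(text):
    """Turn the CSV text into a list of dicts keyed by column name."""
    fields = ["src", "dst", "clid", "channel", "duration", "disposition"]
    return [dict(zip(fields, row)) for row in csv.reader(io.StringIO(text))]


def is_guest_probe(rec):
    """Return the source IP if this row matches the guest-call pattern
    (bare-IP channel, destination 's', not a known gateway), else None."""
    m = CHANNEL_IP.match(rec["channel"])
    if not m:
        return None            # named peer or extension, not an anonymous caller
    ip = m.group(1)
    if ip in KNOWN_GATEWAYS:
        return None            # legitimate inbound DID traffic, like the 199.x case
    if rec["dst"] != "s":
        return None            # call was routed somewhere real, not the fall-through
    return ip


def summarise(text):
    """Count flagged calls per source IP so repeat offenders stand out."""
    hits = defaultdict(int)
    for rec in parse_cdr(text):
        ip = is_guest_probe(rec)
        if ip:
            hits[ip] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, n in sorted(summarise(SAMPLE_CDR).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} unregistered call(s) falling through to 's'")
```

Note that the sample's third flagged row carries a numeric CLID, not "asterisk": the bare-IP channel plus the 's' destination is the signal, and the CLID is whatever the remote side chose to send.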
Hello JB -

Thank you for the link, it helped ease my nervousness about the whole thing. I was getting a little paranoid about it; it's kind of scary to think how quickly a box can be picked from the other side of the world.

I suppose it's time to crank up logging on the firewalls, Fail2Ban and iptables, just in case.

Thanks again,

Nabil
 
Nabil,

I agree with JBH 100%. That is also my understanding. However, blocking that IP or the whole subnet in iptables would ease a lot of frustration. It depends on whether you're doing business in that part of the world. Keep the undesirables away from your box and you would be able to sleep a whole lot better.

Robin A.
 
Hello Guys -

I have begun the process of placing filters on my Netscreen firewall, and this weekend I'm building a logging server.

Thanks for the tips, I feel a little better about it now.

Nabil
 
