Someone hacked my extension and I need help getting logs for police

cramerjd (New Member, joined Oct 22, 2007)
Someone hacked one of the temporary extensions I created for a week. It didn't cost me more than a few bucks, but I filed a police report and need to find the IP of the user that used the extension illegally. I looked in the Full, CDR, and Event logs in /var/log/asterisk but found no IPs.

I have the caller's number, I think, as he was stupid enough to call himself first before autodialing 220 people.

I still would like help getting the IP if anyone knows how so I can make sure they nail 'em.

Thanks in advance.
 
Anytime an extension registers, you will find a registration entry for that extension with the IP address visible in the Asterisk log. It will look something like this:

Code:
[2009-02-22 12:57:43] VERBOSE[3449] logger.c:     -- Registered SIP '207' at 192.168.1.207 port 5060 expires 3600
Glad it didn't cost you much, and I'm guessing you either didn't have fail2ban running, or had a password matching the extension number, both huge no-nos in the world of VoIP. Lately, I've been reading about unscrupulous international wholesale operators scamming both users and providers: http://www.dslreports.com/forum/r21953688-Outbound-call-being-hijacked
 
Thanks, it was a really simple password. Like I said, it was only temporary, and the extension number was long enough itself that I thought it too obscure to find. Lesson for all here.

Which log are you referring to? I did a search for some of the parts of your post and am not finding anything.
 
BTW, we called the number that was first in the CDR and freaked the guy right out. Cops rock.
 
It's the full Asterisk log, /var/log/asterisk/full. You can get to it from the FreePBX interface, but I believe it overwrites the oldest entries to keep from filling up the drive.
 
Fortunately, we have a number of carriers, and this was prevalent on only one carrier to one destination, so a bit of re-routing and we seem to be good at the moment. The issue is that it cannot be replicated on demand, so despite numerous recordings and examples it never seems to be tracked down.


Joe
 
Simple script to gather the SIP info:

cd /var/log/asterisk
ls -l full*
grep "Registered SIP" full*

This will search all of the available full.x files and grab just the records with the string "Registered SIP" in them.
Hope this helps!

Thanks
Tom
 
You're the man, feel free to POD 212.12.148.109.
 
I thought I posted these commands yesterday???

cd /var/log/asterisk
pwd
ls -l full*
grep "Registered SIP" full*

This should give you the list of SIP extensions to IP addresses.
Hope this helps!
Thanks
TomS
 
You DID!! and it worked, see my other post
 
An additional watch script for Registrations:

Glad it helped!
I was having problems seeing the second page of the postings.

Also, here is a simple watch script to see when someone registers either SIP or IAX2:

You will have to hit Ctrl-C to break out of the script:

cd /var/log/asterisk
tail -f full | egrep "Registered SIP|Registered IAX2"

This will show you as a user registers.
You can use this type of script to watch for "failed for" registrations, etc.
Just review the /var/log/asterisk/full log file looking for strings to use.
Glad to be of assistance - sorry about the mix-up.
Thanks
TomS
 
Thanks to the team at PIAF for keeping security at forefront of development.
iptables and Fail2ban are doing a great job, but in my opinion Fail2ban is a reactive solution. What we need is a proactive solution. With fail2ban's findtime, there is too much time between checks of the logs.

This is what I received:
The IP 92.82.128.92 has just been banned by Fail2Ban after
901 attempts against ASTERISK.

I was hoping someone has a solution whereby login attempts to Asterisk are checked live, as in SSH or Webmin: after three attempts you get kicked off.

901 attempts in 10 seconds is a little scary. (See the first and last three log entries.)
[2009-02-24 03:15:45] NOTICE[3549] chan_sip.c: Registration from '"3382602603"<sip:[email protected]>' failed for '92.82.128.92' - No matching peer found
[2009-02-24 03:15:45] NOTICE[3549] chan_sip.c: Registration from '"100"<sip:[email protected]>' failed for '92.82.128.92' - No matching peer found
[2009-02-24 03:15:45] NOTICE[3549] chan_sip.c: Registration from '"101"<sip:[email protected]>' failed for '92.82.128.92' - No matching peer found

Last 3:
[2009-02-24 03:15:55] NOTICE[3549] chan_sip.c: Registration from '"997"<sip:[email protected]>' failed for '92.82.128.92' - No matching peer found
[2009-02-24 03:15:55] NOTICE[3549] chan_sip.c: Registration from '"998"<sip:[email protected]>' failed for '92.82.128.92' - No matching peer found
[2009-02-24 03:15:55] NOTICE[3549] chan_sip.c: Registration from '"999"<sip:[email protected]>' failed for '92.82.128.92' - No matching peer found

Any help would be appreciated.
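Worked example, added by the editor and not code from this thread or from the Asterisk, FreePBX or PIAF projects: a small Python script that does what the grep and tail one-liners earlier in the thread do (map each "Registered SIP" line to an extension and source IP, and pick out registrations from outside the LAN), and then counts "Registration from ... failed for" lines per source IP in a sliding window, so a flood like the 901 attempts above is flagged at the third attempt rather than on fail2ban's next pass over the log. The log lines embedded in it are constructed to match the formats quoted in this thread; 203.0.113.45 and 198.51.100.7 are documentation addresses standing in for an outsider, and treating 192.168.0.0/16 as the LAN is an assumption.

```python
#!/usr/bin/env python3
"""Registration facts from an Asterisk 'full' log: which IPs registered each
extension, which of those are off-LAN, and which source IPs are flooding
failed registrations. Added example; not from this thread or from Asterisk."""
import ipaddress
import re
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Leading timestamp, either "[2009-02-22 12:57:43]" or "[Jul 24 04:50:04]".
TS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]")
# "-- Registered SIP '207' at 192.168.1.207 port 5060 expires 3600"
REGISTERED_RE = re.compile(
    r"Registered SIP '(?P<ext>[^']+)' at (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
# "Registration from '...' failed for '92.82.128.92' - No matching peer found"
FAILED_RE = re.compile(
    r"Registration from '(?P<who>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})' - (?P<reason>.+)$")


def parse_ts(line):
    """Return the line's timestamp as a datetime, or None if it has none."""
    m = TS_RE.match(line)
    if not m:
        return None
    for fmt in ("%Y-%m-%d %H:%M:%S", "%b %d %H:%M:%S"):
        try:
            ts = datetime.strptime(m.group("ts"), fmt)
        except ValueError:
            continue
        if ts.year == 1900:  # year-less syslog style: assume the current year
            ts = ts.replace(year=datetime.now().year)
        return ts
    return None


def iter_events(lines):
    """Yield (timestamp, kind, fields) for registration-related lines."""
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        m = REGISTERED_RE.search(line)
        if m:
            yield ts, "registered", m.groupdict()
            continue
        m = FAILED_RE.search(line)
        if m:
            yield ts, "failed", m.groupdict()


def registrations_by_extension(lines):
    """Map extension -> sorted list of distinct IPs that registered it."""
    seen = defaultdict(set)
    for _, kind, f in iter_events(lines):
        if kind == "registered":
            seen[f["ext"]].add(f["ip"])
    return {ext: sorted(ips) for ext, ips in seen.items()}


def registrations_outside(lines, local_nets=("192.168.0.0/16",)):
    """Extensions registered from outside the given networks (assumed LAN)."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    result = {}
    for ext, ips in registrations_by_extension(lines).items():
        foreign = [ip for ip in ips
                   if not any(ipaddress.ip_address(ip) in n for n in nets)]
        if foreign:
            result[ext] = foreign
    return result


def detect_bursts(lines, maxretry=3, findtime=10):
    """Count failed registrations per source IP inside a sliding window of
    `findtime` seconds. Returns {ip: (time the threshold was crossed, total)}."""
    window = timedelta(seconds=findtime)
    recent, totals, crossed = defaultdict(deque), defaultdict(int), {}
    for ts, kind, f in iter_events(lines):
        if kind != "failed":
            continue
        ip = f["ip"]
        totals[ip] += 1
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop attempts older than findtime
            q.popleft()
        if len(q) >= maxretry and ip not in crossed:
            crossed[ip] = ts  # the maxretry-th attempt, not the 901st
    return {ip: (crossed[ip], totals[ip]) for ip in crossed}


# Constructed sample in the formats quoted in this thread; 203.0.113.45 and
# 198.51.100.7 are documentation addresses standing in for an outsider.
SAMPLE_LOG = """\
[2009-02-22 12:57:43] VERBOSE[3449] logger.c:     -- Registered SIP '207' at 192.168.1.207 port 5060 expires 3600
[2009-02-23 02:14:09] VERBOSE[3449] logger.c:     -- Registered SIP '207' at 203.0.113.45 port 5060 expires 3600
[2009-02-23 02:14:10] VERBOSE[3449] logger.c:     -- Registered SIP '208' at 192.168.1.208 port 5060 expires 3600
[2009-02-24 03:15:45] NOTICE[3549] chan_sip.c: Registration from '"100"<sip:100@198.51.100.7>' failed for '198.51.100.7' - No matching peer found
[2009-02-24 03:15:45] NOTICE[3549] chan_sip.c: Registration from '"101"<sip:101@198.51.100.7>' failed for '198.51.100.7' - No matching peer found
[2009-02-24 03:15:46] NOTICE[3549] chan_sip.c: Registration from '"102"<sip:102@198.51.100.7>' failed for '198.51.100.7' - No matching peer found
[2009-02-24 03:15:46] NOTICE[3549] chan_sip.c: Registration from '"103"<sip:103@198.51.100.7>' failed for '198.51.100.7' - No matching peer found
[2009-02-24 04:50:04] NOTICE[2737] chan_sip.c: Registration from '<sip:192.168.1.50>' failed for '192.168.1.51' - No matching peer found
[2009-02-24 05:50:04] NOTICE[2737] chan_sip.c: Registration from '<sip:192.168.1.50>' failed for '192.168.1.51' - No matching peer found
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 sipreg.py /var/log/asterisk/full
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for ext, ips in sorted(registrations_by_extension(lines).items()):
        print(f"ext {ext} registered from: {', '.join(ips)}")
    for ext, ips in sorted(registrations_outside(lines).items()):
        print(f"ext {ext} registered from OUTSIDE the LAN: {', '.join(ips)}")
    for ip, (when, total) in sorted(detect_bursts(lines).items()):
        print(f"{ip}: {total} failed registrations, threshold crossed at {when}")
```

On the sample, extension 207 shows up from both the LAN phone and the outside address, which is exactly the entry the original poster was looking for, and the hourly "No matching peer found" from 192.168.1.51 later in the thread stays below the threshold because the two attempts are an hour apart, while the scripted sweep from 198.51.100.7 crosses it on its third line. Run it against the rotated files as well (full.1, full.2 and so on), since the registration that matters may have aged out of the current file.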
 
Okay, so what I am seeing is this:

[Jul 24 04:50:04] NOTICE[2737] chan_sip.c: Registration from '<sip:xxx.xxx.xxx.50>' failed for 'xxx.xxx.xxx.51' - No matching peer found

It occurs once every hour all day long. The .50 IP is the PBX, and .51 is one of the three IP phones that I have.

Is my PBX doing this or is this a hack attempt?

I have strong passwords on the Grandstream phones. I think that port 5060 is closed on the firewall although that is controlled by someone else in another country actually.
 
I should add that all is working, too. Fail2Ban seems to be doing its job, just dandy. Just a bit concerned as to whether this rookie can do more. I don't like fail messages.
 
Either you have one device misconfigured, or there is indeed someone trying to register a phone on your PBX. If port 5060 is closed on the firewall, it might be something on your network. I would check with the firewall admin. I had thousands of those on 2 Asterisk boxes when I started here. I added an ACL on our gateway; since then, nothing. BTW, you should have the IP of the device trying to register.

In my case, the crackers probably had a script; they would start on ext 1000 and go up to 9999.
 
Does Asterisk support syslog in any way? It would be beyond awesome if I could get a daemon.Error to my syslog reporting tool when someone fails to register.
 
I would recommend Splunk for looking at logs. I have it installed on all my PIAF machines, and it makes searching through logs a breeze.

www.splunk.com They do have a free version that I use. One word, Awesome.
 