QUESTION Weird Logs

Stewart

I know what this stuff does and what it means; the problem is that the IP that is being shown (which I've changed to 1.2.3.4) is the external IP of the network that the PBX and phones are on. I know those aren't valid extensions on the system and all of the phones are connected via the Aastra scripts. Would one of the PCs on the network have an infection, perhaps?

[2014-06-17 23:04:32] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 1000<sip:[email protected]>;tag=20f39538
[2014-06-17 23:07:17] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 666<sip:[email protected]>;tag=be936949
[2014-06-17 23:07:18] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 666<sip:[email protected]>;tag=be936949
[2014-06-17 23:08:00] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 209<sip:[email protected]>;tag=f6de531e
[2014-06-17 23:08:00] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 209<sip:[email protected]>;tag=f6de531e
[2014-06-18 00:00:40] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 1000<sip:[email protected]>;tag=1f4764aa
[2014-06-18 00:16:02] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 0123456<sip:[email protected]>;tag=9a00aa0a
[2014-06-18 00:16:02] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 0123456<sip:[email protected]>;tag=9a00aa0a
[2014-06-18 00:56:50] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 1000<sip:[email protected]>;tag=a9b77130
[2014-06-18 01:28:05] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 0123456<sip:[email protected]>;tag=258749ad
[2014-06-18 01:28:06] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 0123456<sip:[email protected]>;tag=258749ad
[2014-06-18 01:53:01] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 1000<sip:[email protected]>;tag=69c65859
[2014-06-18 02:40:34] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 0123456<sip:[email protected]>;tag=ac28a747
[2014-06-18 02:40:34] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 0123456<sip:[email protected]>;tag=ac28a747
[2014-06-18 02:49:05] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 1000<sip:[email protected]>;tag=95271e3a
[2014-06-18 03:46:03] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 1000<sip:[email protected]>;tag=3271228b
[2014-06-18 04:43:05] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 1000<sip:[email protected]>;tag=7413e70b
[2014-06-18 05:38:45] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 1000<sip:[email protected]>;tag=53610f56
[2014-06-18 06:34:26] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 1000<sip:[email protected]>;tag=6b5dbce4
[2014-06-18 07:30:08] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 1000<sip:[email protected]>;tag=52694c46
[2014-06-18 08:26:49] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 1000<sip:[email protected]>;tag=4ffd16ff
[2014-06-18 09:20:41] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 1000<sip:[email protected]>;tag=24601d59
[2014-06-18 10:18:00] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 1000<sip:[email protected]>;tag=b58e8dc0
[2014-06-18 11:14:45] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 1000<sip:[email protected]>;tag=1025e9ac
[2014-06-18 11:50:24] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 209<sip:[email protected]>;tag=da8276e3
[2014-06-18 11:50:25] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 209<sip:[email protected]>;tag=da8276e3
[2014-06-18 11:54:00] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=07d92c30
[2014-06-18 11:54:00] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=07d92c30
[2014-06-18 11:54:02] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=c5d259ea
[2014-06-18 11:54:02] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=c5d259ea
[2014-06-18 11:54:04] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=f1cb505c
[2014-06-18 11:54:04] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=f1cb505c
[2014-06-18 11:54:06] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=0c2b6bca
[2014-06-18 11:54:06] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=0c2b6bca
[2014-06-18 11:54:07] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=77137dee
[2014-06-18 11:54:08] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=77137dee
[2014-06-18 11:54:09] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=538b1883
[2014-06-18 11:54:10] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=538b1883
[2014-06-18 11:54:12] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=50dc9a9e
[2014-06-18 11:54:12] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=50dc9a9e
[2014-06-18 11:54:13] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=d15f0980
[2014-06-18 11:54:14] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=d15f0980
[2014-06-18 11:54:15] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=bf3255e9
[2014-06-18 11:54:16] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=bf3255e9
[2014-06-18 11:54:17] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=61077fe6
[2014-06-18 11:54:18] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=61077fe6
[2014-06-18 11:54:19] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=4aec591f
[2014-06-18 11:54:20] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=4aec591f
[2014-06-18 11:54:21] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=9d5aa644
[2014-06-18 11:54:22] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=9d5aa644
[2014-06-18 11:54:23] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=de82b65c
[2014-06-18 11:54:24] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=de82b65c
[2014-06-18 11:54:25] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=82e8b8f6
[2014-06-18 11:54:25] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=82e8b8f6
[2014-06-18 11:54:26] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=342b5ba7
[2014-06-18 11:54:27] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 101<sip:[email protected]>;tag=342b5ba7
[2014-06-18 12:10:40] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 1000<sip:[email protected]>;tag=7cb9b430
[2014-06-18 13:06:24] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 1000<sip:[email protected]>;tag=2751bdbb
[2014-06-18 14:03:27] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 1000<sip:[email protected]>;tag=46bd3723
[2014-06-18 14:18:05] NOTICE[3197] chan_sip.c: Sending fake auth rejection for user 1001<sip:[email protected]>;tag=b905e8d7
 
Stewart

In Asterisk SIP Settings, do you have Allow SIP Guests enabled? Disable it if you don't need it and this should stop this behaviour.
 
Scanners are trying to place calls as sip:user@yourIP - just as your phones do.

The IP shown in the log message doesn't indicate that the auth was coming from your own network, just that this was the SIP URI that was attempting to authenticate. Turn on SIP debugging and you'll see where they are actually coming from.
 
Right, but how would it show from my own External IP?

I ran into this almost two years ago with the same question you have. It has to do with the way Asterisk logs this particular "intrusion" which makes it useless when running fail2ban.

In my search for an answer, I ran into unofficial hacks for Asterisk (1.8.x; which I'm still on) for getting the attacking IP logged when this type of activity happened. In the end, it was easier to just disable Allow SIP Guests and be done with it. Nowadays, I white-list the IPs I need to communicate with at the firewall and have it drop traffic from anything else.

Do like billsimon suggests if you want to see the actual IPs, however.
 
Ah. I assumed the IP shown was the IP it was coming from. Thanks!
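
A triage pass over the log format quoted in this thread, added here as an example (not code from any poster or from Asterisk): it counts distinct attempts per extension, flags bursts, and reports whether the URI host is anything other than the PBX's own address. The sample lines are constructed from the thread's format, and `parse`, `summarize`, the 60-second window and the threshold of 5 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format quoted in the thread; 1.2.3.4 is the
# poster's placeholder for the PBX's own external address.
PREFIX = "NOTICE[3197] chan_sip.c: Sending fake auth rejection for user "
ROWS = [("10:18:00", "1000", "b58e8dc0"), ("11:14:45", "1000", "1025e9ac"),
        ("11:54:00", "101", "07d92c30"), ("11:54:00", "101", "07d92c30"),
        ("11:54:02", "101", "c5d259ea"), ("11:54:04", "101", "f1cb505c"),
        ("11:54:06", "101", "0c2b6bca"), ("11:54:07", "101", "77137dee")]
SAMPLE = "\n".join(f"[2014-06-18 {t}] {PREFIX}{u}<sip:{u}@1.2.3.4>;tag={g}"
                   for t, u, g in ROWS)

LINE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\] chan_sip\.c: Sending fake auth "
    r"rejection for user (?P<user>[^<]*)<sip:(?P<uri>[^>]*)>;tag=(?P<tag>\w+)")

def parse(text):
    """Yield (timestamp, user, uri_host, tag) for each rejection line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["user"], m["uri"].rpartition("@")[2], m["tag"]

def summarize(text, own_addrs, window=timedelta(seconds=60), threshold=5):
    """Per-user attempt counts and burst flags; lines sharing a tag count once."""
    first_seen = defaultdict(dict)          # user -> {tag: first timestamp}
    uri_hosts = set()
    for ts, user, host, tag in parse(text):
        first_seen[user].setdefault(tag, ts)
        uri_hosts.add(host)
    report = {}
    for user, tags in first_seen.items():
        times = sorted(tags.values())
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        report[user] = {"attempts": len(times), "burst": burst}
    # If every URI host is the PBX's own address, the log names the target,
    # not the sender; the source has to come from SIP debugging or a capture.
    source_in_log = not uri_hosts <= set(own_addrs)
    return report, source_in_log

if __name__ == "__main__":
    print(summarize(SAMPLE, {"1.2.3.4"}))
```

A `source_in_log` of `False` is the situation described in the replies: the only address in these lines is the PBX's own, so the log alone cannot feed an IP-based ban.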
 
