Topic # 77596 18-Feb-2011 10:07

Hi all,

I had a strange call this morning with no voice at the other end, and went into the logs and had a look. It turns out there are 2 IPs that have in some way gotten into the system, although I am running fail2ban with iptables!
Since I am not an Asterisk guru, can anyone please explain if the logs below are of suspicious activity, and if yes what can I do to lock them out??

Here is the Asterisk log with their attempts....

[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [00011442073479999@from-sip-external:1] NoOp("SIP/63.247.141.210-08d257e0", "Received incoming SIP connection from unknown peer to 00011442073479999") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [00011442073479999@from-sip-external:2] Set("SIP/63.247.141.210-08d257e0", "DID=00011442073479999") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [00011442073479999@from-sip-external:3] Goto("SIP/63.247.141.210-08d257e0", "s|1") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Goto (from-sip-external,s,1)
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@from-sip-external:1] GotoIf("SIP/63.247.141.210-08d257e0", "1?from-trunk|00011442073479999|1") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Goto (from-trunk,00011442073479999,1)
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [00011442073479999@from-trunk:1] NoOp("SIP/63.247.141.210-08d257e0", "Catch-All DID Match - Found 00011442073479999 - You probably want a DID for this.") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [00011442073479999@from-trunk:2] Goto("SIP/63.247.141.210-08d257e0", "ext-did|s|1") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Goto (ext-did,s,1)
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:1] Set("SIP/63.247.141.210-08d257e0", "__FROM_DID=s") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:2] Gosub("SIP/63.247.141.210-08d257e0", "app-blacklist-check|s|1") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@app-blacklist-check:1] LookupBlacklist("SIP/63.247.141.210-08d257e0", "") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@app-blacklist-check:2] GotoIf("SIP/63.247.141.210-08d257e0", "0?blacklisted") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@app-blacklist-check:3] Return("SIP/63.247.141.210-08d257e0", "") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:3] ExecIf("SIP/63.247.141.210-08d257e0", "0 |Set|CALLERID(name)=asterisk") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:4] SetMusicOnHold("SIP/63.247.141.210-08d257e0", "acc_1") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:5] Set("SIP/63.247.141.210-08d257e0", "__MOHCLASS=acc_1") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:6] Set("SIP/63.247.141.210-08d257e0", "FAX_RX=110") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:7] Set("SIP/63.247.141.210-08d257e0", "FAX_RX_EMAIL=9619625@gmail.com") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:8] Answer("SIP/63.247.141.210-08d257e0", "") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:9] PlayTones("SIP/63.247.141.210-08d257e0", "ring") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:10] NVFaxDetect("SIP/63.247.141.210-08d257e0", "0|t") in new stack
[2011-02-18 07:16:26] DEBUG[25340] app_nv_faxdetect.c: Preparing detect of fax (waitdur=4ms, sildur=1000ms, mindur=100ms, maxdur=-1ms)
[2011-02-18 07:16:27] DEBUG[25340] app_nv_faxdetect.c: Got hangup
[2011-02-18 07:16:27] VERBOSE[25340] logger.c:   == Spawn extension (ext-did, s, 10) exited non-zero on 'SIP/63.247.141.210-08d257e0'


and


[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [00011442073479999@from-sip-external:1] NoOp("SIP/194.28.112.33-08d23150", "Received incoming SIP connection from unknown peer to 00011442073479999") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [00011442073479999@from-sip-external:2] Set("SIP/194.28.112.33-08d23150", "DID=00011442073479999") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [00011442073479999@from-sip-external:3] Goto("SIP/194.28.112.33-08d23150", "s|1") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Goto (from-sip-external,s,1)
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@from-sip-external:1] GotoIf("SIP/194.28.112.33-08d23150", "1?from-trunk|00011442073479999|1") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Goto (from-trunk,00011442073479999,1)
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [00011442073479999@from-trunk:1] NoOp("SIP/194.28.112.33-08d23150", "Catch-All DID Match - Found 00011442073479999 - You probably want a DID for this.") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [00011442073479999@from-trunk:2] Goto("SIP/194.28.112.33-08d23150", "ext-did|s|1") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Goto (ext-did,s,1)
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:1] Set("SIP/194.28.112.33-08d23150", "__FROM_DID=s") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:2] Gosub("SIP/194.28.112.33-08d23150", "app-blacklist-check|s|1") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@app-blacklist-check:1] LookupBlacklist("SIP/194.28.112.33-08d23150", "") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@app-blacklist-check:2] GotoIf("SIP/194.28.112.33-08d23150", "0?blacklisted") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@app-blacklist-check:3] Return("SIP/194.28.112.33-08d23150", "") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:3] ExecIf("SIP/194.28.112.33-08d23150", "0 |Set|CALLERID(name)=asterisk") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:4] SetMusicOnHold("SIP/194.28.112.33-08d23150", "acc_1") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:5] Set("SIP/194.28.112.33-08d23150", "__MOHCLASS=acc_1") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:6] Set("SIP/194.28.112.33-08d23150", "FAX_RX=110") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:7] Set("SIP/194.28.112.33-08d23150", "FAX_RX_EMAIL=9619625@gmail.com") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:8] Answer("SIP/194.28.112.33-08d23150", "") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:9] PlayTones("SIP/194.28.112.33-08d23150", "ring") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:10] NVFaxDetect("SIP/194.28.112.33-08d23150", "0|t") in new stack
[2011-02-18 07:22:13] DEBUG[25365] app_nv_faxdetect.c: Preparing detect of fax (waitdur=4ms, sildur=1000ms, mindur=100ms, maxdur=-1ms)
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:11] Set("SIP/194.28.112.33-08d23150", "__CALLINGPRES_SV=allowed_not_screened") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:12] SetCallerPres("SIP/194.28.112.33-08d23150", "allowed_not_screened") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:13] Goto("SIP/194.28.112.33-08d23150", "timeconditions|2|1") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Goto (timeconditions,2,1)
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [2@timeconditions:1] GotoIfTime("SIP/194.28.112.33-08d23150", "08:00-17:00|mon-fri|1-31|jan-dec?ext-group|600|1") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [2@timeconditions:2] Goto("SIP/194.28.112.33-08d23150", "ext-group|601|1") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Goto (ext-group,601,1)
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [601@ext-group:1] Macro("SIP/194.28.112.33-08d23150", "user-callerid|") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@macro-user-callerid:1] Set("SIP/194.28.112.33-08d23150", "AMPUSER=asterisk") in new stack
[2011-02-18 07:22:18] DEBUG[25365] app_macro.c: Executed application: Set
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@macro-user-callerid:2] GotoIf("SIP/194.28.112.33-08d23150", "0?report") in new stack
[2011-02-18 07:22:18] DEBUG[25365] app_macro.c: Executed application: GotoIf
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@macro-user-callerid:3] ExecIf("SIP/194.28.112.33-08d23150", "1|Set|REALCALLERIDNUM=asterisk") in new stack
[2011-02-18 07:22:18] DEBUG[25365] app_macro.c: Executed application: ExecIf
[2011-02-18 07:22:18] DEBUG[25365] func_db.c: DB: DEVICE/asterisk/user not found in database.
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@macro-user-callerid:4] Set("SIP/194.28.112.33-08d23150", "AMPUSER=") in new stack
[2011-02-18 07:22:18] DEBUG[25365] app_macro.c: Executed application: Set
[2011-02-18 07:22:18] DEBUG[25365] func_db.c: DB: AMPUSER//cidname not found in database.
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@macro-user-callerid:5] Set("SIP/194.28.112.33-08d23150", "AMPUSERCIDNAME=") in new stack
[2011-02-18 07:22:18] DEBUG[25365] app_macro.c: Executed application: Set
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@macro-user-callerid:6] GotoIf("SIP/194.28.112.33-08d23150", "1?report") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Goto (macro-user-callerid,s,10)
[2011-02-18 07:22:18] DEBUG[25365] app_macro.c: Executed application: GotoIf
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@macro-user-callerid:10] GotoIf("SIP/194.28.112.33-08d23150", "0?continue") in new stack


Does anyone know what the intruder is trying to do?


Thanks all for the help!
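Added example, not from the thread: a small Python script that reads Asterisk dialplan log lines like the ones above, keeps only calls whose channel is named after a bare source IP (how chan_sip names an unauthenticated guest channel, as in "SIP/194.28.112.33-08d23150") or that carry FreePBX's "Received incoming SIP connection from unknown peer" NoOp, and summarises per source IP which number was dialled, whether the catch-all DID route picked the call up, and how far past inbound routing it got. The embedded sample log is constructed from trimmed lines of the post; the "provider" trunk line is made up for contrast, and the list of "internal" context names is an assumption about a typical FreePBX dialplan.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the guest-call lines are trimmed from the log in the post,
# the final "provider" line is a made-up authenticated trunk call for contrast.
SAMPLE_LOG = """\
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [00011442073479999@from-sip-external:1] NoOp("SIP/63.247.141.210-08d257e0", "Received incoming SIP connection from unknown peer to 00011442073479999") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [00011442073479999@from-trunk:1] NoOp("SIP/63.247.141.210-08d257e0", "Catch-All DID Match - Found 00011442073479999 - You probably want a DID for this.") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [00011442073479999@from-sip-external:1] NoOp("SIP/194.28.112.33-08d23150", "Received incoming SIP connection from unknown peer to 00011442073479999") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [00011442073479999@from-trunk:1] NoOp("SIP/194.28.112.33-08d23150", "Catch-All DID Match - Found 00011442073479999 - You probably want a DID for this.") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [2@timeconditions:1] GotoIfTime("SIP/194.28.112.33-08d23150", "08:00-17:00|mon-fri|1-31|jan-dec?ext-group|600|1") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [601@ext-group:1] Macro("SIP/194.28.112.33-08d23150", "user-callerid|") in new stack
[2011-02-18 07:30:00] VERBOSE[25370] logger.c:     -- Executing [s@from-trunk:1] NoOp("SIP/provider-08d24000", "Inbound from trunk") in new stack
"""

# Matches: Executing [exten@context:prio] App("SIP/peer-uniqueid", "args")
EXEC_RE = re.compile(
    r'^\[[^\]]+\] \w+\[\d+\] \S+\s+-- Executing '
    r'\[(?P<exten>[^@\]]+)@(?P<ctx>[^:\]]+):\d+\] (?P<app>\w+)'
    r'\("SIP/(?P<peer>.+?)-[0-9a-f]+", "(?P<args>[^"]*)"\)'
)

# Assumed FreePBX context names that lie beyond plain inbound routing.
INTERNAL_CONTEXTS = ("timeconditions", "ext-group", "ext-local", "macro-")

def is_guest_peer(peer):
    """chan_sip names an unauthenticated (guest) channel after its source IP."""
    try:
        ipaddress.ip_address(peer)
        return True
    except ValueError:
        return False

def analyse(log_text):
    """Per guest source IP: DIDs dialled, catch-all hit, contexts reached."""
    calls = defaultdict(lambda: {"dids": set(), "contexts": [], "catch_all": False})
    for line in log_text.splitlines():
        m = EXEC_RE.match(line)
        if not m:
            continue
        peer, ctx, args = m["peer"], m["ctx"], m["args"]
        if not (is_guest_peer(peer) or "from unknown peer" in args):
            continue  # authenticated peer or trunk, not an anonymous call
        rec = calls[peer]
        if ctx == "from-sip-external":
            rec["dids"].add(m["exten"])  # the number the caller asked for
        if ctx not in rec["contexts"]:
            rec["contexts"].append(ctx)
        if args.startswith("Catch-All DID Match"):
            rec["catch_all"] = True
    return dict(calls)

def reached_internal(rec):
    """Contexts past inbound routing that an anonymous call reached."""
    return [c for c in rec["contexts"] if c.startswith(INTERNAL_CONTEXTS)]
```

Run it over a full /var/log/asterisk/full and any IP that shows up with catch_all set, or with a non-empty reached_internal list, is an unauthenticated caller who got past inbound routing; that is exactly what disabling anonymous inbound SIP stops.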

Reply # 441065 18-Feb-2011 11:02

You know all those threads/news about random cold calls from computer fixing companies...

A lot of them work by hacking PABX/SIP trunks and dialling out local calls to connect them to India etc ;)

Not saying this is what's happening here (I'm no VoIP/SIP expert), but it's quite likely an attempt at such?

Reply # 441069 18-Feb-2011 11:06

Just realized I had

PBX->PBX Configuration->Allow anonymous inbound SIP calls to YES

Changed to NO now... let's see if this keeps them out...

Reply # 441074 18-Feb-2011 11:11

Oh my.

Google the incoming number minus a 0. Quite a few hits.

http://www.networksystemssolutions.eu/voipblocklist.php

Reply # 441084 18-Feb-2011 11:17

Looks like 194.28.112.33 is an IP that actually does SIP hacking... S$!t!!!
I will keep an eye on it and see what is happening...

Reply # 441099 18-Feb-2011 11:37

Have a look at your call records on viewbill to see what they have done.


Reply # 441103 18-Feb-2011 11:47

Unfortunately I haven't got access to viewbill.
I don't see any calls made on my Asterisk logs though...

Reply # 441111 18-Feb-2011 12:01

Also, mind you, if any outcalls were made you are responsible for them, in terms of costs (http://www.geekzone.co.nz/forums.asp?forumid=95&topicid=57078)
Reply # 441112 18-Feb-2011 12:02

I am aware of that... That's why I am looking into it!!! :-)

Reply # 441114 18-Feb-2011 12:10

grkiwi: Just realized I had

PBX->PBX Configuration->Allow anonymous inbound SIP calls to YES

Changed to NO now... let's see if this keeps them out...


Setting this to YES is the simplest way to get hacked. Many people set it to yes because they can't get their inbound routes matching properly with some VoIP providers.

If you want to allow inbound SIP URI calling into your box you need to define some URI usernames and manually add these to the FreePBX config files.




*Need help configuring your Linksys ATA or IP Phones for New Zealand? Check my blog post

Reply # 441115 18-Feb-2011 12:12

Unless you have outbound DISA set then it's unlikely they've compromised your system. They've simply SIP URI called your system and hit your inbound call routing, so unless you've changed things and created any other loopholes the damage they could do would be no different to somebody calling your PSTN number and hitting the same inbound call routing.




Reply # 441116 18-Feb-2011 12:13

sbiddle:
grkiwi: Just realized I had

PBX->PBX Configuration->Allow anonymous inbound SIP calls to YES

Changed to NO now... let's see if this keeps them out...


Setting this to YES is the simplest way to get hacked. Many people set it to yes because they can't get their inbound routes matching properly with some VoIP providers.

If you want to allow inbound SIP URI calling into your box you need to define some URI usernames and manually add these to the FreePBX config files.


Unfortunately it was pure ignorance on my part. The default was YES and I hadn't looked into it... till now...



Reply # 441117 18-Feb-2011 12:16

sbiddle: Unless you have outbound DISA set then it's unlikely they've compromised your system. They've simply SIP URI called your system and hit your inbound call routing, so unless you've changed things and created any other loopholes the damage they could do would be no different to somebody calling your PSTN number and hitting the same inbound call routing.


No DISA set here... so probably no harm done... :-) Thanks for that!
