Geekzone: technology news, blogs, forums


grkiwi

68 posts

Master Geek


#77596 18-Feb-2011 10:07

Hi all,

I had a strange call this morning with no voice at the other end, and went into the logs and had a look. It turns out there are 2 IPs that have in some way gotten into the system, although I am running fail2ban with iptables!
Since I am not an Asterisk guru, can anyone please explain if the logs below are of suspicious activity, and if yes what can I do to lock them out??

Here is the Asterisk log with their attempts....

[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [00011442073479999@from-sip-external:1] NoOp("SIP/63.247.141.210-08d257e0", "Received incoming SIP connection from unknown peer to 00011442073479999") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [00011442073479999@from-sip-external:2] Set("SIP/63.247.141.210-08d257e0", "DID=00011442073479999") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [00011442073479999@from-sip-external:3] Goto("SIP/63.247.141.210-08d257e0", "s|1") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Goto (from-sip-external,s,1)
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@from-sip-external:1] GotoIf("SIP/63.247.141.210-08d257e0", "1?from-trunk|00011442073479999|1") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Goto (from-trunk,00011442073479999,1)
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [00011442073479999@from-trunk:1] NoOp("SIP/63.247.141.210-08d257e0", "Catch-All DID Match - Found 00011442073479999 - You probably want a DID for this.") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [00011442073479999@from-trunk:2] Goto("SIP/63.247.141.210-08d257e0", "ext-did|s|1") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Goto (ext-did,s,1)
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:1] Set("SIP/63.247.141.210-08d257e0", "__FROM_DID=s") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:2] Gosub("SIP/63.247.141.210-08d257e0", "app-blacklist-check|s|1") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@app-blacklist-check:1] LookupBlacklist("SIP/63.247.141.210-08d257e0", "") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@app-blacklist-check:2] GotoIf("SIP/63.247.141.210-08d257e0", "0?blacklisted") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@app-blacklist-check:3] Return("SIP/63.247.141.210-08d257e0", "") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:3] ExecIf("SIP/63.247.141.210-08d257e0", "0 |Set|CALLERID(name)=asterisk") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:4] SetMusicOnHold("SIP/63.247.141.210-08d257e0", "acc_1") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:5] Set("SIP/63.247.141.210-08d257e0", "__MOHCLASS=acc_1") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:6] Set("SIP/63.247.141.210-08d257e0", "FAX_RX=110") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:7] Set("SIP/63.247.141.210-08d257e0", "FAX_RX_EMAIL=9619625@gmail.com") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:8] Answer("SIP/63.247.141.210-08d257e0", "") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:9] PlayTones("SIP/63.247.141.210-08d257e0", "ring") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:10] NVFaxDetect("SIP/63.247.141.210-08d257e0", "0|t") in new stack
[2011-02-18 07:16:26] DEBUG[25340] app_nv_faxdetect.c: Preparing detect of fax (waitdur=4ms, sildur=1000ms, mindur=100ms, maxdur=-1ms)
[2011-02-18 07:16:27] DEBUG[25340] app_nv_faxdetect.c: Got hangup
[2011-02-18 07:16:27] VERBOSE[25340] logger.c:   == Spawn extension (ext-did, s, 10) exited non-zero on 'SIP/63.247.141.210-08d257e0'


and


[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [00011442073479999@from-sip-external:1] NoOp("SIP/194.28.112.33-08d23150", "Received incoming SIP connection from unknown peer to 00011442073479999") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [00011442073479999@from-sip-external:2] Set("SIP/194.28.112.33-08d23150", "DID=00011442073479999") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [00011442073479999@from-sip-external:3] Goto("SIP/194.28.112.33-08d23150", "s|1") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Goto (from-sip-external,s,1)
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@from-sip-external:1] GotoIf("SIP/194.28.112.33-08d23150", "1?from-trunk|00011442073479999|1") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Goto (from-trunk,00011442073479999,1)
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [00011442073479999@from-trunk:1] NoOp("SIP/194.28.112.33-08d23150", "Catch-All DID Match - Found 00011442073479999 - You probably want a DID for this.") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [00011442073479999@from-trunk:2] Goto("SIP/194.28.112.33-08d23150", "ext-did|s|1") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Goto (ext-did,s,1)
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:1] Set("SIP/194.28.112.33-08d23150", "__FROM_DID=s") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:2] Gosub("SIP/194.28.112.33-08d23150", "app-blacklist-check|s|1") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@app-blacklist-check:1] LookupBlacklist("SIP/194.28.112.33-08d23150", "") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@app-blacklist-check:2] GotoIf("SIP/194.28.112.33-08d23150", "0?blacklisted") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@app-blacklist-check:3] Return("SIP/194.28.112.33-08d23150", "") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:3] ExecIf("SIP/194.28.112.33-08d23150", "0 |Set|CALLERID(name)=asterisk") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:4] SetMusicOnHold("SIP/194.28.112.33-08d23150", "acc_1") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:5] Set("SIP/194.28.112.33-08d23150", "__MOHCLASS=acc_1") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:6] Set("SIP/194.28.112.33-08d23150", "FAX_RX=110") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:7] Set("SIP/194.28.112.33-08d23150", "FAX_RX_EMAIL=9619625@gmail.com") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:8] Answer("SIP/194.28.112.33-08d23150", "") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:9] PlayTones("SIP/194.28.112.33-08d23150", "ring") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:10] NVFaxDetect("SIP/194.28.112.33-08d23150", "0|t") in new stack
[2011-02-18 07:22:13] DEBUG[25365] app_nv_faxdetect.c: Preparing detect of fax (waitdur=4ms, sildur=1000ms, mindur=100ms, maxdur=-1ms)
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:11] Set("SIP/194.28.112.33-08d23150", "__CALLINGPRES_SV=allowed_not_screened") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:12] SetCallerPres("SIP/194.28.112.33-08d23150", "allowed_not_screened") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:13] Goto("SIP/194.28.112.33-08d23150", "timeconditions|2|1") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Goto (timeconditions,2,1)
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [2@timeconditions:1] GotoIfTime("SIP/194.28.112.33-08d23150", "08:00-17:00|mon-fri|1-31|jan-dec?ext-group|600|1") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [2@timeconditions:2] Goto("SIP/194.28.112.33-08d23150", "ext-group|601|1") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Goto (ext-group,601,1)
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [601@ext-group:1] Macro("SIP/194.28.112.33-08d23150", "user-callerid|") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@macro-user-callerid:1] Set("SIP/194.28.112.33-08d23150", "AMPUSER=asterisk") in new stack
[2011-02-18 07:22:18] DEBUG[25365] app_macro.c: Executed application: Set
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@macro-user-callerid:2] GotoIf("SIP/194.28.112.33-08d23150", "0?report") in new stack
[2011-02-18 07:22:18] DEBUG[25365] app_macro.c: Executed application: GotoIf
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@macro-user-callerid:3] ExecIf("SIP/194.28.112.33-08d23150", "1|Set|REALCALLERIDNUM=asterisk") in new stack
[2011-02-18 07:22:18] DEBUG[25365] app_macro.c: Executed application: ExecIf
[2011-02-18 07:22:18] DEBUG[25365] func_db.c: DB: DEVICE/asterisk/user not found in database.
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@macro-user-callerid:4] Set("SIP/194.28.112.33-08d23150", "AMPUSER=") in new stack
[2011-02-18 07:22:18] DEBUG[25365] app_macro.c: Executed application: Set
[2011-02-18 07:22:18] DEBUG[25365] func_db.c: DB: AMPUSER//cidname not found in database.
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@macro-user-callerid:5] Set("SIP/194.28.112.33-08d23150", "AMPUSERCIDNAME=") in new stack
[2011-02-18 07:22:18] DEBUG[25365] app_macro.c: Executed application: Set
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@macro-user-callerid:6] GotoIf("SIP/194.28.112.33-08d23150", "1?report") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Goto (macro-user-callerid,s,10)
[2011-02-18 07:22:18] DEBUG[25365] app_macro.c: Executed application: GotoIf
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@macro-user-callerid:10] GotoIf("SIP/194.28.112.33-08d23150", "0?continue") in new stack


Does anyone know what the intruder is trying to do?


Thanks all for the help!
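As an added example (not from the thread or from FreePBX), a small Python scan of the Asterisk full log for the "Received incoming SIP connection from unknown peer" line that both calls above produce. It correlates follow-up lines by the Asterisk thread id to tell a call that hung up during fax detection from one that rang a ring group, and tallies calls per source IP; the sample log is constructed from the two calls in the post.

```python
import re
from collections import Counter

# Constructed sample in the format of the Asterisk full log quoted in the post (two anonymous calls).
SAMPLE_LOG = """\
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [00011442073479999@from-sip-external:1] NoOp("SIP/63.247.141.210-08d257e0", "Received incoming SIP connection from unknown peer to 00011442073479999") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Goto (ext-did,s,1)
[2011-02-18 07:16:27] VERBOSE[25340] logger.c:   == Spawn extension (ext-did, s, 10) exited non-zero on 'SIP/63.247.141.210-08d257e0'
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [00011442073479999@from-sip-external:1] NoOp("SIP/194.28.112.33-08d23150", "Received incoming SIP connection from unknown peer to 00011442073479999") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Goto (ext-group,601,1)
"""

# The FreePBX from-sip-external context logs this NoOp for every INVITE that did not
# authenticate as a configured peer, i.e. exactly the calls that "Allow anonymous inbound
# SIP calls = YES" lets through. The source IP is taken from the SIP channel name.
UNKNOWN_PEER = re.compile(
    r'^\[(?P<ts>[^\]]+)\] VERBOSE\[(?P<tid>\d+)\].*NoOp\("SIP/(?P<ip>[\d.]+)-[0-9a-f]+", '
    r'"Received incoming SIP connection from unknown peer to (?P<did>\d+)"\)'
)
THREAD = re.compile(r'^\[[^\]]+\] [A-Z]+\[(?P<tid>\d+)\]')   # VERBOSE[25340] / DEBUG[25340]
RANG_GROUP = re.compile(r'Goto \(ext-group,(?P<ext>\d+),1\)')  # call reached a ring group
HUNGUP = re.compile(r'Spawn extension .* exited non-zero')     # caller dropped the call

def scan_unknown_peer_calls(log_text):
    """One record per anonymous inbound call, correlated by the Asterisk thread id
    (good enough for a single log read; thread ids are recycled over long periods)."""
    calls = {}
    for line in log_text.splitlines():
        m = UNKNOWN_PEER.match(line)
        if m:
            calls[m["tid"]] = {"time": m["ts"], "src_ip": m["ip"], "did": m["did"],
                               "reached": None, "hungup": False}
            continue
        t = THREAD.match(line)
        if not t or t["tid"] not in calls:
            continue
        rec = calls[t["tid"]]
        g = RANG_GROUP.search(line)
        if g:
            rec["reached"] = "ext-group " + g["ext"]
        elif HUNGUP.search(line):
            rec["hungup"] = True
    return list(calls.values())

def calls_per_source(records):
    """Count anonymous calls by source IP, the list to check against a VoIP blocklist."""
    return Counter(r["src_ip"] for r in records)
```

Note that fail2ban's Asterisk filters key on failed registrations and authentication; an anonymous INVITE that is accepted into from-sip-external produces none of those lines, which is why it was not banned.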

Oblivian
6941 posts

Uber Geek

ID Verified

  #441065 18-Feb-2011 11:02

You know all those threads/news about random cold calls from computer fixing companies...

A lot of them work by hacking PABX/SIP trunks and dialling out local calls to connect them to India etc ;)

Not saying this is what's happening here (I'm no VoIP/SIP expert), but it's quite likely an attempt at such?

grkiwi

68 posts

Master Geek


  #441069 18-Feb-2011 11:06

Just realized I had

PBX->PBX Configuration->Allow anonymous inbound SIP calls to YES

Changed to NO now... let's see if this keeps them out...

Oblivian
6941 posts

Uber Geek

ID Verified

  #441074 18-Feb-2011 11:11

Oh my.

Google the incoming number minus a 0. Quite a few hits.

http://www.networksystemssolutions.eu/voipblocklist.php



grkiwi

68 posts

Master Geek


  #441084 18-Feb-2011 11:17

Looks like 194.28.112.33 is an IP that actually does SIP hacking... S$!t!!!
I will keep an eye on it and see what is happening...

dolsen
1443 posts

Uber Geek

Trusted
Lifetime subscriber

  #441099 18-Feb-2011 11:37

Have a look at your call records on viewbill to see what they have done.

grkiwi

68 posts

Master Geek


  #441103 18-Feb-2011 11:47

Unfortunately I haven't got access to viewbill.
I don't see any calls made on my Asterisk logs though...

freitasm
BDFL - Memuneh
76318 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #441111 18-Feb-2011 12:01

Also, mind you, if any outcalls were made you are responsible for them, in terms of costs (http://www.geekzone.co.nz/forums.asp?forumid=95&topicid=57078)

grkiwi

68 posts

Master Geek


  #441112 18-Feb-2011 12:02

I am aware of that... That's why I am looking into it!!! :-)

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #441114 18-Feb-2011 12:10

grkiwi: Just realized I had

PBX->PBX Configuration->Allow anonymous inbound SIP calls to YES

Changed to NO now... let's see if this keeps them out...


Setting this to YES is the simplest way to get hacked. Many people set it to yes because they can't get their inbound routes matching properly with some VoIP providers.

If you want to allow inbound SIP URI calling into your box you need to define some URI usernames and manually add these to the FreePBX config files.

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #441115 18-Feb-2011 12:12

Unless you have outbound DISA set then it's unlikely they've compromised your system. They've simply SIP URI called your system and hit your inbound call routing, so unless you've changed things and created any other loopholes, the damage they could do would be no different to somebody calling your PSTN number and hitting the same inbound call routing.

grkiwi

68 posts

Master Geek


  #441116 18-Feb-2011 12:13

sbiddle:
grkiwi: Just realized I had

PBX->PBX Configuration->Allow anonymous inbound SIP calls to YES

Changed to NO now... let's see if this keeps them out...


Setting this to YES is the simplest way to get hacked. Many people set it to yes because they can't get their inbound routes matching properly with some VoIP providers.

If you want to allow inbound SIP URI calling into your box you need to define some URI usernames and manually add these to the FreePBX config files.


Unfortunately it was pure ignorance on my part. The default was YES and I hadn't looked into it... till now...

grkiwi

68 posts

Master Geek


  #441117 18-Feb-2011 12:16

sbiddle: Unless you have outbound DISA set then it's unlikely they've compromised your system. They've simply SIP URI called your system and hit your inbound call routing, so unless you've changed things and created any other loopholes, the damage they could do would be no different to somebody calling your PSTN number and hitting the same inbound call routing.


No DISA set here... so probably no harm done... :-) Thanks for that!
