[Asterisk-Users] possible attack, or just dumb log question?

RJ rj at pstc.com
Sun Feb 20 13:13:54 MST 2005


I've got a strange situation that started yesterday -- I have a ton
of calls listed in the log for number = 18883629704

It initially looked like I was getting an incoming call on Zap/4 (LD
trunk) from 18883629704, which was going to an extension at Zap/2,
and then trying to dial out again back to the 18883629704 number
(the 'dial' application was called, with the argument
Zap/4/18883629704).

I found one reference on Google to this number under the topic
"*New ECM technique*", describing what looks like some kind
of attack on some unknown system (the domain is down, but it
was in the Google cache)..

The outgoing attempts weren't working (apparently because they
were coming in on the same trunk that's used for LD outgoing),
but it was still disconcerting...

So I tried to block receiving any calls from 18883629704 in
the dialplan by giving them the congestion application, and also
blocking outgoing calls to it the same way, as

exten => s/3202594099,1,Congestion
exten => s/8883629704,1,Congestion
exten => s,1,Answer()
exten => s,2,NoOp(INCOMING call at ${DATETIME} from ${CALLERID}: Name: ${CALLERIDNAME}, Number: ${CALLERIDNUM})
exten => s,3,DigitTimeout(10)
exten => s,4,ResponseTimeout(20)
exten => s,5,Background(splash)
...

and

exten => 18883629704,1,Hangup()

in the [outgoing] context.

But I'm still getting these things, every 45 minutes or so, in pairs
about a minute or so apart.  At least now they're not trying to dial
out, and the hangup seems to be working, but why is there all
this activity?  And why am I getting the incoming digits that it's
trying to dial?  It looks like they're not getting the congestion thing
at all?

I put the logging into verbose debug mode, and got the following,
which doesn't make a lot of sense.  Shouldn't there be a log
entry for the Zap/4 (incoming trunk) call before it gets rung to the
Zap/2 (station) extension? 

Thanks in advance for any help!

rj


2005-02-20 14:05:46 DEBUG[28229]: Monitor doohicky got event Ring/Answered on channel 2
2005-02-20 14:05:46 DEBUG[28229]: Device 'Zap/2' changed to state '2'
2005-02-20 14:05:46 DEBUG[28229]: Device 'Zap/2' changed to state '2'
2005-02-20 14:05:48 DEBUG[28229]: DTMF digit: 1 on Zap/2-1
2005-02-20 14:05:48 DEBUG[28229]: DTMF digit: 8 on Zap/2-1
2005-02-20 14:05:48 DEBUG[28229]: DTMF digit: 8 on Zap/2-1
2005-02-20 14:05:48 DEBUG[28229]: DTMF digit: 8 on Zap/2-1
2005-02-20 14:05:48 DEBUG[28229]: DTMF digit: 3 on Zap/2-1
2005-02-20 14:05:48 DEBUG[28229]: DTMF digit: 6 on Zap/2-1
2005-02-20 14:05:49 DEBUG[28229]: DTMF digit: 2 on Zap/2-1
2005-02-20 14:05:49 DEBUG[28229]: DTMF digit: 9 on Zap/2-1
2005-02-20 14:05:49 DEBUG[28229]: DTMF digit: 7 on Zap/2-1
2005-02-20 14:05:49 DEBUG[28229]: DTMF digit: 0 on Zap/2-1
2005-02-20 14:05:49 DEBUG[28229]: DTMF digit: 4 on Zap/2-1
2005-02-20 14:05:49 DEBUG[28229]: Enabled echo cancellation on channel 2
2005-02-20 14:05:49 DEBUG[28229]: Launching 'Hangup'
2005-02-20 14:05:49 DEBUG[28229]: Spawn extension (default,18883629704,1) exited non-zero on 'Zap/2-1'
2005-02-20 14:05:49 DEBUG[28229]: Hanging up channel 'Zap/2-1'
2005-02-20 14:05:49 DEBUG[28229]: zt_hangup(Zap/2-1)
2005-02-20 14:05:49 DEBUG[28229]: Hangup: channel: 2 index = 0, normal = 16, callwait = -1, thirdcall = -1
2005-02-20 14:05:49 DEBUG[28229]: disabled echo cancellation on channel 2
2005-02-20 14:05:49 DEBUG[28229]: Set option TDD MODE, value: OFF(0) on Zap/2-1
2005-02-20 14:05:49 DEBUG[28229]: Updated conferencing on 2, with 0 conference users
2005-02-20 14:05:49 DEBUG[28229]: Device 'Zap/2' changed to state '0'
2005-02-20 14:05:49 DEBUG[28229]: Device 'Zap/2' changed to state '0'
2005-02-20 14:05:50 DEBUG[28229]: Monitor doohicky got event Hook Transition Complete on channel 2
2005-02-20 14:05:54 DEBUG[28229]: Monitor doohicky got event On hook on channel 2
2005-02-20 14:05:54 DEBUG[28229]: disabled echo cancellation on channel 2
2005-02-20 14:06:06 DEBUG[28229]: Monitor doohicky got event Ring/Answered on channel 2
2005-02-20 14:06:06 DEBUG[28229]: Device 'Zap/2' changed to state '2'
2005-02-20 14:06:06 DEBUG[28229]: Device 'Zap/2' changed to state '2'
2005-02-20 14:06:08 DEBUG[28229]: DTMF digit: 1 on Zap/2-1
2005-02-20 14:06:08 DEBUG[28229]: DTMF digit: 8 on Zap/2-1
2005-02-20 14:06:08 DEBUG[28229]: DTMF digit: 8 on Zap/2-1
2005-02-20 14:06:08 DEBUG[28229]: DTMF digit: 8 on Zap/2-1
2005-02-20 14:06:09 DEBUG[28229]: DTMF digit: 3 on Zap/2-1
2005-02-20 14:06:09 DEBUG[28229]: DTMF digit: 6 on Zap/2-1
2005-02-20 14:06:09 DEBUG[28229]: DTMF digit: 2 on Zap/2-1
2005-02-20 14:06:09 DEBUG[28229]: DTMF digit: 9 on Zap/2-1
2005-02-20 14:06:09 DEBUG[28229]: DTMF digit: 7 on Zap/2-1
2005-02-20 14:06:10 DEBUG[28229]: DTMF digit: 0 on Zap/2-1
2005-02-20 14:06:10 DEBUG[28229]: DTMF digit: 4 on Zap/2-1
2005-02-20 14:06:10 DEBUG[28229]: Enabled echo cancellation on channel 2
2005-02-20 14:06:10 DEBUG[28229]: Launching 'Hangup'
2005-02-20 14:06:10 DEBUG[28229]: Spawn extension (default,18883629704,1) exited non-zero on 'Zap/2-1'
2005-02-20 14:06:10 DEBUG[28229]: Hanging up channel 'Zap/2-1'
2005-02-20 14:06:10 DEBUG[28229]: zt_hangup(Zap/2-1)
2005-02-20 14:06:10 DEBUG[28229]: Hangup: channel: 2 index = 0, normal = 16, callwait = -1, thirdcall = -1
2005-02-20 14:06:10 DEBUG[28229]: disabled echo cancellation on channel 2
2005-02-20 14:06:10 DEBUG[28229]: Set option TDD MODE, value: OFF(0) on Zap/2-1
2005-02-20 14:06:10 DEBUG[28229]: Updated conferencing on 2, with 0 conference users
2005-02-20 14:06:10 DEBUG[28229]: Device 'Zap/2' changed to state '0'
2005-02-20 14:06:10 DEBUG[28229]: Device 'Zap/2' changed to state '0'
2005-02-20 14:06:10 DEBUG[28229]: Monitor doohicky got event Hook Transition Complete on channel 2
2005-02-20 14:06:15 DEBUG[28229]: Monitor doohicky got event On hook on channel 2
2005-02-20 14:06:15 DEBUG[28229]: disabled echo cancellation on channel 2

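The debug capture in the post already answers its own ordering question, and reading it mechanically makes the same check reusable for the next batch of log. The script below is an added example; it is not code from the original post, from Asterisk or from Digium. It assumes the chan_zap DEBUG message texts exactly as they appear above ("Ring/Answered", "DTMF digit", "Spawn extension", "On hook"), which are specific to Asterisk 1.x Zaptel builds of that era, and it runs over a constructed copy of the post's own log lines. For each off-hook/on-hook cycle it records which Zap channel the digits were collected on, what was dialled, and which context the dialplan ran in, then summarises every attempt to a given number.

```python
"""Rebuild dial attempts from Asterisk 1.x chan_zap DEBUG output.

Added example (not from the post or from Asterisk).  Keys on four line
kinds seen in the post's log: the off-hook event ("Ring/Answered"),
DTMF digits, the "Spawn extension" line and the "On hook" event.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

TS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) DEBUG\[\d+\]: (.*)$")
OFFHOOK_RE = re.compile(r"got event Ring/Answered on channel (\d+)")
DTMF_RE = re.compile(r"DTMF digit: (\S) on Zap/(\d+)-\d+")
SPAWN_RE = re.compile(r"Spawn extension \((\w+),(\w+),\d+\) exited non-zero on 'Zap/(\d+)-\d+'")
ONHOOK_RE = re.compile(r"got event On hook on channel (\d+)")


@dataclass
class DialAttempt:
    channel: str                      # Zap channel the digits were seen on
    started: datetime                 # time of the off-hook event
    digits: str = ""                  # DTMF collected on that channel
    context: Optional[str] = None     # context named in the Spawn line
    exten: Optional[str] = None       # extension named in the Spawn line
    ended: Optional[datetime] = None  # time of the on-hook event


def parse_attempts(log_text: str) -> list:
    """One DialAttempt per off-hook/on-hook cycle on each channel."""
    in_progress = {}   # channel number -> DialAttempt not yet back on hook
    finished = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue                          # not a chan_zap DEBUG line
        stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if (ev := OFFHOOK_RE.search(msg)):
            in_progress[ev.group(1)] = DialAttempt(f"Zap/{ev.group(1)}", stamp)
        elif (ev := DTMF_RE.search(msg)):
            if (att := in_progress.get(ev.group(2))):
                att.digits += ev.group(1)
        elif (ev := SPAWN_RE.search(msg)):
            if (att := in_progress.get(ev.group(3))):
                att.context, att.exten = ev.group(1), ev.group(2)
        elif (ev := ONHOOK_RE.search(msg)):
            if (att := in_progress.pop(ev.group(1), None)):
                att.ended = stamp
                finished.append(att)
    finished.extend(in_progress.values())    # channels still off hook at EOF
    return finished


def report(log_text: str, number: str) -> dict:
    """Summarise every attempt whose collected digits equal `number`."""
    hits = [a for a in parse_attempts(log_text) if a.digits == number]
    starts = sorted(a.started for a in hits)
    return {
        "attempts": len(hits),
        "channels": sorted({a.channel for a in hits}),
        "contexts": sorted({a.context for a in hits if a.context}),
        "gaps_seconds": [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])],
    }


# Constructed sample: the post's two attempts, with the lines the parser
# ignores (state changes, echo cancellation, TDD, conferencing) dropped.
SAMPLE_LOG = """\
2005-02-20 14:05:46 DEBUG[28229]: Monitor doohicky got event Ring/Answered on channel 2
2005-02-20 14:05:48 DEBUG[28229]: DTMF digit: 1 on Zap/2-1
2005-02-20 14:05:48 DEBUG[28229]: DTMF digit: 8 on Zap/2-1
2005-02-20 14:05:48 DEBUG[28229]: DTMF digit: 8 on Zap/2-1
2005-02-20 14:05:48 DEBUG[28229]: DTMF digit: 8 on Zap/2-1
2005-02-20 14:05:48 DEBUG[28229]: DTMF digit: 3 on Zap/2-1
2005-02-20 14:05:48 DEBUG[28229]: DTMF digit: 6 on Zap/2-1
2005-02-20 14:05:49 DEBUG[28229]: DTMF digit: 2 on Zap/2-1
2005-02-20 14:05:49 DEBUG[28229]: DTMF digit: 9 on Zap/2-1
2005-02-20 14:05:49 DEBUG[28229]: DTMF digit: 7 on Zap/2-1
2005-02-20 14:05:49 DEBUG[28229]: DTMF digit: 0 on Zap/2-1
2005-02-20 14:05:49 DEBUG[28229]: DTMF digit: 4 on Zap/2-1
2005-02-20 14:05:49 DEBUG[28229]: Spawn extension (default,18883629704,1) exited non-zero on 'Zap/2-1'
2005-02-20 14:05:54 DEBUG[28229]: Monitor doohicky got event On hook on channel 2
2005-02-20 14:06:06 DEBUG[28229]: Monitor doohicky got event Ring/Answered on channel 2
2005-02-20 14:06:08 DEBUG[28229]: DTMF digit: 1 on Zap/2-1
2005-02-20 14:06:08 DEBUG[28229]: DTMF digit: 8 on Zap/2-1
2005-02-20 14:06:08 DEBUG[28229]: DTMF digit: 8 on Zap/2-1
2005-02-20 14:06:08 DEBUG[28229]: DTMF digit: 8 on Zap/2-1
2005-02-20 14:06:09 DEBUG[28229]: DTMF digit: 3 on Zap/2-1
2005-02-20 14:06:09 DEBUG[28229]: DTMF digit: 6 on Zap/2-1
2005-02-20 14:06:09 DEBUG[28229]: DTMF digit: 2 on Zap/2-1
2005-02-20 14:06:09 DEBUG[28229]: DTMF digit: 9 on Zap/2-1
2005-02-20 14:06:09 DEBUG[28229]: DTMF digit: 7 on Zap/2-1
2005-02-20 14:06:10 DEBUG[28229]: DTMF digit: 0 on Zap/2-1
2005-02-20 14:06:10 DEBUG[28229]: DTMF digit: 4 on Zap/2-1
2005-02-20 14:06:10 DEBUG[28229]: Spawn extension (default,18883629704,1) exited non-zero on 'Zap/2-1'
2005-02-20 14:06:15 DEBUG[28229]: Monitor doohicky got event On hook on channel 2
"""
```

Running `report(SAMPLE_LOG, "18883629704")` on the sample gives two attempts, both on Zap/2, both in context `default`, 20 seconds apart. That is the answer to the question about ordering: every off-hook event and every DTMF digit is on Zap/2, the port the post identifies as the station, and the Spawn line shows Zap/2-1 itself entering the dialplan with 18883629704 as the dialled extension. Nothing in the capture is on Zap/4, so the digits were dialled by whatever device is attached to Zap/2 rather than delivered by an inbound trunk call, and a caller-ID block on the `s` extension of the trunk context never sees them. The context reported from the Spawn line (`default` here) is also worth comparing against the context the Hangup rule was written into. The message texts are specific to chan_zap of that era; later Asterisk and DAHDI builds word these DEBUG lines differently, so the regexes would need adjusting for them.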

