[asterisk-users] Deleting extension makes it usable?

Ishfaq Malik ish at pack-net.co.uk
Tue Jun 8 09:53:48 CDT 2010


On 08/06/10 14:50, J wrote:
> I'm fairly new to FreePBX/Asterisk/Trixbox, but have Googled myself
> into submission here, so any assistance is appreciated.
>
> We had a user with a weak SIP secret recently that allowed it to be
> used by an outside user. The extension was 3799. I could see the
> intruder's calls (including the destination phone numbers) in the
> trixbox call report log. Because the extension was no longer used, I
> went ahead and deleted it, thinking that would solve the problem. I
> also discovered approximately the same time that the Asterisk Call
> Manager port was open to the outside world, which has since been
> closed. The web interface, ssh, etc. have never been exposed to the
> outside world. Since taking these actions, I restarted the asterisk
> server.
>
> Now, here's the issue. I don't think deleting the extension helped.
> Now I see entries like this in the reports log:
>
> Calldate  Channel Source Clid Dst Disposition Duration
> 1.      2010-06-07 16:47:38     SIP/206.20...   3799    "asterisk" <3799>        s       ANSWERED        00:14
>
> The "Dst" field being "s", where it used to be the phone number being
> dialed. How is this extension able to be used even after it has been
> deleted?
>
> Strangely, what I've done to keep the user out in the meantime is
> re-created the 3799 extension with a better secret. This results in
> log entries like the following:
>
> [Jun  7 17:04:16] NOTICE[7422] chan_sip.c: Failed to authenticate user "asterisk"<sip:3799@206.205.124.247>;tag=as23bacb61
>
> Why can sip:3799 connect and make calls when the extension doesn't
> exist? Is this person somehow using a "user" account? I've checked
> both /etc/asterisk and the MySQL tables and am not coming up with
> much. What does it mean that their destination is "s", not a phone
> number?
>
> Thanks for any assistance!
> J

Hi

Were you using RealTime and/or allowing realtime caching? If so, it is 
possible that the user/peer is still in the realtime cache even though 
the sip extension has been deleted from the DB.

Open the console and execute the following:

sip prune realtime 3799

If you get a response of pruned then that was the problem; if you get a 
response of not found then it's back to the drawing board.

Ish
-- 
Ishfaq Malik
Software Developer
PackNet Ltd

Office:   0161 660 3062
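
Added example, not part of the original messages: a small Python tally of the chan_sip "Failed to authenticate user" NOTICE lines quoted in the thread, grouped by extension and source address, so repeated attempts against an extension such as 3799 stand out. The log layout is assumed to match the quoted line; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Matches the chan_sip NOTICE format quoted in the thread (assumption:
# other Asterisk versions may word or lay out this line differently).
FAILED_AUTH = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+NOTICE\[\d+\]\s+chan_sip\.c.*?'
    r'Failed to authenticate user\s+(?P<name>"[^"]*")?\s*'
    r'<sip:(?P<ext>[^@>]+)@(?P<src>[^>;:]+)'
)

# Constructed sample input (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
[Jun  7 17:04:16] NOTICE[7422] chan_sip.c: Failed to authenticate user "asterisk"<sip:3799@203.0.113.10>;tag=as00000001
[Jun  7 17:04:21] NOTICE[7422] chan_sip.c: Failed to authenticate user "asterisk"<sip:3799@203.0.113.10>;tag=as00000002
[Jun  7 17:04:27] NOTICE[7422] chan_sip.c: Failed to authenticate user "asterisk"<sip:3799@203.0.113.10>;tag=as00000003
[Jun  7 17:05:02] VERBOSE[7422] logger.c: unrelated line
[Jun  7 17:06:40] NOTICE[7422] chan_sip.c: Failed to authenticate user "Bob"<sip:2001@198.51.100.7>;tag=as00000004
"""


def failed_auth_counts(log_text):
    """Count failed SIP authentications per (extension, source address)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_AUTH.match(line)
        if m:
            counts[(m.group("ext"), m.group("src"))] += 1
    return counts


def repeat_offenders(log_text, threshold=3):
    """Return sorted (extension, source, count) tuples at or above threshold."""
    return sorted(
        (ext, src, n)
        for (ext, src), n in failed_auth_counts(log_text).items()
        if n >= threshold
    )


if __name__ == "__main__":
    for ext, src, n in repeat_offenders(SAMPLE_LOG):
        print(f"{n} failed auths for extension {ext} from {src}")
```
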