[asterisk-users] Deleting extension makes it usable?

Zeeshan Zakaria zishanov at gmail.com
Tue Jun 8 10:44:33 CDT 2010


Hi J,

When I used FreePBX, I faced these situations occasionally. It is normal to
see these entries in your CDR when hackers are trying to misuse your system.
There doesn't need to be a real extension for it to appear in the CDR.
Based on what SIP URI the hacker sends, the CDR will display some entry in
the 'src' field. In your case it is 3799 because the hacker or his software
knows that once it was successful from this particular extension. Eventually
you may see 3780, 3781 all the way up.

The 's' in 'dst' means the destination context in which FreePBX is dumping these SIP
inbound calls. You can see it in the CDR, under 'dcontext'. If in the
General Settings of FreePBX you have set up 'Allow Anonymous SIP Calls = no',
which is the default, then this is the [from-sip-external] context,
otherwise it is the [from-trunk] context. Don't allow anonymous SIP calls and
keep it 'no'. The hacker is trying to register on your system and hearing
the no-service message followed by the congestion tone.

Having said all this, look into Fail2Ban. That would have blocked this hacker
already, at the kernel level at least.

Zeeshan A Zakaria

--
Sent from my Android phone with K-9 Mail.

On 2010-06-08 9:59 AM, "J" <jmaurer at 2ergo.com> wrote:

I'm fairly new to FreePBX/Asterisk/Trixbox, but have Googled myself
into submission here, so any assistance is appreciated.

We had a user with a weak SIP secret recently that allowed it to be
used by an outside user. The extension was 3799. I could see the
intruder's calls (including the destination phone numbers) in the
trixbox call report log. Because the extension was no longer used, I
went ahead and deleted it, thinking that would solve the problem. I
also discovered approximately the same time that the Asterisk Call
Manager port was open to the outside world, which has since been
closed. The web interface, ssh, etc. have never been exposed to the
outside world. Since taking these actions, I restarted the asterisk
server.

Now, here's the issue. I don't think deleting the extension helped.
Now I see entries like this in the reports log:

Calldate             Channel         Source  Clid               Dst  Disposition  Duration
2010-06-07 16:47:38  SIP/206.20...   3799    "asterisk" <3799>  s    ANSWERED     00:14

The "Dst" field being "s", where it used to be the phone number being
dialed. How is this extension able to be used even after it has been
deleted?

Strangely, what I've done to keep the user out in the mean time is
re-created the 3799 extension with a better secret. This results in
log entries like the following:

[Jun  7 17:04:16] NOTICE[7422] chan_sip.c: Failed to authenticate user
"asterisk" <sip:3799@206.205.124.247>;tag=as23bacb61

Why can sip:3799 connect and make calls when the extension doesn't
exist? Is this person somehow using a "user" account? I've checked
both /etc/asterisk and the MySQL tables and am not coming up with
much. What does it mean that their destination is "s", not a phone
number?

Thanks for any assistance!
J
