[asterisk-users] Deleting extension makes it usable?

J jmaurer at 2ergo.com
Tue Jun 8 12:40:37 CDT 2010


Thank you all very much for your replies. I've gone ahead and made a
few tweaks that might help, including disabling anonymous inbound SIP
calls. I also exhaustively grepped /etc/asterisk for 3799, and there
are absolutely no occurrences of it. The files do not include files in
any other directories, either.

However, upon deleting the extension, I still see entries in the call
log. Initially I thought these were actual calls, but is it possible
instead these are failed calls/attempts by this person? I ask after
poking around more in MySQL and seeing entries like the ones at the
bottom of this email. This seems to be in line with what Zeeshan said
("lastapp: Congestion"), but I'd like to confirm that's really the
case. If so, it sounds like I just need to block this person's IP so
he doesn't waste my valuable logging space!

Thank you again for your help,
J

*************************** 39607. row ***************************
   calldate: 2010-06-08 13:14:26
       clid: "asterisk" <3799>
        src: 3799
        dst: s
   dcontext: from-sip-external
    channel: SIP/206.205.124.247-09d71088
 dstchannel:
    lastapp: Congestion
   lastdata: 5
   duration: 12
    billsec: 12
disposition: ANSWERED
   amaflags: 3
accountcode:
   uniqueid: 1276017266.1300
  userfield:


*************************** 39608. row ***************************
   calldate: 2010-06-08 13:14:38
       clid: "asterisk" <3799>
        src: 3799
        dst: s
   dcontext: from-sip-external
    channel: SIP/206.205.124.247-09d0da80
 dstchannel:
    lastapp: Congestion
   lastdata: 5
   duration: 12
    billsec: 12
disposition: ANSWERED
   amaflags: 3
accountcode:
   uniqueid: 1276017278.1301
  userfield:
39608 rows in set (0.08 sec)


On Tue, Jun 8, 2010 at 11:44 AM, Zeeshan Zakaria <zishanov at gmail.com> wrote:
> Hi J,
>
> When I used FreePBX, I faced these situations occasionally. It is normal to
> see these entries in your CDR when hackers are trying to misuse your system.
> There doesn't need to be a real extension for it to appear in the CDR.
> Based on what SIP URI the hacker sends, the CDR will display some entry in
> the 'src' field. In your case it is 3799 because the hacker or his software
> knows that once it was successful from this particular extension. Eventually
> you may see 3780, 3781 all the way up.
>
> The 'dst' s is the destination context in which FreePBX is dumping these SIP
> inbound calls. You can see in the CDR, in table 'dcontext'. If in the
> General Settings of FreePBX you have set up 'Allow Anonymous SIP Calls = no',
> which is the default, then this is the [from-sip-external] context,
> otherwise it is [from-trunk] context. Don't allow anonymous SIP calls and
> keep it 'no'. The hacker is trying to register on your system and hearing
> the no service message followed by the congestion tone.
>
> Having said this all, look into Fail2Ban. That would have blocked this hacker
> already at your kernel level at least.
>
> Zeeshan A Zakaria
>
> --
> Sent from my Android phone with K-9 Mail.
>
> On 2010-06-08 9:59 AM, "J" <jmaurer at 2ergo.com> wrote:
>
> I'm fairly new to FreePBX/Asterisk/Trixbox, but have Googled myself
> into submission here, so any assistance is appreciated.
>
> We had a user with a weak SIP secret recently that allowed it to be
> used by an outside user. The extension was 3799. I could see the
> intruder's calls (including the destination phone numbers) in the
> trixbox call report log. Because the extension was no longer used, I
> went ahead and deleted it, thinking that would solve the problem. I
> also discovered approximately the same time that the Asterisk Call
> Manager port was open to the outside world, which has since been
> closed. The web interface, ssh, etc. have never been exposed to the
> outside world. Since taking these actions, I restarted the asterisk
> server.
>
> Now, here's the issue. I don't think deleting the extension helped.
> Now I see entries like this in the reports log:
>
> Calldate  Channel Source Clid Dst Disposition Duration
> 1.      2010-06-07 16:47:38     SIP/206.20...   3799    "asterisk"
> <3799>       s       ANSWERED        00:14
>
> The "Dst" field being "s", where it used to be the phone number being
> dialed. How is this extension able to be used even after it has been
> deleted?
>
> Strangely, what I've done to keep the user out in the meantime is
> re-created the 3799 extension with a better secret. This results in
> log entries like the following:
>
> [Jun  7 17:04:16] NOTICE[7422] chan_sip.c: Failed to authenticate user
> "asterisk" <sip:3799 at 206.205.124.247>;tag=as23bacb61
>
> Why can sip:3799 connect and make calls when the extension doesn't
> exist? Is this person somehow using a "user" account? I've checked
> both /etc/asterisk and the MySQL tables and am not coming up with
> much. What does it mean that their destination is "s", not a phone
> number?
>
> Thanks for any assistance!
> J
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>               http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users
>



-- 
Justin Maurer | System Administrator
2ergo – Digital leaders in a mobile world
+1 (703) 879 3413
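The thread's diagnosis rests on two artefacts: CDR rows whose channel carries the peer's IP, land in from-sip-external and end in Congestion, and chan_sip "Failed to authenticate user" notices. The script below is an added example, not code from anyone on the list, that parses both formats and counts attempts per source IP the way a Fail2Ban-style filter would, so that such entries can be confirmed as failed probes rather than completed calls. The CDR rows, log lines and addresses (RFC 5737 documentation IPs) are constructed to match the layouts quoted in the thread, and the maxretry threshold of 3 is an assumption.

```python
import re
from collections import Counter

# Constructed sample of `SELECT * FROM cdr ... \G` output, laid out like the
# rows quoted in the thread. The address is an RFC 5737 documentation IP,
# not the one from the thread.
SAMPLE_CDR = """\
*************************** 1. row ***************************
   calldate: 2010-06-08 13:14:26
       clid: "asterisk" <3799>
        src: 3799
        dst: s
   dcontext: from-sip-external
    channel: SIP/203.0.113.45-09d71088
 dstchannel:
    lastapp: Congestion
   lastdata: 5
   duration: 12
    billsec: 12
disposition: ANSWERED
   amaflags: 3
accountcode:
   uniqueid: 1276017266.1300
  userfield:
*************************** 2. row ***************************
   calldate: 2010-06-08 13:20:01
       clid: "Alice" <201>
        src: 201
        dst: 202
   dcontext: from-internal
    channel: SIP/201-09d0db00
 dstchannel: SIP/202-09d0dc20
    lastapp: Dial
   lastdata: SIP/202,20,tr
   duration: 45
    billsec: 40
disposition: ANSWERED
   amaflags: 3
accountcode:
   uniqueid: 1276017601.1302
  userfield:
2 rows in set (0.08 sec)
"""

# Constructed chan_sip NOTICE lines in the format quoted in the thread,
# plus chan_sip's "Wrong password" registration failure.
SAMPLE_LOG = """\
[Jun  7 17:04:16] NOTICE[7422] chan_sip.c: Failed to authenticate user "asterisk" <sip:3799@203.0.113.45>;tag=as23bacb61
[Jun  7 17:04:17] NOTICE[7422] chan_sip.c: Failed to authenticate user "asterisk" <sip:3799@203.0.113.45>;tag=as23bacb62
[Jun  7 17:05:00] NOTICE[7422] chan_sip.c: Registration from '"Bob" <sip:202@192.0.2.10>' failed for '192.0.2.10' - Wrong password
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW_HEADER = re.compile(r"^\*+ \d+\. row \*+$", re.M)
# Channels of unauthenticated peers are named after the source IP, not a peer name.
CHANNEL_IP = re.compile(rf"^SIP/(?P<ip>{IPV4})-")
FAILED_AUTH = re.compile(rf"Failed to authenticate user .*<sip:[^@>]+@(?P<ip>{IPV4})>")
WRONG_PW = re.compile(rf"Registration from '.*?' failed for '(?P<ip>{IPV4})' - Wrong password")

def parse_vertical_cdr(text):
    """Turn mysql \\G output into a list of dicts, one per row."""
    rows = []
    for chunk in ROW_HEADER.split(text)[1:]:
        row = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # skips "N rows in set (...)" and blank lines
                row[key.strip()] = value.strip()
        rows.append(row)
    return rows

def is_probe(row):
    """The pattern discussed in the thread: an unauthenticated inbound call
    that landed in from-sip-external and ended in Congestion."""
    return row.get("dcontext") == "from-sip-external" and row.get("lastapp") == "Congestion"

def probes_by_ip(cdr_text):
    counts = Counter()
    for row in parse_vertical_cdr(cdr_text):
        m = CHANNEL_IP.match(row.get("channel", ""))
        if m and is_probe(row):
            counts[m.group("ip")] += 1
    return counts

def auth_failures_by_ip(log_text):
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_AUTH.search(line) or WRONG_PW.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def offenders(cdr_text, log_text, maxretry=3):
    """IPs whose combined evidence reaches the threshold; the default of 3 is
    an assumption chosen to mirror a Fail2Ban-style maxretry."""
    total = probes_by_ip(cdr_text) + auth_failures_by_ip(log_text)
    return {ip: n for ip, n in total.items() if n >= maxretry}
```

Running `offenders(SAMPLE_CDR, SAMPLE_LOG)` on the constructed data returns only the probing address with three attempts; the legitimate internal call in row 2 contributes nothing because its dcontext is from-internal and its channel is named after a peer, not an IP. In practice the two inputs would be the output of the CDR query and the chan_sip notices from /var/log/asterisk/full, and the resulting addresses are what a firewall or Fail2Ban jail would block.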
