[asterisk-users] Am I being hacked?

Ira ira at extrasensory.com
Mon Aug 19 12:50:37 CDT 2013


Hello Steve,

Sunday, August 18, 2013, 3:35:54 PM, you wrote:

> On Sun, 18 Aug 2013, Ira wrote:

>> [2013-08-18 05:56:29] NOTICE[17089][C-000000a8] chan_sip.c: 
>>        Failed to authenticate device 390<sip:390 at xx.xx.xxx.xxx>;tag=2762c06e
>> 
>> I keep getting messages like this where the IP, xx.xx.xxx.xxx, is my own 
>> IP.  How do I figure out where this attempt is coming from so I can 
>> block it?

> Any chance '390' is a legitimate (but mis-configured or obsolete) device
> on your network?

> Is xx.xx.xxx.xxx a private or public address?

> Can you 'wireshark' some packets and see if the OUI matches one of your
> endpoints?

390 is not, nor has it ever been, an extension on my box. I've gotten the same message for numerous extensions, sometimes 100-200 inclusive, usually multiple times as if they are trying multiple passwords. I'm sure that no one will ever guess an extension or password on my box that way, so I'm not worried. I've blocked most of the IPs that my box doesn't use, and it's been a long time since I've seen any outside attempts to register. But in the recent past I've been seeing these, where I've no clue what IP to block, as the entries, sip:390 at xx.xx.xxx.xxx, always contain an invalid extension and my cable modem's IP address.

xx.xx.xxx.xxx is my public I.P.

I searched Google and found no mention of my specific error.

-- Ira 
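
Added example, not part of the original message and not Asterisk code: a small triage script for the notices described above, reporting which users were tried, whether they form a consecutive sweep, and whether any logged host differs from the server's own address. It assumes each notice is a single log line and that the address in it is the URI supplied by the sender rather than the packet source; `summarize`, `SAMPLE` and the 203.0.113.10 address are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# The chan_sip notice quoted above, as one log line. "@" appears as " at "
# in the list archive, so both spellings are accepted.
LINE = re.compile(
    r"\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\](?:\[[^\]]*\])? chan_sip\.c: "
    r"Failed to authenticate device [^<]*<sip:(?P<user>[^@> ]+)(?:@| at )(?P<host>[^>;]+)>"
)

# Constructed sample lines modelled on that notice; 203.0.113.10 is a
# documentation-range stand-in for the redacted public IP.
SAMPLE = [
    f"[2013-08-18 05:56:{29 + i:02d}] NOTICE[17089][C-000000a8] chan_sip.c: "
    f"Failed to authenticate device {u}<sip:{u}@203.0.113.10>;tag=2762c06e"
    for i, u in enumerate(["390", "390", "100", "101", "101", "102", "103"])
]

def summarize(lines, own_ip, known_extensions=()):
    """Group failed-auth notices by attempted user and by URI host."""
    attempts, hosts, stamps = Counter(), Counter(), []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a failed-auth notice
        stamps.append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
        attempts[m["user"]] += 1
        hosts[m["host"]] += 1
    # Longest run of consecutive numeric users: the signature of a sweep.
    numeric = sorted(int(u) for u in attempts if u.isdigit())
    run = longest = 1 if numeric else 0
    for a, b in zip(numeric, numeric[1:]):
        run = run + 1 if b == a + 1 else 1
        longest = max(longest, run)
    return {
        "total": sum(attempts.values()),
        "unknown_users": sorted(u for u in attempts if u not in known_extensions),
        "retried_users": sorted(u for u, n in attempts.items() if n > 1),
        "longest_consecutive_run": longest,
        # Hosts that differ from our own address are the only blockable ones.
        "hosts_other_than_own": sorted(h for h in hosts if h != own_ip),
        "span_seconds": (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE, own_ip="203.0.113.10").items():
        print(f"{key}: {value}")
```

An empty `hosts_other_than_own` means the notices themselves carry nothing to block on, so the sender's address has to come from a packet capture, as suggested in the quoted reply.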