[asterisk-users] Am I cracked?

Michelle Dupuis mdupuis at ocg.ca
Mon Jun 8 15:55:43 CDT 2015


I'm guessing this is a small/home system?  I suggest you install SecAst from this site: www.telium.ca. It's free for small office / home office and will deal with these types of attacks and more.  It can also block users based on their geographic location (based on the phone number it attempted to dial, I suspect this is the Middle East), look for suspicious dialing patterns, etc.

If you still have allow guest enabled, then you should also follow the 'securing asterisk' steps from this site: http://www.voip-info.org/wiki/view/Asterisk+security

You're definitely under attack (based on the 0123456 ID) so be sure to take preventative steps to avoid a $50k phone bill.

________________________________________
From: asterisk-users-bounces at lists.digium.com <asterisk-users-bounces at lists.digium.com> on behalf of Luca Bertoncello <lucabert at lucabert.de>
Sent: Monday, June 8, 2015 3:46 PM
To: Asterisk Users List
Subject: [asterisk-users] Am I cracked?

Hi list!

Very strange...
I ran the Asterisk CLI for other tasks, and suddenly I got this message:

  == Using SIP RTP CoS mark 5
    -- Executing [000972592603325@default:1] Verbose("SIP/192.168.20.120-0000002a", "2,PROXY Call from 0123456 to 000972592603325") in new stack
  == PROXY Call from 0123456 to 000972592603325
    -- Executing [000972592603325@default:2] Set("SIP/192.168.20.120-0000002a", "CHANNEL(musicclass)=default") in new stack
    -- Executing [000972592603325@default:3] GotoIf("SIP/192.168.20.120-0000002a", "0?dialluca") in new stack
    -- Executing [000972592603325@default:4] GotoIf("SIP/192.168.20.120-0000002a", "0?dialfax") in new stack
    -- Executing [000972592603325@default:5] GotoIf("SIP/192.168.20.120-0000002a", "0?dialanika") in new stack
    -- Executing [000972592603325@default:6] Dial("SIP/192.168.20.120-0000002a", "SIP/pbxluca/000972592603325,,R") in new stack
[Jun  8 21:42:50] WARNING[18981]: app_dial.c:2345 dial_exec_full: Unable to create channel of type 'SIP' (cause 20 - Subscriber absent)
  == Everyone is busy/congested at this time (1:0/0/1)
    -- Executing [000972592603325@default:7] Hangup("SIP/192.168.20.120-0000002a", "") in new stack
  == Spawn extension (default, 000972592603325, 7) exited non-zero on 'SIP/192.168.20.120-0000002a'
[Jun  8 21:43:22] WARNING[16633]: chan_sip.c:3830 retrans_pkt: Retransmission timeout reached on transmission 8dc31ca4e660a0408450715638784d86 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32001ms with no response

At the time no phone was trying to call...
On my firewall I see a SIP packet coming from an IP in Palestine...
Am I cracked? I think I disabled all "guest" access. How can I check if my
Asterisk allows guests to originate calls?

Thanks
Luca Bertoncello
(lucabert at lucabert.de)
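
One way to answer the "how can I check" question above, as an added example that is not part of the original thread: a small audit that reads sip.conf and extensions.conf text and reports whether unauthenticated chan_sip callers land in a context containing a Dial(). The two sample configs are constructed to resemble the CLI trace; the function names are hypothetical.

```python
import re

# Constructed sample configs, modelled on the CLI trace in the quoted message.
SIP_CONF = """\
[general]
context=default      ; context used for callers that match no peer
;allowguest=no       ; left commented out, so the chan_sip default applies
"""
EXTENSIONS_CONF = """\
[default]
exten => _X.,1,Verbose(2,PROXY Call from ${CALLERID(num)} to ${EXTEN})
same => n,Dial(SIP/pbxluca/${EXTEN},,R)
same => n,Hangup()
"""

def parse_sections(text):
    """Return {section: [lines]} with ';' comments and blank lines dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif line and current is not None:
            current.append(line)
    return sections

def general_option(sections, key, default):
    """Last value of key in [general], or default when it is not set."""
    value = default
    for line in sections.get("general", []):
        name, _, val = line.partition("=")
        if name.strip().lower() == key:
            value = val.strip()
    return value

def audit_guest_access(sip_text, ext_text):
    """Report whether unauthenticated SIP callers can reach a Dial()."""
    sip = parse_sections(sip_text)
    # chan_sip defaults when unset: allowguest=yes, context=default
    truthy = {"yes", "true", "y", "t", "1", "on"}
    guest = general_option(sip, "allowguest", "yes").lower() in truthy
    ctx = general_option(sip, "context", "default")
    dials = [l for l in parse_sections(ext_text).get(ctx, [])
             if re.search(r",\s*Dial\(", l, re.I)]
    return {"allowguest": guest, "guest_context": ctx,
            "dial_lines": dials, "exposed": guest and bool(dials)}

if __name__ == "__main__":
    print(audit_guest_access(SIP_CONF, EXTENSIONS_CONF))
```

The audit does not follow "include =>" lines, so contexts included from the guest context need the same check.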
