I am not really sure, but apparently they guessed a SIP username/password. But what I don't understand is they even though I deleted that extension all together, still 'sip show peers' showed that extension. Then I figured out an easy to guess manager user and password, which I also deleted. I think it all started from the manager user/password and they created an extension on the server which 'sip show peers' would show as offline but would be making calls successfully.<br>
<br>The IPs I had to block so far are:<br><br>213.136.96.104<br>88.151.100.167<br>85.17.141.101<br>212.34.138.12<br><br><div class="gmail_quote">On Tue, Mar 24, 2009 at 5:55 AM, Gordon Henderson <span dir="ltr"><<a href="mailto:gordon%2Basterisk@drogon.net">gordon+asterisk@drogon.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="im">On Mon, 23 Mar 2009, Zeeshan Zakaria wrote:<br>
<br>
> Hi,<br>
><br>
> In last one week I have seen two servers of our organization successfully<br>
> hacked and some other under attack from some other IP addresses. We would<br>
> block one IP address on our firewall and after a few hours, they would start<br>
> getting hits from some another IP address. When I checked them on <a href="http://whois.net" target="_blank">whois.net</a>,<br>
> they all were from Amsterdam. Surprisingly, I once had similar attack in the<br>
> past and it was also from an Amsterdam IP address. And they all blong to one<br>
> same organization.<br>
><br>
> Seems like somebody in Amsterdam is really active in trying to hack asterisk<br>
> servers around the world.<br>
<br>
</div>Are you willing to share details of the hack? Eg. Did they gain root<br>
access to the server? Did they exploit a bug in the web server to run<br>
code? Did they guess SIP username/password combinarions? Or something<br>
else?<br>
<font color="#888888"><br>
Gordon<br>
</font><div><div></div><div class="h5"><br>
_______________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Zeeshan A Zakaria<br>