Y, did you have the extension logic to call to PSTN in [default] ???<br>If yes, then your system was not hacked... <br><br>you need to read some documentation and find out the [default] context is supposed<br>to be non-secure... if you allow routes to PSTN in [default] then you're inviting others to call out<br>
<br>Martin<br><br><div class="gmail_quote">On Wed, Mar 25, 2009 at 9:40 AM, David Anthony O Reilly <span dir="ltr"><<a href="mailto:oreillda@tcd.ie">oreillda@tcd.ie</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi all<div><br></div><div>I have been hacked but no idea how!!! I noticed somebody in Eastern Europe came from an American IP and tried to call loads of international numbers. Thankfully I had no credit with my VOIP out provider so the calls went nowhere. But if I had credit it would all have been used up.</div>
<div><br></div><div>I noticed hundreds of calls being made from <span style="border-collapse: collapse; white-space: pre;">clid and src being either UNKNOWN or as ASTERISK.</span></div>
<div><span style="border-collapse: collapse; white-space: pre;"><br></span></div><div><span style="border-collapse: collapse; white-space: pre;">Here are a sample:</span></div>
<div><br></div><div><div>2009-03-24 16:47:14<span style="white-space: pre;"> </span>"asterisk" <asterisk><span style="white-space: pre;"> </span>asterisk<span style="white-space: pre;"> </span>0037322483581<span style="white-space: pre;"> </span>default<span style="white-space: pre;"> </span>SIP/66.199.242.101-09da9128<span style="white-space: pre;"> </span>IAX2/out-1497<span style="white-space: pre;"> </span>Dial<span style="white-space: pre;"> </span>iax2/out/0037322483581<span style="white-space: pre;"> </span>8<span style="white-space: pre;"> </span>6<span style="white-space: pre;"> </span>ANSWERED<span style="white-space: pre;"> </span>3<span style="white-space: pre;"> </span>1237913234.1077</div>
<div><span style="white-space: pre;"> </span></div><div>2009-03-24 16:47:15<span style="white-space: pre;"> </span>"Unknown" <Unknown><span style="white-space: pre;"> </span>Unknown<span style="white-space: pre;"> </span>00380449536745<span style="white-space: pre;"> </span>default<span style="white-space: pre;"> </span>SIP/66.199.242.101-09da5230<span style="white-space: pre;"> </span>IAX2/out-516<span style="white-space: pre;"> </span>Dial iax2/out/00380449536745<span style="white-space: pre;"> </span>8<span style="white-space: pre;"> </span>7<span style="white-space: pre;"> </span>ANSWERED<span style="white-space: pre;"> </span>3<span style="white-space: pre;"> </span> <span style="white-space: pre;"> </span> <span style="white-space: pre;"> </span>1237913235.1081</div>
<div><br></div><div>I've reported it to the authorities and they are doing a backtrace to find the hacker, and in the meantime I have set my firewall that ONLY SIP requests from my own IP address can connect so my home phones can connect.</div>
<div><br></div><div>My config is ALL NORMAL - I am careful about putting it up here in case somebody else tries a fast one on me, but what I can tell you is that my passwords are all SHA1 substrings and there is no way in hell somebody could guess them. My box was not compromised either, as I went through my message logs, my ISP also has a server firewall rule set up so that one false password and the details are logged and I'm notified as somebody also tried a dictionary attack on me.</div>
<div><br></div><div>So now my system is all ruled up and I can only use it from here, if I am out and about I can't use it.</div><div><br></div><div>Anybody have any ideas about what I can do to try and find this security hole??? I am sure it's a bug as surely nobody should have been able to log into asterisk WITHOUT a password (from what i can see!!) and make calls out leaving the source and id as UNKNOWN or ASTERISK.</div>
<div><br></div><div>Thanks in advance</div><div>David</div></div>
<br>_______________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br></blockquote></div><br>