I hope I'm correct, I don't have time to verify every bit of this,<br>but....<br><br>The message <br><br>[Jun 7 17:04:16] NOTICE[7422] chan_sip.c: Failed to authenticate user<br>
"asterisk" <<a href="mailto:sip%3A3799@206.205.124.247">sip:3799@206.205.124.247</a>>;tag=as23bacb61<br>
<br>indicates the user "asterisk". Do you have a sip account for "asterisk"?<br><br>Why it would take 14 seconds and an ANSWERED dial for an unauthenticated<br>use is something to investigate!<br><br>As to the more general question of how 3799 could be unexpectedly matched<br>
in the dialplan, I would respond that there are several possibilities...<br><br>One is, Is the account with the weak<br>pword removed from sip.conf? The 3799 account? Because, it looks like <br>SIP/206.20... (you abbreviated here in the CDR you listed) is where<br>
the call is originating.<br><br>b. Did you *really* get rid of all 3799 occurrences in the dialplan? What patterns<br>do you have in the dialplan that might match 3799, after the explicit 3799 is removed?<br>Any _XXXX type patterns included or in the context in question?<br>
<br>c. I uncovered a pattern matching bug, and reported it in bug <a href="https://issues.asterisk.org/view.php?id=17366">https://issues.asterisk.org/view.php?id=17366</a><br>where unexpected patterns are matched. Sorry, I haven't had time to correct it myself, it's probably<br>
a simple 1-line fix, but oh, what it might take to figure out what the line should say, and where it is!<br><br>d. "s" is the "start" extension, and an incoming call will tend to get routed into an "s" extension.<br>
<br>You can quickly determine (b) or (c), by going to the CLI, and saying <br>"dialplan show 3799@whatever-context" and see what turns up.<br><br>murf<br><br><br><br><br><br><div class="gmail_quote">On Tue, Jun 8, 2010 at 7:50 AM, J <span dir="ltr"><<a href="mailto:jmaurer@2ergo.com">jmaurer@2ergo.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">I'm fairly new to FreePBX/Asterisk/Trixbox, but have Googled myself<br>
into submission here, so any assistance is appreciated.<br>
<br>
We had a user with a weak SIP secret recently that allowed it to be<br>
used by an outside user. The extension was 3799. I could see the<br>
intruder's calls (including the destination phone numbers) in the<br>
trixbox call report log. Because the extension was no longer used, I<br>
went ahead and deleted it, thinking that would solve the problem. I<br>
also discovered approximately the same time that the Asterisk Call<br>
Manager port was open to the outside world, which has since been<br>
closed. The web interface, ssh, etc. have never been exposed to the<br>
outside world. Since taking these actions, I restarted the asterisk<br>
server.<br>
<br>
Now, here's the issue. I don't think deleting the extension helped.<br>
Now I see entries like this in the reports log:<br>
<br>
Calldate Channel Source Clid Dst Disposition Duration<br>
1. 2010-06-07 16:47:38 SIP/206.20... 3799 "asterisk"<br>
<3799> s ANSWERED 00:14<br>
<br>
The "Dst" field being "s", where it used to be the phone number being<br>
dialed. How is this extension able to be used even after it has been<br>
deleted?<br>
<br>
Strangely, what I've done to keep the user out in the meantime is<br>
re-created the 3799 extension with a better secret. This results in<br>
log entries like the following:<br>
<br>
[Jun 7 17:04:16] NOTICE[7422] chan_sip.c: Failed to authenticate user<br>
"asterisk" <<a href="mailto:sip%3A3799@206.205.124.247">sip:3799@206.205.124.247</a>>;tag=as23bacb61<br>
<br>
Why can sip:3799 connect and make calls when the extension doesn't<br>
exist? Is this person somehow using a "user" account? I've checked<br>
both /etc/asterisk and the MySQL tables and am not coming up with<br>
much. What does it mean that their destination is "s", not a phone<br>
number?<br>
<br>
Thanks for any assistance!<br>
J<br>
<br>
</blockquote></div><br><br clear="all"><br>-- <br>Steve Murphy<br>ParseTree Corp<br><br>
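Added example, not part of the original messages and not Asterisk's own code: an offline version of the check in point (b), listing which extensions in a dialplan file would still match 3799 once the explicit entry is gone. The sample dialplan and context names are constructed; the script assumes the standard pattern characters (X, Z, N, [set], "." and "!"), does not follow include statements, and does not model the bug referenced in (c).

```python
import re
# Constructed sample dialplan; context names and entries are hypothetical.
SAMPLE = """\
[from-internal]
exten => 3798,1,Dial(SIP/3798)
exten => _XXXX,1,Dial(SIP/${EXTEN})
[from-sip-external]
exten => s,1,Answer()
exten => _37[5-9]X,1,Goto(from-internal,${EXTEN},1)
exten => _.,1,Hangup()
"""
CLASSES = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]"}

def pattern_to_regex(ext):
    """Translate one extension (literal or _pattern) into an anchored regex."""
    if not ext.startswith("_"):            # no leading underscore: literal match
        return re.compile(re.escape(ext) + r"\Z")
    out, i, body = [], 0, ext[1:]
    while i < len(body):
        ch = body[i]
        if ch in CLASSES:
            out.append(CLASSES[ch])
        elif ch == "[" and "]" in body[i:]:  # character set, e.g. [5-9]
            end = body.index("]", i)
            out.append("[" + re.escape(body[i + 1:end]).replace("\\-", "-") + "]")
            i = end
        elif ch in ".!":                   # '.': one or more chars, '!': zero or more
            out.append(".+" if ch == "." else ".*")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out) + r"\Z")

def matching_patterns(dialplan, dialed):
    """List (context, extension) pairs, in file order, that match `dialed`."""
    hits, context = [], None
    for raw in dialplan.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop trailing comments
        header = re.match(r"\[([^\]]+)\]", line)
        entry = re.match(r"exten\s*=>?\s*([^,]+),", line)
        if header:
            context = header.group(1)
        elif entry and context:
            ext = entry.group(1).strip()
            if pattern_to_regex(ext).match(dialed) and (context, ext) not in hits:
                hits.append((context, ext))
    return hits

if __name__ == "__main__":
    print(matching_patterns(SAMPLE, "3799"))
```

On the running server, "dialplan show 3799@whatever-context" from the reply above remains the authoritative answer, since it reflects includes and the loaded configuration.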