Asterisk has been hacked

We managed to catch and block several hack attempts, but now we are having calls going out when all of the agents are on break or gone for the day. Is there any way we can block a hacked SIP, without an IP address? Here are some of the logs that we’ve found:

-- Executing [916182826642@default:1] AGI("SIP/5060-00012a4c", "agi://127.0.0.1:4577/call_log") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log completed, returning 0
-- Executing [916182826642@default:2] Dial("SIP/5060-00012a4c", "SIP/16182826642@mycarrier||To") in new stack
-- Called 16182826642@mycarrier
-- SIP/airspring4-00012a39 is making progress passing it to SIP/5060-00012a38
-- SIP/airspring4-00012a0f answered SIP/5060-00012a0e
-- Executing [919284755999@default:1] AGI("SIP/5060-00012a4e", "agi://127.0.0.1:4577/call_log") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log completed, returning 0
-- Executing [919284755999@default:2] Dial("SIP/5060-00012a4e", "SIP/19284755999@mycarrier||To") in new stack
-- Called 19284755999@mycarrier
-- SIP/airspring4-00012a1d is making progress passing it to SIP/5060-00012a1c
-- Executing [915804262705@default:1] AGI("SIP/5060-00012a50", "agi://127.0.0.1:4577/call_log") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log completed, returning 0
-- Executing [915804262705@default:2] Dial("SIP/5060-00012a50", "SIP/15804262705@mycarrier||To") in new stack
-- Called 15804262705@mycarrier

Local devices should not have guessable names and passwords.

Incoming trunks should land on contexts that cannot make toll calls.

The security log should give you the relevant IP addresses.

If you must have 5060/UDP open then it should be locked down to only the IP addresses needed to access it (either by hardware firewall rules or using iptables on the PBX system).
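The posted log already shows the pattern the reply above warns about: the caller of every Dial() is the inbound trunk channel (SIP/5060-...) and the destination is the carrier, i.e. calls relayed straight through the PBX. Below is an added detection script, not from the thread, that scans Asterisk verbose log lines for that pattern; the sample lines are constructed from the post, and the trunk peer name "5060" is an assumption about this setup.

```python
import re

# Constructed sample of Asterisk CLI verbose output, modelled on the lines in the post.
# The last line is a normal internal call (agent to agent) and must NOT be flagged.
SAMPLE_LOG = """\
    -- Executing [916182826642@default:1] AGI("SIP/5060-00012a4c", "agi://127.0.0.1:4577/call_log") in new stack
    -- Executing [916182826642@default:2] Dial("SIP/5060-00012a4c", "SIP/16182826642@mycarrier||To") in new stack
    -- Called 16182826642@mycarrier
    -- Executing [919284755999@default:1] AGI("SIP/5060-00012a4e", "agi://127.0.0.1:4577/call_log") in new stack
    -- Executing [919284755999@default:2] Dial("SIP/5060-00012a4e", "SIP/19284755999@mycarrier||To") in new stack
    -- Executing [915804262705@default:2] Dial("SIP/5060-00012a50", "SIP/15804262705@mycarrier||To") in new stack
    -- Executing [2002@default:1] Dial("SIP/agent12-00012a60", "SIP/2002") in new stack
"""

# Matches "Executing [exten@context:prio] Dial("caller-channel", "dial-string")".
DIAL_RE = re.compile(
    r'Executing \[(?P<exten>[^@\]]+)@(?P<context>[^:\]]+):\d+\] '
    r'Dial\("(?P<chan>[^"]+)", "(?P<dest>[^"]+)"'
)

# Assumption: "5060" is the peer name of the inbound trunk in this PBX.
TRUNK_PEERS = {"5060"}


def peer_of(channel):
    """'SIP/5060-00012a4c' -> '5060': drop the tech prefix and the per-call suffix."""
    name = channel.split("/", 1)[1]
    return name.rsplit("-", 1)[0]


def find_trunk_originated_dials(log_text):
    """Return every Dial() whose *caller* is an inbound trunk channel and whose
    destination goes back out to a peer (contains '@'). An inbound trunk should
    land in a context that cannot do this at all, so any hit is worth an alarm."""
    hits = []
    for line in log_text.splitlines():
        m = DIAL_RE.search(line)
        if m and peer_of(m["chan"]) in TRUNK_PEERS and "@" in m["dest"]:
            hits.append({"peer": peer_of(m["chan"]), "context": m["context"],
                         "exten": m["exten"], "dest": m["dest"]})
    return hits


if __name__ == "__main__":
    for h in find_trunk_originated_dials(SAMPLE_LOG):
        print(f"trunk {h['peer']} relayed {h['exten']} via context {h['context']} -> {h['dest']}")
```

Run it over the full messages log; the context names in the hits tell you which inbound context still has a route to the carrier and needs to be cut off.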

Hi

You may want to check your configuration of the manager.conf and any firewall rules you have set up. What we have noted over the last month or so is probing of the manager port. This seems to be coming from vicidial systems based in Florida.
Have a look through your logs and see if any failed manager logins are shown. Also make sure your manager.conf and firewall are secure.