Hi All
Can anyone help me find out why my CDR is full of calls made from numbers such as 2222, 260 or 4444 … the list is endless. Yesterday for example the system was hardly used, so almost all of the 7000 records for yesterday is all this. Sample data below … ignore the channel colum, i’ve stared out our IP
04/06/2013 00:21 “2222” <2222> 2222 musiconhold app-blackhole **** Answer 0 0 ANSWERED 3 1370301704 s
04/06/2013 00:21 “2222” <2222> 2222 musiconhold app-blackhole **** Answer 0 0 ANSWERED 3 1370301704 s
04/06/2013 00:22 “3333” <3333> 3333 musiconhold app-blackhole **** Answer 0 0 ANSWERED 3 1370301725 s
04/06/2013 00:22 “3333” <3333> 3333 musiconhold app-blackhole **** Answer 0 0 ANSWERED 3 1370301725 s
04/06/2013 00:22 “260” <260> 260 musiconhold app-blackhole **** Answer 0 0 ANSWERED 3 1370301735 s
04/06/2013 00:22 “260” <260> 260 musiconhold app-blackhole **** Answer 0 0 ANSWERED 3 1370301735 s
Do you have your Asterisk available from the internet? If this is the case, I suggest your learn how to protect your server against attacks.
The logging suggests that you have been protected by a last line of defence that someone has programmed into the dialplan. However, you should read the readme seriously document that comes with Asterisk.
It is most likely the attacker is getting this for because you have allowguest enabled.
The extension numbers used indicate why it is important that you do not use extension numbers in sip.conf, as it is too easy to guess valid extension numbers.
If you are only getting extension numbers listed that are actually configured as SIP resource names, you have a more serious problem, as it is not an allowguest problem, but a weak SIP password one.
You should block source IP addresses that have no legitimate business with the Asterisk system as close to the internet boundary as possible.
Asterisk General is a discussion forum, not a support one. You should have used Asterisk Support.
thanks