Fraud attempt

Asterisk Asterisk Support
1

Hi,
I think I’m victim of a fraud attempt on my server… Every 30 minutes I see a strange attempt of calling. Here the log:

[2013-08-19 09:29:57] VERBOSE[7192] sig_pri.c: -- Accepting call from '171' to '8000448455917522' on channel 0/2, span 2 [2013-08-19 09:29:57] VERBOSE[32628] pbx.c: -- Executing [8000448455917522@from-pstn:1] Set("DAHDI/i2/171-1860", "__FROM_DID=8000448455917522") in new stack [2013-08-19 09:29:57] VERBOSE[32628] pbx.c: -- Executing [8000448455917522@from-pstn:2] NoOp("DAHDI/i2/171-1860", "Received an unknown call with DID set to 8000448455917522") in new stack [2013-08-19 09:29:57] VERBOSE[32628] pbx.c: -- Executing [8000448455917522@from-pstn:3] Goto("DAHDI/i2/171-1860", "s,a2") in new stack [2013-08-19 09:29:57] VERBOSE[32628] pbx.c: -- Executing [s@from-pstn:2] Answer("DAHDI/i2/171-1860", "") in new stack [2013-08-19 09:29:57] VERBOSE[32628] pbx.c: -- Executing [s@from-pstn:3] Wait("DAHDI/i2/171-1860", "2") in new stack [2013-08-19 09:29:57] VERBOSE[32628] pbx.c: == Spawn extension (from-pstn, s, 3) exited non-zero on 'DAHDI/i2/171-1860' [2013-08-19 09:29:57] VERBOSE[32628] pbx.c: -- Executing [h@from-pstn:1] Macro("DAHDI/i2/171-1860", "hangupcall,") in new stack [2013-08-19 09:29:57] VERBOSE[32628] pbx.c: -- Executing [s@macro-hangupcall:1] GotoIf("DAHDI/i2/171-1860", "1?skiprg") in new stack [2013-08-19 09:29:57] VERBOSE[32628] pbx.c: -- Executing [s@macro-hangupcall:4] GotoIf("DAHDI/i2/171-1860", "1?skipblkvm") in new stack [2013-08-19 09:29:57] VERBOSE[32628] pbx.c: -- Executing [s@macro-hangupcall:7] GotoIf("DAHDI/i2/171-1860", "1?theend") in new stack [2013-08-19 09:29:57] VERBOSE[32628] pbx.c: -- Executing [s@macro-hangupcall:9] Set("DAHDI/i2/171-1860", "CDR(userfield)= Hangupcause:16 ") in new stack [2013-08-19 09:29:57] VERBOSE[32628] pbx.c: -- Executing [s@macro-hangupcall:10] Hangup("DAHDI/i2/171-1860", "") in new stack [2013-08-19 09:29:57] VERBOSE[32628] app_macro.c: == Spawn extension (macro-hangupcall, s, 10) exited non-zero on 'DAHDI/i2/171-1860' in macro 'hangupcall' [2013-08-19 09:29:57] VERBOSE[32628] pbx.c: == Spawn extension (from-pstn, h, 1) exited non-zero on 'DAHDI/i2/171-1860' [2013-08-19 09:29:57] VERBOSE[32628] chan_dahdi.c: -- Hungup 'DAHDI/i2/171-1860'

I don’t have any did like “8000448455917522” and neither the extension used exists. The strange thing is that the interface used is DAHDI (not sip!) so I don’t know how to block these attempts. Another thing is that on every attempt the extension used (here is “171”) increases and become !72, 173…

Could you help me please?

Thank you so much

Zuzu

2

I think you need to have a talk with your telephony provider :wink:

3

Talk to your supplier and also check your log files.

4

Hi all,

Beside check with telephone provider, does anyone know any solution to protect in the asterisk system?
Currently, I had many attempted on my system too. Could anyone provide any tool or software to protection it?

Thanks.

5

This case is unusual, in that the attack is over ISDN. For the normal SIP type attacks see my reply to viewtopic.php?f=13&t=90667

If the attack is really over ISDN, you need to talk to the service provider. However, the normal expedient of ensuring that the context used cannot make any chargeable calls will limit the damage to just denial of service.

6

By using IPTables rules you can block malicious VoIP scanners from reaching your Asterisk server. For details, please refer to my IPTables security HOW-TO for Asterisk servers, as linked here:

viewtopic.php?f=1&t=89191#p196238

7

The thread is not about attacks over IP.