Hey,
So I am a tad new to Asterisk and Trixbox, so I thought I would let the Pro’s have a go at rectifying my headache. After we had a brute force attempt on our local Trixbox server, I installed fail2ban to stop repeats happening. Since installing fail2ban I am receiving ghost calls from long numbers which cause the phone to ring. This is the log I got from asterisk -r for the last call.
== Using SIP VRTP CoS mark 6
– Executing [601315568315@from-sip-external:1] NoOp(“SIP/5060-00000244”, “Received incoming SIP connection from unknown peer to 601315568315”) in new stack
– Executing [601315568315@from-sip-external:2] Set(“SIP/5060-00000244”, “DID=601315568315”) in new stack
– Executing [601315568315@from-sip-external:3] Goto(“SIP/5060-00000244”, “s,1”) in new stack
– Goto (from-sip-external,s,1)
– Executing [s@from-sip-external:1] GotoIf(“SIP/5060-00000244”, “1?from-trunk,601315568315,1”) in new stack
– Goto (from-trunk,601315568315,1)
– Executing [601315568315@from-trunk:1] NoOp(“SIP/5060-00000244”, “Catch-All DID Match - Found 601315568315 - You probably want a DID for this.”) in new stack
– Executing [601315568315@from-trunk:2] Goto(“SIP/5060-00000244”, “ext-did,s,1”) in new stack
– Goto (ext-did,s,1)
– Executing [s@ext-did:1] Set(“SIP/5060-00000244”, “__FROM_DID=s”) in new stack
– Executing [s@ext-did:2] Gosub(“SIP/5060-00000244”, “app-blacklist-check,s,1”) in new stack
– Executing [s@app-blacklist-check:1] GotoIf(“SIP/5060-00000244”, “0?blacklisted”) in new stack
– Executing [s@app-blacklist-check:2] Return(“SIP/5060-00000244”, “”) in new stack
– Executing [s@ext-did:3] ExecIf(“SIP/5060-00000244”, “1 ?Set(CALLERID(name)=16013155683151)”) in new stack
– Executing [s@ext-did:4] Set(“SIP/5060-00000244”, “__CALLINGPRES_SV=allowed_not_screened”) in new stack
– Executing [s@ext-did:5] Set(“SIP/5060-00000244”, “CALLERPRES()=allowed_not_screened”) in new stack
– Executing [s@ext-did:6] Goto(“SIP/5060-00000244”, “from-did-direct,100,1”) in new stack
– Goto (from-did-direct,100,1)
– Executing [100@from-did-direct:1] Macro(“SIP/5060-00000244”, “exten-vm,100,100”) in new stack
– Executing [s@macro-exten-vm:1] Macro(“SIP/5060-00000244”, “user-callerid”) in new stack
– Executing [s@macro-user-callerid:1] Set(“SIP/5060-00000244”, “AMPUSER=16013155683151”) in new stack
– Executing [s@macro-user-callerid:2] GotoIf(“SIP/5060-00000244”, “0?report”) in new stack
– Executing [s@macro-user-callerid:3] ExecIf(“SIP/5060-00000244”, “1?Set(REALCALLERIDNUM=16013155683151)”) in new stack
– Executing [s@macro-user-callerid:4] Set(“SIP/5060-00000244”, “AMPUSER=”) in new stack
– Executing [s@macro-user-callerid:5] Set(“SIP/5060-00000244”, “AMPUSERCIDNAME=”) in new stack
– Executing [s@macro-user-callerid:6] GotoIf(“SIP/5060-00000244”, “1?report”) in new stack
– Goto (macro-user-callerid,s,10)
– Executing [s@macro-user-callerid:10] GotoIf(“SIP/5060-00000244”, “0?continue”) in new stack
– Executing [s@macro-user-callerid:11] Set(“SIP/5060-00000244”, “__TTL=64”) in new stack
– Executing [s@macro-user-callerid:12] GotoIf(“SIP/5060-00000244”, “1?continue”) in new stack
– Goto (macro-user-callerid,s,19)
– Executing [s@macro-user-callerid:19] NoOp(“SIP/5060-00000244”, “Using CallerID “16013155683151” <16013155683151>”) in new stack
– Executing [s@macro-exten-vm:2] Set(“SIP/5060-00000244”, “RingGroupMethod=none”) in new stack
– Executing [s@macro-exten-vm:3] Set(“SIP/5060-00000244”, “VMBOX=100”) in new stack
– Executing [s@macro-exten-vm:4] Set(“SIP/5060-00000244”, “EXTTOCALL=100”) in new stack
– Executing [s@macro-exten-vm:5] Set(“SIP/5060-00000244”, “CFUEXT=”) in new stack
– Executing [s@macro-exten-vm:6] Set(“SIP/5060-00000244”, “CFBEXT=”) in new stack
– Executing [s@macro-exten-vm:7] Set(“SIP/5060-00000244”, “RT=15”) in new stack
– Executing [s@macro-exten-vm:8] Macro(“SIP/5060-00000244”, “record-enable,100,IN”) in new stack
– Executing [s@macro-record-enable:1] GotoIf(“SIP/5060-00000244”, “1?check”) in new stack
– Goto (macro-record-enable,s,4)
– Executing [s@macro-record-enable:4] AGI(“SIP/5060-00000244”, “recordingcheck,20120709-115737,1341831457.580”) in new stack
– Launched AGI Script /var/lib/asterisk/agi-bin/recordingcheck
recordingcheck,20120709-115737,1341831457.580: Inbound recording not enabled
– <SIP/5060-00000244>AGI Script recordingcheck completed, returning 0
– Executing [s@macro-record-enable:5] MacroExit(“SIP/5060-00000244”, “”) in new stack
– Executing [s@macro-exten-vm:9] Macro(“SIP/5060-00000244”, “dial,15,tr,100”) in new stack
– Executing [s@macro-dial:1] GotoIf(“SIP/5060-00000244”, “1?dial”) in new stack
– Goto (macro-dial,s,3)
– Executing [s@macro-dial:3] AGI(“SIP/5060-00000244”, “dialparties.agi”) in new stack
– Launched AGI Script /var/lib/asterisk/agi-bin/dialparties.agi
dialparties.agi: Starting New Dialparties.agi
dialparties.agi: Caller ID name is ‘16013155683151’ number is '16013155683151’
dialparties.agi: Methodology of ring is ‘none’
– dialparties.agi: Added extension 100 to extension map
– dialparties.agi: Extension 100 cf is disabled
– dialparties.agi: Extension 100 do not disturb is disabled
dialparties.agi: EXTENSION_STATE: 0 (NOT_INUSE)
– dialparties.agi: dbset CALLTRACE/100 to 16013155683151
– dialparties.agi: Filtered ARG3: 100
– <SIP/5060-00000244>AGI Script dialparties.agi completed, returning 0
– Executing [s@macro-dial:7] Dial(“SIP/5060-00000244”, “SIP/100,15,tr”) in new stack
== Using SIP RTP TOS bits 184
== Using SIP RTP CoS mark 5
== Using SIP VRTP TOS bits 136
== Using SIP VRTP CoS mark 6
– Called 100
– SIP/100-00000245 is ringing
– SIP/100-00000245 answered SIP/5060-00000244
– Executing [h@macro-dial:1] Macro(“SIP/5060-00000244”, “hangupcall”) in new stack
– Executing [s@macro-hangupcall:1] GotoIf(“SIP/5060-00000244”, “1?skiprg”) in new stack
– Goto (macro-hangupcall,s,4)
– Executing [s@macro-hangupcall:4] GotoIf(“SIP/5060-00000244”, “1?skipblkvm”) in new stack
– Goto (macro-hangupcall,s,7)
– Executing [s@macro-hangupcall:7] GotoIf(“SIP/5060-00000244”, “1?theend”) in new stack
– Goto (macro-hangupcall,s,9)
– Executing [s@macro-hangupcall:9] Hangup(“SIP/5060-00000244”, “”) in new stack
Are the calls malicious? Or is Asterisk going a tad strange?
Much love,
Peter