HACK to multiple sip accounts

Hello,

I am running Asterisk 1.4.

Today, we had a hacker place calls to North Korea. Luckily we caught it early and only lost $350 in calls.

We have very good passwords on all the SIP accounts. Sometimes the passwords are at least 24 characters in length and are completely random.

Does anyone know of any exploit on 1.4 that may cause this? I don’t see any SSH attempts from the hacker’s IP address.
I replaced our machine’s IP address with OURIPADDRESS. If anyone has any thoughts, please let me know.

Looks like the hack came from the below SIP software:
VaxSipUserAgent

Thanks for any help

full.1:[Mar 11 20:55:57] VERBOSE[3107] logger.c: -- Registered SIP '9999' at 80.14.47.112 port 5060
full.1:[Mar 11 21:06:29] VERBOSE[3107] logger.c: -- Registered SIP '9999' at 80.14.47.112 port 5061
full.1:[Mar 11 21:12:12] VERBOSE[3107] logger.c: -- Registered SIP '9999' at 80.14.47.112 port 5060
full.1:[Mar 11 21:14:42] VERBOSE[3107] logger.c: -- Registered SIP '17771230021' at 80.14.47.112 port 5060
full.1:[Mar 11 21:15:19] VERBOSE[3107] logger.c: -- Registered SIP '17771230021' at 80.14.47.112 port 5060
full.1:[Mar 11 21:15:50] VERBOSE[3107] logger.c: -- Registered SIP '105' at 80.14.47.112 port 5060
full.1:[Mar 11 21:15:53] VERBOSE[3107] logger.c: -- Registered SIP '105' at 80.14.47.112 port 5060
full.1:[Mar 11 21:32:32] VERBOSE[3107] logger.c: -- Registered SIP '611' at 80.14.47.112 port 5062
full.1:[Mar 11 21:33:07] VERBOSE[3107] logger.c: -- Registered SIP '611' at 80.14.47.112 port 5060
full.1:[Mar 11 21:33:28] VERBOSE[3107] logger.c: -- Registered SIP '9999' at 80.14.47.112 port 5060
full.1:[Mar 11 21:33:46] VERBOSE[3107] logger.c: -- Registered SIP '611' at 80.14.47.112 port 5060
full.1:[Mar 11 21:35:30] NOTICE[3107] chan_sip.c: Registration from 'sip:3750304068@OURIPADDRESS;transport=UDP' failed for '80.14.47.112' - Peer is not supposed to register
full.1:[Mar 11 21:35:31] NOTICE[3107] chan_sip.c: Registration from 'sip:3750304068@OURIPADDRESS;transport=UDP' failed for '80.14.47.112' - Peer is not supposed to register
full.1:[Mar 11 21:35:34] NOTICE[3107] chan_sip.c: Registration from 'sip:3750304068@OURIPADDRESS;transport=UDP' failed for '80.14.47.112' - Peer is not supposed to register
full.1:[Mar 11 21:35:35] NOTICE[3107] chan_sip.c: Registration from 'sip:3750304068@OURIPADDRESS;transport=UDP' failed for '80.14.47.112' - Peer is not supposed to register
full.1:[Mar 11 21:35:59] NOTICE[3107] chan_sip.c: Registration from 'sip:3750304068@OURIPADDRESS;transport=UDP' failed for '80.14.47.112' - Peer is not supposed to register
full.1:[Mar 11 21:35:59] NOTICE[3107] chan_sip.c: Registration from 'sip:3750304068@OURIPADDRESS;transport=UDP' failed for '80.14.47.112' - Peer is not supposed to register
full.1:[Mar 11 21:37:22] NOTICE[3107] chan_sip.c: Registration from 'sip:9567151600@OURIPADDRESS;transport=UDP' failed for '80.14.47.112' - Peer is not supposed to register
full.1:[Mar 11 21:37:23] NOTICE[3107] chan_sip.c: Registration from 'sip:9567151600@OURIPADDRESS;transport=UDP' failed for '80.14.47.112' - Peer is not supposed to register
full.1:[Mar 11 21:37:51] NOTICE[3107] chan_sip.c: Registration from 'sip:9567151600@OURIPADDRESS;transport=UDP' failed for '80.14.47.112' - Peer is not supposed to register
full.1:[Mar 11 21:37:51] NOTICE[3107] chan_sip.c: Registration from 'sip:9567151600@OURIPADDRESS;transport=UDP' failed for '80.14.47.112' - Peer is not supposed to register
full.1:[Mar 11 21:40:01] NOTICE[3107] chan_sip.c: Registration from 'sip:9567151600@OURIPADDRESS;transport=UDP' failed for '80.14.47.112' - Peer is not supposed to register
full.1:[Mar 11 21:40:01] NOTICE[3107] chan_sip.c: Registration from 'sip:9567151600@OURIPADDRESS;transport=UDP' failed for '80.14.47.112' - Peer is not supposed to register
full.1:[Mar 11 21:40:17] NOTICE[3107] chan_sip.c: Registration from 'sip:080376@OURIPADDRESS;transport=UDP' failed for '80.14.47.112' - Wrong password
full.1:[Mar 11 21:40:22] NOTICE[3107] chan_sip.c: Registration from 'sip:080376@OURIPADDRESS;transport=UDP' failed for '80.14.47.112' - Wrong password
full.1:[Mar 11 21:41:43] VERBOSE[3107] logger.c: -- Registered SIP '111' at 80.14.47.112 port 5060
full.1:[Mar 11 21:43:34] VERBOSE[3107] logger.c: -- Registered SIP 'meraltest' at 80.14.47.112 port 5060
full.1:[Mar 11 21:44:26] VERBOSE[3107] logger.c: -- Registered SIP '110' at 80.14.47.112 port 5060
full.1:[Mar 11 21:44:52] VERBOSE[3107] logger.c: -- Registered SIP '17771230007' at 80.14.47.112 port 5060
full.1:[Mar 11 21:48:32] VERBOSE[3107] logger.c: -- Registered SIP '611' at 80.14.47.112 port 5060
full.1:[Mar 11 21:49:30] NOTICE[3107] chan_sip.c: Registration from 'sip:611@OURIPADDRESS;transport=UDP' failed for '80.14.47.112' - Wrong password
full.1:[Mar 11 21:50:09] NOTICE[3107] chan_sip.c: Registration from 'sip:611@sip.truecallinternational.com;transport=UDP' failed for '80.14.47.112' - Wrong password
full.1:[Mar 11 21:53:47] VERBOSE[3107] logger.c: -- Registered SIP '611' at 80.14.47.112 port 5060
full.1:[Mar 11 21:54:36] VERBOSE[3107] logger.c: -- Registered SIP '8977869905' at 80.14.47.112 port 5060
full.1:[Mar 11 21:55:45] VERBOSE[3107] logger.c: -- Registered SIP '9999' at 80.14.47.112 port 5061
full.1:[Mar 11 22:08:09] VERBOSE[3107] logger.c: -- Registered SIP '9999' at 80.14.47.112 port 5061
full.1:[Mar 11 22:08:19] VERBOSE[3107] logger.c: -- Registered SIP '611' at 80.14.47.112 port 5061

See viewtopic.php?f=1&t=77151
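Added example (my code, not from the thread or from the Asterisk project): it parses lines in the format of the log posted above and flags the two patterns visible in it, many different accounts registering from one source address and a burst of failed registrations from one address. The sample lines, the two thresholds and the addresses 203.0.113.5 and 192.0.2.10 are constructed for this example.

```python
"""Flag SIP registration anomalies in Asterisk 1.4 'full' log lines.

Two signals from the log posted in the thread are checked:
  * one source IP successfully registering many different accounts, and
  * repeated 'Registration ... failed' notices from one source IP.
Sample lines below are constructed; 203.0.113.5 and 192.0.2.10 are
documentation addresses, not the thread's real source.
"""
import re
from collections import defaultdict
from datetime import datetime

# The 'full' log prefix, with or without the 'full.1:' grep prefix seen in the post.
LOG_RE = re.compile(
    r"^(?:[\w.]+:)?\[(?P<ts>[^\]]+)\]\s+(?P<level>\w+)\[\d+\]\s+\S+:\s+(?P<msg>.*)$"
)
# ASCII and the forum's curly quotes / en dash are both accepted, so pasted logs parse too.
REGISTERED_RE = re.compile(
    r"(?:--|\u2013)\s+Registered SIP ['\u2018](?P<account>[^'\u2019]+)['\u2019] "
    r"at (?P<ip>[\d.]+) port \d+"
)
FAILED_RE = re.compile(
    r"Registration from ['\u2018]sip:(?P<account>[^@'\u2019]+)@[^'\u2019]*['\u2019] "
    r"failed for ['\u2018](?P<ip>[\d.]+)['\u2019] - (?P<reason>.*)$"
)


def parse_line(line):
    """Return a dict describing a registration event, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # The 'full' log carries no year; strptime fills in 1900, which still orders events.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    msg = m.group("msg")
    r = REGISTERED_RE.search(msg)
    if r:
        return {"ts": ts, "event": "registered", "account": r.group("account"), "ip": r.group("ip")}
    f = FAILED_RE.search(msg)
    if f:
        return {"ts": ts, "event": "failed", "account": f.group("account"),
                "ip": f.group("ip"), "reason": f.group("reason")}
    return None


def find_anomalies(lines, max_accounts_per_ip=2, max_failures_per_ip=5):
    """Group registration events by source IP and apply two thresholds.

    max_accounts_per_ip: more distinct accounts than this registering from a
        single address is suspicious where each phone has its own address.
    max_failures_per_ip: this many failed registrations from one address
        suggests scanning or password guessing.
    Both thresholds are chosen for this example and should be tuned per site.
    """
    accounts_by_ip = defaultdict(set)
    failures_by_ip = defaultdict(int)
    for event in filter(None, map(parse_line, lines)):
        if event["event"] == "registered":
            accounts_by_ip[event["ip"]].add(event["account"])
        else:
            failures_by_ip[event["ip"]] += 1
    return {
        "multi_account_sources": {ip: sorted(a) for ip, a in accounts_by_ip.items()
                                  if len(a) > max_accounts_per_ip},
        "failure_sources": {ip: n for ip, n in failures_by_ip.items()
                            if n >= max_failures_per_ip},
    }


# Constructed sample in the thread's log format (not the thread's real data).
SAMPLE_LOG = """\
full.1:[Mar 11 20:55:57] VERBOSE[3107] logger.c: -- Registered SIP '9999' at 203.0.113.5 port 5060
full.1:[Mar 11 21:14:42] VERBOSE[3107] logger.c: -- Registered SIP '17771230021' at 203.0.113.5 port 5060
full.1:[Mar 11 21:15:50] VERBOSE[3107] logger.c: -- Registered SIP '105' at 203.0.113.5 port 5060
full.1:[Mar 11 21:35:30] NOTICE[3107] chan_sip.c: Registration from 'sip:3750304068@OURIPADDRESS;transport=UDP' failed for '203.0.113.5' - Peer is not supposed to register
full.1:[Mar 11 21:35:31] NOTICE[3107] chan_sip.c: Registration from 'sip:3750304068@OURIPADDRESS;transport=UDP' failed for '203.0.113.5' - Peer is not supposed to register
full.1:[Mar 11 21:35:34] NOTICE[3107] chan_sip.c: Registration from 'sip:3750304068@OURIPADDRESS;transport=UDP' failed for '203.0.113.5' - Peer is not supposed to register
full.1:[Mar 11 21:40:17] NOTICE[3107] chan_sip.c: Registration from 'sip:080376@OURIPADDRESS;transport=UDP' failed for '203.0.113.5' - Wrong password
full.1:[Mar 11 21:40:22] NOTICE[3107] chan_sip.c: Registration from 'sip:080376@OURIPADDRESS;transport=UDP' failed for '203.0.113.5' - Wrong password
full.1:[Mar 11 21:41:43] VERBOSE[3107] logger.c: -- Registered SIP '111' at 203.0.113.5 port 5060
full.1:[Mar 11 21:42:00] VERBOSE[3107] logger.c: -- Registered SIP '1000' at 192.0.2.10 port 5060
full.1:[Mar 11 21:43:00] VERBOSE[3107] logger.c: -- Executing [s@default:1] NoOp() in new stack
"""

if __name__ == "__main__":
    for kind, hits in find_anomalies(SAMPLE_LOG.splitlines()).items():
        for ip, detail in hits.items():
            print(f"{kind}: {ip} -> {detail}")
```

Run it against the real file with `find_anomalies(open("/var/log/asterisk/full").read().splitlines())`; in the thread's own log every registration in the hour after 20:55 comes from the same address, which is exactly what the first rule reports.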

A repost of the original blog post by J Todd is here, as finding the original isn’t too easy. You would have thought searching for, say, “SIP Security” might have brought it to light. So until I or someone else locates the original, here’s a “reprint” of it.

cyber-cottage.co.uk/site/index.p … &Itemid=63

Ian
www.cyber-cottage.co.uk

If you found solutions, how could you solve this problem? Thanks

Without knowing the specifics of your case, one can’t answer that. However, having allowguest set wrongly is a likely problem.

I have been reading something regarding “allowguest”. If I understood correctly, the document is trying to say that by default allowguest is set to yes in sip.conf, and it means that all guests could place calls through Asterisk. I am wondering whether I interpreted the document correctly…

And according to the document, it seems that allowguest=no should be set in the sip.conf [general] section. Would you agree with this statement?

Thanks

For most people, on production systems, allowguest should be no.

It is set to yes because that causes the fewest problems for someone just experimenting with Asterisk.

[quote=“david55”]For most people, on production systems, allowguest should be no.

It is set to yes because that causes the fewest problems for someone just experimenting with Asterisk.[/quote]

Thanks for your message, but I am still a little bit confused. For example, I have an Asterisk for testing purposes. If I have the following settings in “sip.conf”:
[general]
context=incoming
; allowguest and alwaysauthreject are [general] options; chan_sip does not
; apply them from any other section (such as a [globals] section)
alwaysauthreject=yes
allowguest=yes

[1000]
type=friend
secret=password
dtmfmode=rfc2833
callerid="First Phone" <1000>
host=dynamic ; The device must always register
canreinvite=no
permit=0.0.0.0/0.0.0.0
context=phones
nat=yes

It seems that at the moment we only have one extension, 1000, available, and at the same time “allowguest=yes”. According to the document, it means that anonymous callers are permitted to place calls to Asterisk. But my QUESTION is, in this case, how could anonymous users log in to my Asterisk to place calls without knowing the details of 1000?

Use an account other than 1000.

I’m not completely sure how alwaysauthreject interacts with allowguest, but that is irrelevant, in that, if you don’t need allowguest, don’t use it.
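An added example (mine, not from the thread or from Asterisk) that checks a sip.conf for the points raised in this part of the thread: allowguest=no and alwaysauthreject=yes in [general], those two options misplaced in another section such as [globals] where chan_sip ignores them, short secrets, and a permit rule that admits every source address. Both configurations are constructed: the first mirrors the test config quoted above, the second is a hardened version of it; the 24-character secret and the 192.0.2.0/24 subnet are placeholders, and the 12-character minimum is a threshold chosen for the example.

```python
"""Audit an Asterisk 1.4 sip.conf for the settings this thread discusses.

Checks: allowguest=no and alwaysauthreject=yes in [general]; those two
options placed in some other section (where chan_sip ignores them); short
secrets; and peers whose permit rule admits every source address.
Both configurations below are constructed for this example.
"""
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]")
GENERAL_ONLY = {"allowguest", "alwaysauthreject"}
MIN_SECRET_LEN = 12  # threshold chosen for this example; the thread's own practice is 24 random characters


def parse_sip_conf(text):
    """Minimal sip.conf reader: {section: [(key, value), ...]}, order and duplicates kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' begins a comment (a secret containing ';' would be cut)
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        sep = "=>" if "=>" in line else "="
        if current is None or sep not in line:
            continue
        key, value = line.split(sep, 1)
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def audit_sip_conf(text):
    """Return a list of (section, finding) tuples; an empty list means every check passed."""
    sections = parse_sip_conf(text)
    findings = []
    general = dict(sections.get("general", []))
    # chan_sip in 1.4 defaults allowguest to yes and alwaysauthreject to no.
    if general.get("allowguest", "yes").lower() != "no":
        findings.append(("general", "allowguest is not 'no': unauthenticated calls reach the dialplan"))
    if general.get("alwaysauthreject", "no").lower() != "yes":
        findings.append(("general", "alwaysauthreject is not 'yes': replies reveal which account names exist"))
    for name, options in sections.items():
        if name == "general":
            continue
        for key, _ in options:
            if key in GENERAL_ONLY:
                findings.append((name, f"{key} only takes effect in [general]; here it is ignored"))
        secret = dict(options).get("secret")
        if secret is not None and len(secret) < MIN_SECRET_LEN:
            findings.append((name, f"secret is only {len(secret)} characters"))
        permits = [v.replace(" ", "") for k, v in options if k == "permit"]
        if any(v in ("0.0.0.0/0.0.0.0", "0.0.0.0/0") for v in permits):
            findings.append((name, "permit=0.0.0.0/0.0.0.0 admits every source address"))
    return findings


# Constructed: the test config from the thread, options left in a [globals] section.
WEAK_CONF = """
[general]
context=incoming

[globals]
alwaysauthreject=yes
allowguest=yes

[1000]
type=friend
secret=password
callerid="First Phone" <1000>
host=dynamic ; The device must always register
permit=0.0.0.0/0.0.0.0
context=phones
"""

# Constructed hardened version: placeholder 24-character secret, deny-all then permit one subnet.
HARDENED_CONF = """
[general]
context=incoming
allowguest=no
alwaysauthreject=yes

[1000]
type=friend
secret=Zq7pL2vX9mR4tB8nK1wS6dF3 ; placeholder, generate your own
callerid="First Phone" <1000>
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.0.2.0/255.255.255.0
context=phones
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_sip_conf(conf) or "no findings")
```

Point it at the live file with `audit_sip_conf(open("/etc/asterisk/sip.conf").read())`; the [globals] findings are the answer to the question quoted above, since options placed there never reach chan_sip.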