Hacked?

system · March 1, 2010, 9:37am

Hello

I think someone hacked my old asterisk I supose Someone make unauthorized call to diffrent countries. I’d like know how he connect and what i should reconfigure in my asterisk. HAcker’s ip address is 113.105.152.x ? It’s not assigned by Ripe/Iana…

my logs:

[Feb 21 06:25:08] VERBOSE[2961] [Feb 21 06:25:08] VERBOSE[2961] logger.c: [Feb 21 18:06:14] VERBOSE[3368] logger.c: 44680”) in new stack
[Feb 21 18:06:14] VERBOSE[3368] logger.c: [Feb 21 18:06:14] VERBOSE[2227] logger.c: [Feb 21 18:06:14] VERBOSE[3368] logger.c: 020-083bc758)
[Feb 21 18:06:14] NOTICE[3368] cdr.c: [Feb 21 18:06:14] VERBOSE[3369] logger.c: 680||W”) in new stack
[Feb 21 18:06:14] VERBOSE[3369] logger.c: [Feb 21 18:06:21] VERBOSE[3369] logger.c: [Feb 21 18:06:21] VERBOSE[3368] logger.c: [Feb 21 18:06:21] VERBOSE[3369] logger.c: [Feb 21 18:06:21] VERBOSE[3368] logger.c: [Feb 21 18:06:21] VERBOSE[3368] logger.c: [Feb 21 18:06:21] VERBOSE[3368] logger.c: [Feb 21 18:06:21] VERBOSE[3369] logger.c: [Feb 21 18:06:59] VERBOSE[3368] logger.c: [Feb 21 18:10:19] VERBOSE[3378] logger.c: in new stack
[Feb 21 18:10:19] VERBOSE[3378] logger.c: [Feb 21 18:10:20] VERBOSE[3378] logger.c: [Feb 21 18:10:20] VERBOSE[3378] logger.c: [Feb 21 18:10:50] VERBOSE[3378] logger.c: [Feb 21 18:45:33] VERBOSE[3390] logger.c: 80||W”) in new stack
[Feb 21 18:45:33] VERBOSE[3390] logger.c: [Feb 21 18:45:34] VERBOSE[3390] logger.c: [Feb 21 18:45:34] VERBOSE[3390] logger.c: [Feb 21 18:46:04] VERBOSE[3390] logger.c: [Feb 21 21:20:32] VERBOSE[3440] logger.c: ||W”) in new stack logger.c: Asterisk Queue Logger restarted
– Remote UNIX connection disconnected
– Executing [900442033844680@default:1] Dial(“SIP/113.105.152.104-0845ba08”, “SIP/integral_122984020/004420338
– Called integral_122984020/00442033844680
– Got SIP response 482 “Loop Detected” back from 87.204.129.4
– Now forwarding SIP/113.105.152.104-0845ba08 to ‘Local/00442033844680@default’ (thanks to SIP/integral_122984
CDR on channel ‘SIP/integral_122984020-083bc758’ not posted
– Executing [00442033844680@default:1] Dial(“Local/00442033844680@default-59a6,2”, “SIP/audiocodes/00442033844
– Called audiocodes/00442033844680
– SIP/audiocodes-0824ed08 is ringing
– Local/00442033844680@default-59a6,1 is ringing
– SIP/audiocodes-0824ed08 answered Local/00442033844680@default-59a6,2
– Local/00442033844680@default-59a6,1 stopped sounds
– Local/00442033844680@default-59a6,1 answered SIP/113.105.152.104-0845ba08
– Packet2Packet bridging SIP/113.105.152.104-0845ba08 and SIP/audiocodes-0824ed08
== Spawn extension (default, 00442033844680, 1) exited non-zero on ‘Local/00442033844680@default-59a6,2’
== Spawn extension (default, 900442033844680, 1) exited non-zero on ‘SIP/113.105.152.104-0845ba08’
– Executing [0442033844680@default:1] Dial(“SIP/113.105.152.102-081faf88”, “SIP/audiocodes/0442033844680||W”)
– Called audiocodes/0442033844680
– SIP/audiocodes-0880dc50 answered SIP/113.105.152.102-081faf88
– Packet2Packet bridging SIP/113.105.152.102-081faf88 and SIP/audiocodes-0880dc50
== Spawn extension (default, 0442033844680, 1) exited non-zero on ‘SIP/113.105.152.102-081faf88’
– Executing [00000442033844680@default:1] Dial(“SIP/113.105.152.103-087a76c8”, “SIP/audiocodes/000004420338446
– Called audiocodes/00000442033844680
– SIP/audiocodes-0880dc50 answered SIP/113.105.152.103-087a76c8
– Packet2Packet bridging SIP/113.105.152.103-087a76c8 and SIP/audiocodes-0880dc50
== Spawn extension (default, 00000442033844680, 1) exited non-zero on ‘SIP/113.105.152.103-087a76c8’
– Executing [0011442033844680@default:1] Dial(“SIP/113.105.152.102-0845ba08”, “SIP/audiocodes/0011442033844680

thank You for any advice

david55 · March 1, 2010, 12:50pm

What is the setting of allowguest? See recent forum archives for more details.

mazilo · March 1, 2010, 1:08pm

Is this +442033844680 called by the intruder?

system · March 1, 2010, 1:27pm

It were chinese boys,

i had allowguest to default ( yes) now i set to “no”
i filter out 5060, permit only for my sip provider

system · March 1, 2010, 1:28pm

Yes it was this number:

[Feb 21 18:06:14] VERBOSE[3369] logger.c: – Called audiocodes/00442033844680
[Feb 21 18:06:21] VERBOSE[3368] logger.c: – Local/00442033844680@default-59a6,1 is ringing
[Feb 21 18:06:21] VERBOSE[3369] logger.c: – SIP/audiocodes-0824ed08 answered Local/00442033844680@default-59a6,2
[Feb 21 18:06:21] VERBOSE[3368] logger.c: – Local/00442033844680@default-59a6,1 stopped sounds
[Feb 21 18:06:21] VERBOSE[3368] logger.c: – Local/00442033844680@default-59a6,1 answered SIP/113.105.152.104-0845ba08
[Feb 21 18:06:21] VERBOSE[3369] logger.c: == Spawn extension (default, 00442033844680, 1) exited non-zero on ‘Local/00442033844680@default-59a6,2’
[Feb 21 18:06:59] VERBOSE[3368] logger.c: == Spawn extension (default, 900442033844680, 1) exited non-zero on ‘SIP/113.105.152.104-0845ba08’

mazilo · March 1, 2010, 2:11pm

LOL …, I just called the +442033844680 number and got a british female voice recording says Your account has been disabled, please contact customer service … I don’t suppose your action to block this number caused this.