Hacker?

There were a few suspect calls today on my Asterisk box. I did some research and it seems someone is hacking me.

  1. One of the logged calls:
  2. So I set up a trap to get more info. Later I captured a call:

[quote]-- Executing [8103619990124@from-trunk:1] Answer("SIP/216.75.62.68-0023d8f0", "") in new stack
-- Executing [8103619990124@from-trunk:2] NoOp("SIP/216.75.62.68-0023d8f0", ">>>>>>>>>>>Hacker?<<<<<<<<<<<<<<") in new stack
-- Executing [8103619990124@from-trunk:3] Set("SIP/216.75.62.68-0023d8f0", "CDR(userfield)=Hacker Alert") in new stack
-- Executing [8103619990124@from-trunk:4] Playback("SIP/216.75.62.68-0023d8f0", "away-naughty-girl") in new stack
-- <SIP/216.75.62.68-0023d8f0> Playing 'away-naughty-girl.ulaw' (language 'en')
-- Executing [8103619990124@from-trunk:5] Hangup("SIP/216.75.62.68-0023d8f0", "") in new stack[/quote]

So the hacker tried to inject a SIP call from my box. The caller ID name is MeucciSolutions.
But according to this:
meucci-solutions.com/complaints.asp?id=1
MeucciSolutions is a fake caller ID (or maybe not?).

But one thing that is clear is the IP address:
216.75.62.68 (a traceroute shows it located in San Diego, California, and it has the domain name centos56268.aspadmin.net)

So I think someone is trying to hack my system from 216.75.62.68. If this is true, then my question is: what can I do about it? (Of course I can block that IP, but I want to have some fun with them. Any suggestions?)

If it is not a hacker, then what is it?

Hi

Add their IP address to your firewall.
It looks like they have moved; the calls used to be coming from Florida.
I guess they have been shut down there.

Ian

The actual error is a 404, meaning they are unable to dial the extension that they were dialing. How are they getting this far, or is this in your default context for sip.conf where you do not allow any outbound calls?

I have never used it, but I hear that fail2ban works well. I usually have this in my sip.conf:

; Catch-all dialplan entry: the leading underscore makes _X. a pattern rather than the literal extension "X."
exten => _X.,1,Ringing()
exten => _X.,2,Wait(30)
exten => _X.,3,Hangup()

You can do this to waste their time, so they are busy with a secure server rather than with some poor guy who will be taken.

fail2ban could be dangerous. If I were malicious and found that you were auto-banning my IP address, I could very easily spoof multiple failed logins from some service that you actually care about and then cause a denial of service. For example, I could spoof failed logins from a SIP proxy of a provider that you use for termination, which would effectively knock off your service.

Auto banning can be used against you…
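As an added example (not code from anyone in this thread), here is a small Python script that does what the trap context above makes possible on the detection side: it parses the NoOp "Hacker?" lines from the Asterisk CLI output, counts trap hits per source IP, and, following the fail2ban caveat, never returns a trusted peer (such as a termination provider) as a block candidate but reports it for manual review. The log lines and the 203.0.113.10 / 192.0.2.7 addresses are constructed for the example; only 216.75.62.68 comes from the thread.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the Asterisk CLI output quoted above.
# 216.75.62.68 is the address from the thread; the others are documentation addresses.
SAMPLE_LOG = """\
-- Executing [8103619990124@from-trunk:2] NoOp("SIP/216.75.62.68-0023d8f0", ">>>>>>>>>>>Hacker?<<<<<<<<<<<<<<") in new stack
-- Executing [8103619990124@from-trunk:3] Set("SIP/216.75.62.68-0023d8f0", "CDR(userfield)=Hacker Alert") in new stack
-- Executing [900441234567@from-trunk:2] NoOp("SIP/216.75.62.68-0023d8f1", ">>>>>>>>>>>Hacker?<<<<<<<<<<<<<<") in new stack
-- Executing [1001@from-trunk:2] NoOp("SIP/203.0.113.10-000000a1", ">>>>>>>>>>>Hacker?<<<<<<<<<<<<<<") in new stack
-- Executing [1001@from-trunk:1] Answer("SIP/192.0.2.7-00000001", "") in new stack
"""

# Peers that must never be auto-blocked, e.g. the termination provider from the
# fail2ban caveat (hypothetical address). Spoofed hits from them get reviewed, not banned.
TRUSTED_PEERS = {"203.0.113.10"}

# Matches the NoOp line the trap context emits; captures the dialled number and source IP
# from the channel name "SIP/<ip>-<id>".
TRAP_RE = re.compile(
    r'Executing \[(?P<exten>[^@\]]+)@(?P<ctx>[^:\]]+):\d+\] '
    r'NoOp\("SIP/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-[0-9a-f]+", ">+Hacker\?<+"\)'
)

def parse_trap_hits(log_text):
    """Return (ip, exten) tuples for every trap hit found in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = TRAP_RE.search(line)
        if m:
            hits.append((m.group("ip"), m.group("exten")))
    return hits

def block_candidates(hits, threshold=2, trusted=TRUSTED_PEERS):
    """IPs with at least `threshold` trap hits, excluding trusted peers."""
    counts = Counter(ip for ip, _ in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold and ip not in trusted}

def trusted_hits(hits, trusted=TRUSTED_PEERS):
    """Trusted peers that hit the trap: flag for a human, never auto-ban."""
    return sorted({ip for ip, _ in hits if ip in trusted})

if __name__ == "__main__":
    found = parse_trap_hits(SAMPLE_LOG)
    print("block candidates:", block_candidates(found))
    print("trusted peers hitting the trap (review only):", trusted_hits(found))
```

Feeding `block_candidates` into a firewall rule gives you the auto-ban behaviour with the allowlist that protects the provider; adjust `threshold` to taste.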