My old trixbox PBX has been hacked and I can't understand how the attacker got in.
What I need is a mix of VoIP and networking help!
No inbound connection to the PBX is allowed through the firewall, but the attacker managed to register as one of our extensions and make phone calls.
As far as I can see, it all started with a sequence of registration attempts with different non-existent extensions, until a good extension was met.
All these failed registration entries look the same:
NOTICE chan_sip.c: Registration from '"NNNN" sip:NNNN@[Y.Y.Y.Y:65476]:5060' failed for 'X.X.X.X' - No matching peer found
NNNN is a random extension number, always different.
Y.Y.Y.Y is my public WAN interface IP, followed by a high port (always the same, 65476).
X.X.X.X is the public IP the attacker comes from.
Can you explain the meaning of these connections? Where are these connections actually coming from?
Any help will be really appreciated!
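The log pattern described in the post (one source address walking through many non-existent extensions, i.e. extension enumeration) can be pulled out of the Asterisk log with a small parser. The following is an added example, not code from the post or from trixbox/Asterisk: it parses chan_sip "Registration from ... failed for ..." notices in the shape quoted above, groups the failures by source IP, and reports which sources tried many distinct extensions and which of those then went on to get "Wrong password" failures (a real extension found, credentials now being guessed). The log lines, the addresses 203.0.113.5, 192.0.2.10 and 198.51.100.7, and the thresholds are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample log, shaped after the chan_sip line quoted in the post.
# 203.0.113.5 probes several non-existent extensions and then hits a real one;
# 192.0.2.10 is a single mistyped login. One line uses curly quotes, as the
# post's copy of the log does, to show that the parser copes with them.
SAMPLE_LOG = """\
[Mar 3 10:01:02] NOTICE[2310] chan_sip.c: Registration from '"100" sip:100@[198.51.100.7:65476]:5060' failed for '203.0.113.5' - No matching peer found
[Mar 3 10:01:02] NOTICE[2310] chan_sip.c: Registration from '"101" sip:101@[198.51.100.7:65476]:5060' failed for '203.0.113.5' - No matching peer found
[Mar 3 10:01:03] NOTICE[2310] chan_sip.c: Registration from \u2018\u201c102\u201d sip:102@[198.51.100.7:65476]:5060\u2019 failed for \u2018203.0.113.5\u2019 - No matching peer found
[Mar 3 10:01:03] NOTICE[2310] chan_sip.c: Registration from '"1000" sip:1000@[198.51.100.7:65476]:5060' failed for '203.0.113.5' - No matching peer found
[Mar 3 10:01:04] NOTICE[2310] chan_sip.c: Registration from '"1001" sip:1001@[198.51.100.7:65476]:5060' failed for '203.0.113.5' - Wrong password
[Mar 3 10:05:00] NOTICE[2310] chan_sip.c: Registration from '"2001" <sip:2001@198.51.100.7>' failed for '192.0.2.10:5060' - Wrong password
[Mar 3 10:05:01] NOTICE[2310] chan_sip.c: some other notice that is not a registration failure
"""

# Forum and mail clients often turn the log's straight quotes into curly ones.
QUOTE_MAP = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})

NOTICE = re.compile(
    r"Registration from '(?P<from>.*?)' failed for '(?P<src>[^']+)' - (?P<reason>.*?)\s*$"
)
# Accepts both the bracketed host form seen in the post and the usual <sip:ext@host> form.
URI = re.compile(r"sip:(?P<ext>[^@\s]+)@\[?(?P<host>[^\]>'\s]+)")
IPV4_WITH_PORT = re.compile(r"\d+\.\d+\.\d+\.\d+:\d+")


def parse_line(line):
    """Return a dict for a chan_sip registration-failure notice, or None for other lines."""
    m = NOTICE.search(line.translate(QUOTE_MAP))
    if not m:
        return None
    u = URI.search(m.group("from"))
    if not u:
        return None
    src = m.group("src")
    # Asterisk may append the source port; the post's lines show only the address.
    src_ip = src.rsplit(":", 1)[0] if IPV4_WITH_PORT.fullmatch(src) else src
    return {
        "ext": u.group("ext"),        # extension the peer tried to register as
        "host": u.group("host"),      # address (and port) the REGISTER was sent to
        "src_ip": src_ip,             # where the REGISTER actually came from
        "reason": m.group("reason"),
    }


def failed_registrations(log_text):
    """All parsed registration failures in the log, in order."""
    return [r for r in (parse_line(l) for l in log_text.splitlines()) if r]


def enumeration_sources(records, min_distinct_exts=3):
    """Sources that failed with 'No matching peer found' for at least min_distinct_exts
    different extensions: one address trying many non-existent extensions is the
    enumeration pattern the post describes. Returns {src_ip: sorted extensions}."""
    exts = defaultdict(set)
    for r in records:
        if r["reason"] == "No matching peer found":
            exts[r["src_ip"]].add(r["ext"])
    return {ip: sorted(e) for ip, e in exts.items() if len(e) >= min_distinct_exts}


def escalated_sources(records, min_distinct_exts=3):
    """Enumeration sources that also produced 'Wrong password' failures: the scan found
    a real extension and moved on to guessing its secret. These are the ones to block first."""
    reasons = defaultdict(set)
    for r in records:
        reasons[r["src_ip"]].add(r["reason"])
    scanners = enumeration_sources(records, min_distinct_exts)
    return sorted(ip for ip in scanners if "Wrong password" in reasons[ip])


if __name__ == "__main__":
    recs = failed_registrations(SAMPLE_LOG)
    for ip, exts in enumeration_sources(recs).items():
        print(f"{ip} enumerated {len(exts)} extensions: {', '.join(exts)}")
    print("escalated to password guessing:", escalated_sources(recs))
```

Run it against the real `/var/log/asterisk/full` (or `messages`) instead of `SAMPLE_LOG` to see every source address behind the failures and whether any of them switched from "No matching peer found" to "Wrong password"; the `host` field also shows which address and port each REGISTER was aimed at, which is the detail the post is asking about.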