Hi all, I believe our server got hacked:
I had USD 80 remaining on a SIP trunk provider yesterday (our consumption was USD 20 in the past 4 months) and this morning this trunk showed USD 0 balance.
I charged again USD 100 and they were gone more or less instantly.
I believe somebody managed to register on our server and use that trunk.
I have a console permanently open and I can see strange things:
-- Executing [011972597281478@inbound:1] Goto("SIP/54.72.233.192-0000065d", "+3311972597281478,1") in new stack
[inbound:1 sounds strange to me]
-- Executing [+381114090713@inbound:1] Wait("SIP/54.72.233.192-000005c1", "1") in new stack
-- <SIP/54.72.233.192-000005be>AGI Script googletts.agi completed, returning 0
-- Executing [+381655374968@inbound:3] Set("SIP/54.72.233.192-000005be", "CALLFILENAME=+381655374968-20140918-125735)") in new stack
-- Executing [+381655374968@inbound:4] Monitor("SIP/54.72.233.192-000005be", "wav,+381655374968-20140918-125735),m") in new stack
-- Executing [+381655374968@inbound:5] Set("SIP/54.72.233.192-000005be", "CALLERID(num)=+339****1556") in new stack
-- Executing [+381655374968@inbound:6] Dial("SIP/54.72.233.192-000005be", "SIP/idtexpress/+381655374968") in new stack
== Using SIP RTP CoS mark 5
-- Called SIP/idtexpress/+381655374968
-- Got SIP response 503 "Service Unavailable" back from 66.33.147.149:5060
-- SIP/idtexpress-000005c2 is circuit-busy
== Everyone is busy/congested at this time (1:0/1/0)
-- Executing [+381655374968@inbound:7] Dial("SIP/54.72.233.192-000005be", "SIP/idtexpress2/+381655374968") in new stack
== Using SIP RTP CoS mark 5
-- Called SIP/idtexpress2/+381655374968
-- Executing [+381114090713@inbound:2] AGI("SIP/54.72.233.192-000005c1", "googletts.agi,"Your call is placed through IDT express trunk",en") in new stack
-- Launched AGI Script /var/lib/asterisk/agi-bin/googletts.agi
-- Playing '/tmp/88e52685d2803eaccd8a8ad90d0e9539' (escape_digits=) (sample_offset 0)
-- Got SIP response 503 "Service Unavailable" back from 216.53.4.1:5060
-- SIP/idtexpress2-000005c3 is circuit-busy
== Everyone is busy/congested at this time (1:0/1/0)
-- Auto fallthrough, channel 'SIP/54.72.233.192-000005be' status is 'CONGESTION'
-- <SIP/54.72.233.192-000005c1>AGI Script googletts.agi completed, returning 0
-- Executing [+381114090713@inbound:3] Set("SIP/54.72.233.192-000005c1", "CALLFILENAME=+381114090713-20140918-125740)") in new stack
-- Executing [+381114090713@inbound:4] Monitor("SIP/54.72.233.192-000005c1", "wav,+381114090713-20140918-125740),m") in new stack
-- Executing [+381114090713@inbound:5] Set("SIP/54.72.233.192-000005c1", "CALLERID(num)=+339****1556") in new stack
-- Executing [+381114090713@inbound:6] Dial("SIP/54.72.233.192-000005c1", "SIP/idtexpress/+381114090713") in new stack
[We never called those devices]
Can you direct me to where the security breach is located?
Thanks
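Added example, not from the original post: a small Python script that scans Asterisk CLI output like the lines quoted above for Dial() steps that leave through a SIP trunk from the `inbound` context on a channel named only by an IP address (a heuristic for a call that was not matched to a configured peer), and counts them per source IP and trunk. The sample log lines and the peer name `alice` in the benign control line are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the Asterisk CLI output quoted in the post
# (the last line, from a named peer in an internal context, is a benign control).
SAMPLE_LOG = """\
    -- Executing [+381655374968@inbound:6] Dial("SIP/54.72.233.192-000005be", "SIP/idtexpress/+381655374968") in new stack
    -- Executing [+381114090713@inbound:5] Set("SIP/54.72.233.192-000005c1", "CALLERID(num)=+339****1556") in new stack
    -- Executing [+381114090713@inbound:6] Dial("SIP/54.72.233.192-000005c1", "SIP/idtexpress/+381114090713") in new stack
    -- Executing [+381655374968@inbound:7] Dial("SIP/54.72.233.192-000005be", "SIP/idtexpress2/+381655374968") in new stack
    -- Executing [s@from-internal:1] Dial("SIP/alice-00000001", "SIP/idtexpress/+441234567890") in new stack
"""

# One CLI line of the form: Executing [exten@context:prio] Dial("channel", "SIP/trunk/number")
DIAL_RE = re.compile(
    r'Executing \[(?P<exten>[^@\]]+)@(?P<context>[^:\]]+):\d+\] '
    r'Dial\("(?P<chan>[^"]+)", "(?P<dest>[^"]+)"'
)
# A chan_sip channel named after an IP address rather than a configured peer name.
IP_CHAN_RE = re.compile(r'^SIP/(\d{1,3}(?:\.\d{1,3}){3})-[0-9a-f]+$')


def parse_dials(log_text):
    """Return one dict per Dial() application seen in the CLI output."""
    dials = []
    for line in log_text.splitlines():
        m = DIAL_RE.search(line)
        if m:
            dials.append(m.groupdict())
    return dials


def suspicious_dials(log_text, entry_contexts=("inbound",)):
    """Flag Dial() steps where a call that entered through an inbound-only
    context, from a channel named only by its IP, is sent back out a trunk."""
    hits = []
    for d in parse_dials(log_text):
        ip = IP_CHAN_RE.match(d["chan"])
        if d["context"] in entry_contexts and ip and d["dest"].startswith("SIP/"):
            trunk = d["dest"].split("/")[1]
            hits.append({"src_ip": ip.group(1), "trunk": trunk,
                         "number": d["exten"], "context": d["context"]})
    return hits


def summarize(hits):
    """Count flagged outbound attempts per (source IP, trunk) pair."""
    return Counter((h["src_ip"], h["trunk"]) for h in hits)


if __name__ == "__main__":
    hits = suspicious_dials(SAMPLE_LOG)
    for (ip, trunk), n in summarize(hits).most_common():
        print(f"{ip} -> {trunk}: {n} outbound attempt(s) via the inbound context")
```

Run it against `asterisk -rvvv` output or the full log captured to a file; any non-zero count for an inbound-only context means that context can reach a trunk and needs its Dial() steps removed or moved behind authentication.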