Help to detect the possible hacker attack

Hello, I am a user of Asterisk 13.21.1 with a PJSIP project with DB integration with MySQL, and in the last 24 hours my server was invaded and someone is trying to make many calls with my different endpoints, with different and complex passwords.

I don’t know how it is possible because I can’t find the contacts connected to my server, but I got some call attempts in the CLI console and the calls made in the CDR log.

I don’t know if there is any bug in my Asterisk version that can explain that, or if my DB was attacked. Can anyone help me?

I use fail2ban too, on the DB and on the Asterisk server.

Check for SQL injection.

Can SQL injection allow the hacker to make calls?

If they are using different and complex passwords, it means the hacker doesn’t have the real password for the endpoints, so it could be possible you are the victim of a brute force attack and you also have guest calls enabled, which is the reason why you receive this type of calls.

Thanks for the answer. It was not a brute force attack, because I use fail2ban and he was not blocked… and the hacker made calls with different endpoints from my list, but I don’t know if he used the password for that. At least I didn’t find him in the contact list.

Sure, I am telling you from experience.

They can get the user info and use it, etc.

Check which user, and see what SQL he was using.

Contacts are for telling Asterisk where to send requests such as calls to the phone/device. It’s not used for outbound calls from the device. The device just needs to be able to present proper auth creds when the INVITE is challenged.

The fact they can auth against your endpoints with valid creds sounds like they got into your system.

Are the calls going out? Or just to congestion?

I can’t say, I haven’t seen any logs or CDR snippets to give a correct answer.
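For the kind of log evidence the replies ask for, here is an added example (not posted by anyone in the thread) that reads Asterisk security-log events and lists addresses that authenticated as endpoints they are not expected to use, with the number of failed attempts seen from that address. It assumes the `security` log level is enabled in logger.conf; `KNOWN_SOURCES` is a hypothetical per-endpoint allowlist, and the sample lines are constructed, with fields trimmed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the security-log key="value" format (fields trimmed);
# addresses come from documentation ranges, not from the thread.
SAMPLE_LOG = """\
[2018-06-01 10:00:01] SECURITY[2101] res_security_log.c: SecurityEvent="SuccessfulAuth",Service="PJSIP",AccountID="1001",RemoteAddress="IPV4/UDP/192.0.2.50/5060",UsingPassword="1"
[2018-06-01 10:03:12] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidPassword",Service="PJSIP",AccountID="1002",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
[2018-06-01 10:04:40] SECURITY[2101] res_security_log.c: SecurityEvent="SuccessfulAuth",Service="PJSIP",AccountID="1002",RemoteAddress="IPV4/UDP/198.51.100.77/5060",UsingPassword="1"
[2018-06-01 10:05:02] SECURITY[2101] res_security_log.c: SecurityEvent="SuccessfulAuth",Service="PJSIP",AccountID="1003",RemoteAddress="IPV4/UDP/198.51.100.77/5060",UsingPassword="1"
"""

# Hypothetical allowlist: where each endpoint's real device normally registers from.
KNOWN_SOURCES = {"1001": {"192.0.2.50"}, "1002": {"192.0.2.51"}, "1003": {"192.0.2.52"}}

FIELD = re.compile(r'(\w+)="([^"]*)"')

def parse_events(text):
    """Return one dict per PJSIP security event, with the remote IP extracted."""
    events = []
    for line in text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("Service") != "PJSIP" or "SecurityEvent" not in fields:
            continue
        # RemoteAddress has the form IPV4/UDP/<ip>/<port>
        parts = fields.get("RemoteAddress", "").split("/")
        fields["ip"] = parts[2] if len(parts) >= 4 else ""
        events.append(fields)
    return events

def unexpected_auths(events, known_sources):
    """Map each unexpected source IP to the endpoints it authenticated as."""
    failures = Counter(e["ip"] for e in events if e["SecurityEvent"] == "InvalidPassword")
    hits = defaultdict(set)
    for e in events:
        if e["SecurityEvent"] != "SuccessfulAuth":
            continue
        acct, ip = e.get("AccountID", ""), e["ip"]
        if ip not in known_sources.get(acct, set()):
            hits[ip].add(acct)
    # prior_failures == 0 means the credentials were already known, so a
    # failure-based fail2ban jail would never have triggered for this address.
    return {ip: {"endpoints": sorted(a), "prior_failures": failures[ip]}
            for ip, a in hits.items()}

if __name__ == "__main__":
    print(unexpected_auths(parse_events(SAMPLE_LOG), KNOWN_SOURCES))
```

An address that authenticates as several endpoints with no failed attempts points to leaked credentials (for example, read from the database) rather than password guessing.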

