Hello I am user from Asterisk 13.21.1 with PJSIP project with DB integration with MySQL and in the last 24 hours my server was invaded and someone is trying to make many calls with my differents endpoints with different and complex passwords.
I don’t know how it’s is possible because I cant find the contacts connected in my server, but I got some attempts of calls in the CLI Console and the calls made in the CDR log.
I don’t know if exist any bug in my Asterisk version that can explain that or if my DB was attacked. Can anyone help me?
I use fail2ban too in DB and in the Asterisk server.
if is using different and complex password it means the hacker doesnt have the real password for the endpoints, so it could be posible you re victim of a brute force attack and also you have guest calls enabled reason why you receive this type of calls
Thanks for the answer, brute force attack was not because I use the fail2ban and was not blocked… and the hacker made calls with different endpoints of my list, But I don’t know if for that him use the password. At least I didn’t find him in the contact list.
Contacts are for telling Asterisk where to send requests such as calls to the phone/device. It’s not used for outbound calls from the device. The device just needs to be able to present proper auth creds when the INVITE is challenged.
The fact they can auth against your endpoints with valid creds sounds like they got into your system.