Interpretation of Logs

I noticed these calls to these unusual extension attempts from Palestine IPs. Based on this I think that I have been hacked (I’m secretly hoping for someone to disagree here and explain), so I changed the password to a 12+ letter\number\punctuation password.

I am running dd-wrt Optware as the platform for Asterisk. Only port 22 is responsive. This callcentric account has no funding attached, so they can not run up the bill.

Is my interpretation correct and response adequate?

Logfile:
[Mar 28 17:06:51] NOTICE[24949] chan_sip.c: Call from ‘’ (188.161.85.183:13305) to extension ‘800448702950309’ rejected because extension not found in context ‘from-callcentric’.
[Mar 28 23:26:07] NOTICE[24949] chan_sip.c: Call from ‘’ (188.161.86.170:10000) to extension ‘010448702950307’ rejected because extension not found in context ‘from-callcentric’.
[Mar 29 08:47:19] NOTICE[24949] chan_sip.c: Call from ‘’ (188.161.85.213:16955) to extension ‘0015448702950307’ rejected because extension not found in context ‘from-callcentric’.
[Mar 29 08:56:47] NOTICE[24949] chan_sip.c: Call from ‘’ (188.161.85.213:18560) to extension ‘0015’ rejected because extension not found in context ‘from-callcentric’.
[Mar 29 12:52:46] NOTICE[24949] chan_sip.c: Call from ‘’ (188.161.85.62:14099) to extension ‘810448702950307’ rejected because extension not found in context ‘from-callcentric’.
[Mar 29 14:24:19] NOTICE[24949] chan_sip.c: Call from ‘’ (188.161.85.111:11027) to extension ‘0015448702950309’ rejected because extension not found in context ‘from-callcentric’.
[Mar 29 17:45:20] NOTICE[24949] chan_sip.c: Peer ‘101’ is now UNREACHABLE! Last qualify: 13
[Mar 29 21:25:57] NOTICE[24949] chan_sip.c: Call from ‘’ (188.161.86.251:10000) to extension ‘1011448702950309’ rejected because extension not found in context ‘from-callcentric’.
[Mar 29 21:46:07] NOTICE[24949] chan_sip.c: Call from ‘’ (188.161.86.251:15812) to extension ‘810448702950307’ rejected because extension not found in context ‘from-callcentric’.
[Mar 29 23:07:41] NOTICE[24949] chan_sip.c: Call from ‘’ (188.161.86.251:10006) to extension ‘011448702950309’ rejected because extension not found in context ‘from-callcentric’.

There is no definite evidence that you have been hacked. If mere attempts sufficed, every Windows system on the internet would fall in that category!

The form of the log messages suggests you are using an obsolete version of Asterisk.

I am concerned that you are getting calls reaching your from-callcentric context when they don’t have callcentric addresses. That suggests either the misuse of type=friend, or you have that as your default context and you have allowguest not disabled.

Port 5060/UDP is also clearly responsive.

You should make sure that allowguest is no, and the callcentric section is type=peer. You would be well advised to set a firewall to restrict access to just your local network and known Callcentric servers.

If using a current Asterisk, you should be using the security log for attack information.

Unfortunately, the geographic source probably has more to do with geo-politics than IP telephony, so getting them blocked at source may be difficult.

This is the wrong forum for support questions.
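An added example, not part of any post in this thread: a small Python parser for the chan_sip "rejected because extension not found" lines quoted above. It counts rejections per source IP and context and groups the dialed strings by their trailing digits. The function names and the 12-digit tail length are assumptions made for this sketch.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the log posted in this thread (one non-matching line kept).
SAMPLE_LOG = """\
[Mar 28 17:06:51] NOTICE[24949] chan_sip.c: Call from ‘’ (188.161.85.183:13305) to extension ‘800448702950309’ rejected because extension not found in context ‘from-callcentric’.
[Mar 29 08:47:19] NOTICE[24949] chan_sip.c: Call from ‘’ (188.161.85.213:16955) to extension ‘0015448702950307’ rejected because extension not found in context ‘from-callcentric’.
[Mar 29 08:56:47] NOTICE[24949] chan_sip.c: Call from ‘’ (188.161.85.213:18560) to extension ‘0015’ rejected because extension not found in context ‘from-callcentric’.
[Mar 29 17:45:20] NOTICE[24949] chan_sip.c: Peer ‘101’ is now UNREACHABLE! Last qualify: 13
[Mar 29 21:25:57] NOTICE[24949] chan_sip.c: Call from ‘’ (188.161.86.251:10000) to extension ‘1011448702950309’ rejected because extension not found in context ‘from-callcentric’.
[Mar 29 23:07:41] NOTICE[24949] chan_sip.c: Call from ‘’ (188.161.86.251:10006) to extension ‘011448702950309’ rejected because extension not found in context ‘from-callcentric’.
"""

Q = "[‘’']"  # the forum shows curly quotes; a raw log file has ASCII ones, accept both
REJECTED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Call from " + Q + r"(?P<caller>.*?)" + Q
    + r" \((?P<ip>[\d.]+):(?P<port>\d+)\) to extension " + Q + r"(?P<ext>\d*)" + Q
    + r" rejected because extension not found in context " + Q + r"(?P<ctx>[^‘’']+)" + Q
)

def parse_rejections(text):
    """Return one dict per rejected-call line; every other line is skipped."""
    return [m.groupdict() for m in map(REJECTED.match, text.splitlines()) if m]

def summarize(events, tail=12):
    """Count attempts per source IP and context, and group dialed strings by
    their last `tail` digits (12 is an assumption chosen for this sample) so
    that attempts differing only in their leading digits stand out."""
    prefixes = defaultdict(set)
    for e in events:
        ext = e["ext"]
        if len(ext) > tail:
            prefixes[ext[-tail:]].add(ext[:-tail])
        else:
            prefixes[ext].add("")  # too short to split, keep whole
    return {
        "by_ip": Counter(e["ip"] for e in events),
        "by_ctx": Counter(e["ctx"] for e in events),
        "anonymous": sum(1 for e in events if e["caller"] == ""),
        "prefixes": {k: sorted(v) for k, v in prefixes.items()},
    }

if __name__ == "__main__":
    report = summarize(parse_rejections(SAMPLE_LOG))
    for ip, n in report["by_ip"].most_common():
        print(f"{ip:16} {n} rejected call(s)")
    print("contexts reached:", dict(report["by_ctx"]))
    print("calls with empty caller name:", report["anonymous"])
    for target, pre in report["prefixes"].items():
        print(f"...{target}: leading digits tried {pre}")
```

Every matching line here is a rejection; the context counts show which context unauthenticated calls are landing in, which is the point raised above about allowguest and type=peer.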

@david55: as usual, you have provided excellent actionable guidance. Thank you. I’ll look into the suggested context changes.

For those that are following along, the context is that this is a home network environment and details of the Asterisk platform include:

root@ROUTER:~# uname -a
Linux ROUTER 2.6.24.111 #3416 Sun Nov 21 04:56:48 CET 2010 mips GNU/Linux
root@ROUTER:~# asterisk -rx "core show version"
Asterisk 1.8.18.0 built by slug @ imitron on a i686 running Linux on 2012-11-13 01:27:48 UTC

Asterisk is running on a router and all network devices sit behind the router. Only port 22 is responsive for remote access purposes.