Is this a hacking?

casp · November 16, 2012, 11:13pm

Hello.

I just saw that in my asteris-r verbose :

[Nov 16 21:56:15] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call fro                         m '' (50.57.84.70:5074) to extension '000972592995047' rejected because extensio                         n not found in context 'default'.
  == Using SIP RTP CoS mark 5
[Nov 16 21:56:17] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call fro                         m '' (50.57.84.70:5071) to extension '00972592995047' rejected because extension                          not found in context 'default'.
  == Using SIP RTP CoS mark 5
[Nov 16 21:56:20] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call fro                         m '' (50.57.84.70:5074) to extension '900972592995047' rejected because extensio                         n not found in context 'default'.
  == Using SIP RTP CoS mark 5
[Nov 16 22:59:44] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call fro                         m '' (50.56.249.175:5071) to extension '972592871975' rejected because extension                          not found in context 'default'.
  == Using SIP RTP CoS mark 5
[Nov 16 22:59:45] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call fro                         m '' (50.56.249.175:5074) to extension '+972592871975' rejected because extensio                         n not found in context 'default'.
  == Using SIP RTP CoS mark 5
[Nov 16 22:59:46] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call fro                         m '' (50.56.249.175:5074) to extension '00972592871975' rejected because extensi                         on not found in context 'default'.
  == Using SIP RTP CoS mark 5
[Nov 16 22:59:48] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call fro                         m '' (50.56.249.175:5074) to extension '900972592871975' rejected because extens                         ion not found in context 'default'.
  == Using SIP RTP CoS mark 5
[Nov 16 22:59:51] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call fro                         m '' (50.56.249.175:5074) to extension '000972592871975' rejected because extens                         ion not found in context 'default'.
  == Using SIP RTP CoS mark 5
[Nov 16 22:59:52] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call fro                         m '' (50.56.249.175:5070) to extension '0000972592871975' rejected because exten                         sion not found in context 'default'.
  == Using SIP RTP CoS mark 5
[Nov 16 23:00:05] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call fro                         m '' (50.56.249.175:5071) to extension '000000972592871975' rejected because ext                         ension not found in context 'default'.

it seem to be a call try to israel.

The problem is that i don’t have any default extension on my extension.conf nor my sip.conf

is there a way to know more about how this person acceded to my asterisk ? (which sip account ?)

thank you

navaismo · November 17, 2012, 12:07am

You should set the allowguest=no in order to disallow anonymous calls attempts & also if you dont need remote extensions you shouldn’t open sip public ports in your router/firewall.

david55 · November 17, 2012, 9:28am

As noted, your allowguest is probably unsafe.

Unfortunately, this sort of attack is normal, and it is unlikely that you have been specifically targetted. Anything that is reachable from the internet via port 5060 will receive many attacks a day.

You need to assume that that such attempts will be frequent, and make sure they don’t succeed, rather than worrying about tracking down the source.

There are tools, like fail2ban, that will scan the logs and temporarily block addresses that are making multiple failed attempts, although they can only do so after some have reached Asterisk.

casp · November 18, 2012, 9:50pm

Thank you for your answer.

Now i have that :

[Nov 18 18:47:30] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=a1f55bf3 [Nov 18 18:47:31] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=a1f55bf3 [Nov 18 18:47:32] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=a1f55bf3 [Nov 18 18:47:34] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=0024de86 [Nov 18 18:47:35] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=0024de86 [Nov 18 18:47:35] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=0024de86 [Nov 18 18:47:38] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=dc2768f1 [Nov 18 18:47:39] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=dc2768f1 [Nov 18 18:47:39] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=dc2768f1 [Nov 18 18:47:43] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=14115deb [Nov 18 18:47:43] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=14115deb [Nov 18 18:47:48] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=a1c606d4 [Nov 18 18:47:49] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=a1c606d4 [Nov 18 18:47:49] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=a1c606d4 [Nov 18 18:47:53] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=5742bd4c [Nov 18 18:47:53] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=5742bd4c

is that because i changes the allowguest and the hacker is blocked ?

Thank you

david55 · November 18, 2012, 10:22pm

They were blocked by your not having a default context. They are now blocked somewhat further upstream.

casp · November 18, 2012, 10:33pm

Before changing the allowhost, i added in my extension.conf

[default] exten => s,1,Hangup()

this was a good thing to do ?

dejanst · November 19, 2012, 9:10am

Yes, this is defnitly a good thing to do.

This adds a layer of security in case the allowguest=yes. If you set allowguest=no, the calls are rejected before they reach the dialplan. But to have a Hangup() rule in the default context never hurts

Topic		Replies	Views
Someone is trying to make calls without being registered Asterisk Support	1	346	January 31, 2013
Spam (I think) Asterisk Support	5	268	March 19, 2013
Getting hacked Asterisk Support	2	153	March 15, 2011
Incoming call flood Asterisk Support	5	410	January 9, 2013
Interpretation of Logs Asterisk General	2	274	March 30, 2013

Is this a hacking?

Related topics