My PC with Asterisk 1.8.11.1+FreePBX 2.10.0 has been hacked, but I do not understand how?!
I am just a beginner with Asterisk (running it just a couple of months).
The attacker (or attackers?) (of Egyptian origin, or using a proxy/VPN in Egypt) did not get the password for the extension; however, he managed to get around 500 calls through
and emptied my VoIP account within 1 hour during the night (thank God I did not have auto-recharge on that)!
Here is the part of the log file with the incorrect registration attempts:
[2012-05-07 04:20:15] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.7.85:11482' - Wrong password
[2012-05-07 04:21:36] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.7.85:11482' - Wrong password
[2012-05-07 04:24:16] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.7.85:11482' - Wrong password
[2012-05-07 04:29:37] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.7.85:11482' - Wrong password
[2012-05-07 04:40:17] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.6.149:10000' - Wrong password
[2012-05-07 04:52:17] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.7.164:10508' - Wrong password
[2012-05-07 04:52:37] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.7.164:10508' - Wrong password
[2012-05-07 04:56:48] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.7.164:10709' - Wrong password
[2012-05-07 04:58:54] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.4.57:10000' - Wrong password
[2012-05-07 04:59:14] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.4.57:10000' - Wrong password
[2012-05-07 05:12:08] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.4.57:10003' - Wrong password
[2012-05-07 05:12:29] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.4.57:10003' - Wrong password
[2012-05-07 06:22:29] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.5.23:10033' - Wrong password
Here is the part of the log file with the successful calls after the unsuccessful extension registrations!!! (Unfortunately, debug is off.)
[2012-05-07 04:29:11] VERBOSE[28584] netsock2.c: == Using SIP RTP TOS bits 184
[2012-05-07 04:29:11] VERBOSE[28584] netsock2.c: == Using SIP RTP CoS mark 5
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [0088213090436@from-internal:1] Macro("SIP/100-0000031c", "user-callerid,LIMIT,") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-user-callerid:1] Set("SIP/100-0000031c", "AMPUSER=100") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-user-callerid:2] GotoIf("SIP/100-0000031c", "0?report") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:12] GosubIf("SIP/100-0000031c", "0?sub-flp-3,s,1()") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:13] Set("SIP/100-0000031c", "OUTNUM=0088213090436") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:14] Set("SIP/100-0000031c", "custom=SIP/CheapVOIPtrunk") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:15] ExecIf("SIP/100-0000031c", "0?Set(DIAL_TRUNK_OPTIONS=M(setmusic^default))") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:16] ExecIf("SIP/100-0000031c", "0?Set(DIAL_TRUNK_OPTIONS=M(confirm))") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:17] Macro("SIP/100-0000031c", "dialout-trunk-predial-hook,") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk-predial-hook:1] MacroExit("SIP/100-0000031c", "") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:18] GotoIf("SIP/100-0000031c", "0?bypass,1") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:19] ExecIf("SIP/100-0000031c", "1?Set(CONNECTEDLINE(num,i)=0088213090436)") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:20] ExecIf("SIP/100-0000031c", "1?Set(CONNECTEDLINE(name,i)=CID:100)") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:21] GotoIf("SIP/100-0000031c", "0?customtrunk") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:22] Set("SIP/100-0000031c", "D_LOPT=""") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:23] Set("SIP/100-0000031c", "ARG1=300") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:31] Dial("SIP/100-0000031c", "SIP/CheapVOIPtrunk/0088213090436,300,""") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] netsock2.c: == Using SIP RTP TOS bits 184
[2012-05-07 04:29:11] VERBOSE[3502] netsock2.c: == Using SIP RTP CoS mark 5
[2012-05-07 04:29:12] VERBOSE[3502] app_dial.c: -- Called SIP/CheapVOIPtrunk/0088213090436
I have closed port 5060 now for all foreign IPs.
Egyptians continue to try, but without success now.
Any idea, guys, what it was and how it was done?!
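As an added example (not code from the post, nor from Asterisk or FreePBX), here is the detection a defender would run over a log like the one above: count failed REGISTERs per source address, and flag any outbound trunk Dial placed from an extension that never registered successfully but had a failed REGISTER shortly before the call, which is exactly the pattern in the two excerpts. The sample lines are constructed in the post's log format (straight quotes); the "Registered SIP" success message and the thresholds are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Asterisk 1.8 chan_sip/pbx log events, with the forum's curly quotes straightened.
TS = r"\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] "
REG_FAIL = re.compile(TS + r"NOTICE\[\d+\] chan_sip\.c: Registration from "
                      r"'sip:(\d+)@\S+' failed for '([\d.]+):\d+' - (.*)$")
REG_OK = re.compile(TS + r"VERBOSE\[\d+\] chan_sip\.c: +-- Registered SIP '(\d+)' at ")  # assumed wording
DIAL = re.compile(TS + r"VERBOSE\[\d+\] pbx\.c: +-- Executing \[\S+\] "
                  r'Dial\("SIP/(\d+)-[0-9a-f]+", "SIP/(\w+)/(\d+),')

def analyze(lines, max_failures=3, window=timedelta(hours=1)):
    """Return ({ip: failed REGISTER count} for sources at/over max_failures,
    [(time, ext, trunk, number)] for outbound Dials from an extension that never
    registered successfully in this log but had a failed REGISTER within `window`
    before the call, i.e. a call the PBX accepted without a valid registration)."""
    fails = Counter()      # source IP -> failed REGISTER attempts
    last_fail = {}         # extension -> time of its latest failed REGISTER
    registered = set()     # extensions seen registering successfully
    suspicious = []
    for line in lines:
        if m := REG_FAIL.search(line):
            fails[m.group(3)] += 1
            last_fail[m.group(2)] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        elif m := REG_OK.search(line):
            registered.add(m.group(2))
        elif m := DIAL.search(line):
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            ext = m.group(2)
            recent_fail = ext in last_fail and when - last_fail[ext] <= window
            if ext not in registered and recent_fail:
                suspicious.append((m.group(1), ext, m.group(3), m.group(4)))
    return {ip: n for ip, n in fails.items() if n >= max_failures}, suspicious

# Constructed sample modelled on the post's log (not the original file): extension
# 200 is a legitimate phone that registered before dialling, 100 is the abused one.
SAMPLE = """\
[2012-05-07 03:00:02] VERBOSE[28584] chan_sip.c:     -- Registered SIP '200' at 192.168.1.20:5060
[2012-05-07 03:10:40] VERBOSE[3502] pbx.c:     -- Executing [s@macro-dialout-trunk:31] Dial("SIP/200-00000301", "SIP/CheapVOIPtrunk/0031201234567,300,") in new stack
[2012-05-07 04:20:15] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.7.85:11482' - Wrong password
[2012-05-07 04:21:36] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.7.85:11482' - Wrong password
[2012-05-07 04:24:16] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.7.85:11482' - Wrong password
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c:     -- Executing [s@macro-dialout-trunk:31] Dial("SIP/100-0000031c", "SIP/CheapVOIPtrunk/0088213090436,300,") in new stack
[2012-05-07 04:29:37] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.7.85:11482' - Wrong password
[2012-05-07 04:40:17] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.6.149:10000' - Wrong password
"""
```

Running `analyze(SAMPLE.splitlines())` flags 41.237.7.85 as a brute-force source and the 04:29:11 call from SIP/100 as placed without a registration; the same check can be fed the full messages log, and a source exceeding the threshold is what a fail2ban jail on this NOTICE line would block.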