somebody was able to hacked our asterisk mysteriously and was able to access extention, inspite of such user doesn’t exist in our system! full sip debug below (I changed our real server’s IP by SERVER_IP):
[2010-09-04 18:10:24] VERBOSE[1262] chan_sip.c:
<— SIP read from UDP:202.71.111.5:2269 —>
INVITE sip:01427117149111@SERVER_IP;transport=udp SIP/2.0
Via: SIP/2.0/UDP 202.71.111.5:2269;branch=11100001000101001111000111101001202.71.111.5SERVER_IP928314466;rport
Max-Forwards: 70
From: sip:2057098525@SERVER_IP;tag=3034047732102272518530340477323034047732202.71.111.5
To: sip:01427117149111@SERVER_IP
Call-ID: c8a4a20f1100001110000010011111101101011100001000101001111000111101001202.71.111.5SERVER_IP928314466246c53014271171491113034047732102272518530340477323034047732202.71.111.51013054379
CSeq: 1 INVITE
Contact: sip:246c53@202.71.111.5:2269;transport=udp
Content-Type: application/sdp
Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER, REGISTER, SUBSCRIBE, UPDATE, PUBLISH
User-Agent: eyeBeam release 1003s stamp 31159
Content-Length: 210
v=0
o=- 16264 18299 IN IP4 SERVER_IP
s=CounterPath eyeBeam 1.5
c=IN IP4 SERVER_IP
t=0 0
m=audio 29923 RTP/AVP 18 0 8 101
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
<------------->
[2010-09-04 18:10:24] VERBOSE[1262] chan_sip.c: — (12 headers 10 lines) —
[2010-09-04 18:10:24] VERBOSE[1262] netsock.c: == Using SIP RTP CoS mark 5
[2010-09-04 18:10:24] VERBOSE[1262] chan_sip.c: Sending to 202.71.111.5 : 2269 (NAT)
[2010-09-04 18:10:24] VERBOSE[1262] chan_sip.c: Using INVITE request as basis request - c8a4a20f1100001110000010011111101101011100001000101001111000111101001202.71.111.5SERVER_IP928314466246c53014271171491113034047732102272518530340477323034047732202.71.111.51013054379
[2010-09-04 18:10:24] VERBOSE[1262] chan_sip.c: No matching peer for ‘2057098525’ from ‘202.71.111.5:2269’
[2010-09-04 18:10:24] VERBOSE[1262] chan_sip.c: Found RTP audio format 18
[2010-09-04 18:10:24] VERBOSE[1262] chan_sip.c: Found RTP audio format 0
[2010-09-04 18:10:24] VERBOSE[1262] chan_sip.c: Found RTP audio format 8
[2010-09-04 18:10:24] VERBOSE[1262] chan_sip.c: Found RTP audio format 101
[2010-09-04 18:10:24] VERBOSE[1262] chan_sip.c: Found audio description format telephone-event for ID 101
[2010-09-04 18:10:24] VERBOSE[1262] chan_sip.c: Capabilities: us - 0x8000e (gsm|ulaw|alaw|h263), peer - audio=0x10c (ulaw|alaw|g729)/video=0x0 (nothing)/text=0x0 (nothing), combined - 0xc (ulaw|alaw)
[2010-09-04 18:10:24] VERBOSE[1262] chan_sip.c: Non-codec capabilities (dtmf): us - 0x1 (telephone-event), peer - 0x1 (telephone-event), combined - 0x1 (telephone-event)
[2010-09-04 18:10:24] VERBOSE[1262] chan_sip.c: Peer audio RTP is at port SERVER_IP:29923
[2010-09-04 18:10:24] VERBOSE[1262] chan_sip.c: Looking for 01427117149111 in default (domain SERVER_IP)
[2010-09-04 18:10:24] VERBOSE[1262] chan_sip.c: list_route: hop: sip:246c53@202.71.111.5:2269;transport=udp
[2010-09-04 18:10:24] VERBOSE[1262] chan_sip.c:
<— Transmitting (NAT) to 202.71.111.5:2269 —>
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 202.71.111.5:2269;branch=11100001000101001111000111101001202.71.111.5SERVER_IP928314466;received=202.71.111.5;rport=2269
From: sip:2057098525@SERVER_IP;tag=3034047732102272518530340477323034047732202.71.111.5
To: sip:01427117149111@SERVER_IP
Call-ID: c8a4a20f1100001110000010011111101101011100001000101001111000111101001202.71.111.5SERVER_IP928314466246c53014271171491113034047732102272518530340477323034047732202.71.111.51013054379
CSeq: 1 INVITE
Server: Asterisk PBX 1.6.2.6
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces, timer
Contact: sip:01427117149111@SERVER_IP
Content-Length: 0
<------------>
[2010-09-04 18:10:24] VERBOSE[20305] pbx.c: – Executing [01427117149111@default:1] NoOp(“SIP/SERVER_IP-00000728”, “”) in new stack
[2010-09-04 18:10:24] VERBOSE[20305] pbx.c: – Executing [01427117149111@default:2] NoOp(“SIP/SERVER_IP-00000728”, “Caller: 2057098525”) in new stack
[2010-09-04 18:10:24] VERBOSE[20305] pbx.c: – Executing [01427117149111@default:3] Hangup(“SIP/SERVER_IP-00000728”, “”) in new stack
[2010-09-04 18:10:24] VERBOSE[20305] pbx.c: == Spawn extension (default, 01427117149111, 3) exited non-zero on ‘SIP/SERVER_IP-00000728’
[2010-09-04 18:10:24] VERBOSE[20305] chan_sip.c: Scheduling destruction of SIP dialog ‘c8a4a20f1100001110000010011111101101011100001000101001111000111101001202.71.111.5SERVER_IP928314466246c53014271171491113034047732102272518530340477323034047732202.71.111.51013054379’ in 32000 ms (Method: INVITE)
[2010-09-04 18:10:24] VERBOSE[20305] chan_sip.c:
<— Reliably Transmitting (NAT) to 202.71.111.5:2269 —>
SIP/2.0 603 Declined
Via: SIP/2.0/UDP 202.71.111.5:2269;branch=11100001000101001111000111101001202.71.111.5SERVER_IP928314466;received=202.71.111.5;rport=2269
From: sip:2057098525@SERVER_IP;tag=3034047732102272518530340477323034047732202.71.111.5
To: sip:01427117149111@SERVER_IP;tag=as61b994f8
Call-ID: c8a4a20f1100001110000010011111101101011100001000101001111000111101001202.71.111.5SERVER_IP928314466246c53014271171491113034047732102272518530340477323034047732202.71.111.51013054379
CSeq: 1 INVITE
Server: Asterisk PBX 1.6.2.6
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces, timer
Content-Length: 0
<------------>
[2010-09-04 18:10:24] VERBOSE[1262] chan_sip.c:
<— SIP read from UDP:202.71.111.5:2269 —>
ACK sip:01427117149111@SERVER_IP SIP/2.0
Via: SIP/2.0/UDP 202.71.111.5:2269;branch=11100001000101001111000111101001202.71.111.5SERVER_IP928314466;rport
Max-Forwards: 70
Contact: sip:246c53@202.71.111.5:2269;transport=udp
To: sip:01427117149111@SERVER_IP
From: sip:2057098525@SERVER_IP;tag=3034047732102272518530340477323034047732202.71.111.5
Call-ID: c8a4a20f1100001110000010011111101101011100001000101001111000111101001202.71.111.5SERVER_IP928314466246c53014271171491113034047732102272518530340477323034047732202.71.111.51013054379
CSeq: 1 ACK
User-Agent: X-Lite release 1006e stamp 34025
Content-Length: 0
<------------->
[2010-09-04 18:10:24] VERBOSE[1262] chan_sip.c: — (10 headers 0 lines) —
As you see they accessed extention:
[2010-09-04 18:10:24] VERBOSE[20305] pbx.c: – Executing [01427117149111@default:1] NoOp(“SIP/SERVER_IP-00000728”, “”) in new stack
[2010-09-04 18:10:24] VERBOSE[20305] pbx.c: – Executing [01427117149111@default:2] NoOp(“SIP/SERVER_IP-00000728”, “Caller: 2057098525”) in new stack
[2010-09-04 18:10:24] VERBOSE[20305] pbx.c: – Executing [01427117149111@default:3] Hangup(“SIP/SERVER_IP-00000728”, “”) in new stack
any help, advise, ideas, hints etc will be highly appreciated. the problem is urgent because attacks continues. thank you!