Secure Asterisk from hackers

Please be aware, I am a newb!

Our outbound dialer is working properly; however, it has been compromised and we cannot determine from where or how. Every five minutes a batch of international calls goes out. We have our SIP provider/gateway blocking these calls, but we would like to determine the source and close the loop. Below is the batch:

-- Attempting call on SIP/s/0112698100289 for application Playback(hello) (Retry 1)
-- Attempting call on SIP/s/0112698100289 for application Playback(hello) (Retry 1)
-- Attempting call on SIP/s/0112698100289 for application Playback(hello) (Retry 1)
-- Attempting call on SIP/s/0112698100289 for application Playback(hello) (Retry 1)
-- Attempting call on SIP/s/0112698100289 for application Playback(hello) (Retry 1)
-- Attempting call on SIP/s/0112698100289 for application Playback(hello) (Retry 1)
-- Attempting call on SIP/s/0112698100289 for application Playback(hello) (Retry 1)
-- Attempting call on SIP/s/0112698100289 for application Playback(hello) (Retry 1)
-- Attempting call on SIP/s/0112698100289 for application Playback(hello) (Retry 1)
-- Attempting call on SIP/s/0112698100289 for application Playback(hello) (Retry 1)
-- Attempting call on SIP/s/0112698100289 for application Playback(hello) (Retry 1)
-- Attempting call on SIP/s/0112698100289 for application Playback(hello) (Retry 1)
-- Attempting call on SIP/s/0112698100289 for application Playback(hello) (Retry 1)
-- Attempting call on SIP/s/0112698100289 for application Playback(hello) (Retry 1)
-- Attempting call on SIP/s/0112698100289 for application Playback(hello) (Retry 1)
-- Attempting call on SIP/s/0112698100289 for application Playback(hello) (Retry 1)
-- Attempting call on SIP/s/0112698100289 for application Playback(hello) (Retry 1)
-- Attempting call on SIP/s/0112698100289 for application Playback(hello) (Retry 1)
-- Attempting call on SIP/s/0112698100289 for application Playback(hello) (Retry 1)
-- Attempting call on SIP/s/0112698100289 for application Playback(hello) (Retry 1)

As I said, the calls are being blocked so they inevitably come back with the following:

-- Got SIP response 603 "Declined" back from x.x.x.x
-- Got SIP response 603 "Declined" back from x.x.x.x
-- Got SIP response 603 "Declined" back from x.x.x.x
-- Got SIP response 603 "Declined" back from x.x.x.x
-- Got SIP response 603 "Declined" back from x.x.x.x
-- Got SIP response 603 "Declined" back from x.x.x.x

**x.x.x.x = our SIP gateway's IP address

Can anyone assist me in determining how this is happening?

Thanks,
MOD2011

Hi

OK, first things first: was the system installed in-house or by an external company?

If in-house, OK; if external, get them back now.

Have you followed Digium's advice on security? blogs.digium.com/2009/03/28/sip-security/

You should see in the logs who (IP address) is making these calls, and then you can block it in iptables or whatever firewall you are using.

Basically, you need to secure the system better than you would a normal server, as it can end up costing you REAL money.

Ian
www.cyber-cottage.co.uk

Thank you for your response. I will take a hard look over the link you sent me. Where are these logs with the IP address? And is it possible that the calls are not being made remotely, but some sort of cron job or something is already set up?

Hi

Looks as if it may be an odd job running.

try grep -lir "Playback(hello)" /etc/asterisk/

It will tell you the file that the dialplan is in.

Then have a dig about.

Also check your manager.conf and make sure it's secure.

Ian
www.cyber-cottage.co.uk
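The two suggestions above (grep the dialplan, check manager.conf) and the question about cron jobs can be turned into one audit script. The following is an added example, not code from the thread or from the Asterisk project, and it uses constructed sample files so it runs offline. One fact worth knowing when reading the original log: "Attempting call on X for application Y (Retry N)" is the message Asterisk prints while it processes a call file from the outgoing spool, so `/var/spool/asterisk/outgoing` and whatever keeps re-creating a file there belong on the list of places to look, alongside `/etc/asterisk` and the Manager Interface. The file names, the `[admin]`/`[dialer]` users, the secrets and the cron line in `make_demo_tree` are all made up for the demo.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts: audit the
# places a rogue "Playback(hello)" call can be launched from on an Asterisk box.
# Paths default to the standard ones; make_demo_tree builds a constructed tree
# so the script can be tried offline with: sh audit.sh --demo

AST_ETC="${AST_ETC:-/etc/asterisk}"
AST_SPOOL="${AST_SPOOL:-/var/spool/asterisk}"
CRON_PATHS="${CRON_PATHS:-/etc/crontab /etc/cron.d /var/spool/cron}"

# 1. Config files that mention the dialplan application from the log
#    (the thread's grep, with -F so the parentheses are matched literally).
dialplan_refs() { grep -rilF -e "$1" "$AST_ETC" 2>/dev/null || true; }

# 2. Call files. "Attempting call on X for application Y (Retry N)" is what
#    Asterisk logs while processing a file from the outgoing spool, so a call
#    file (or whatever keeps re-creating one) is the first thing to look for.
call_files() { find "$AST_SPOOL/outgoing" "$AST_SPOOL/outgoing_done" -type f 2>/dev/null || true; }

# 3. Scheduled jobs matching an extended regex, e.g. 'outgoing|asterisk'.
cron_refs() { grep -rlE -e "$1" $CRON_PATHS 2>/dev/null || true; }

# 4. manager.conf. Anyone with an AMI username/secret and the right write
#    privilege can originate calls, so the interface must not be exposed.
#    Prints WARN lines for exposure and NOTE lines for call-placing users.
audit_manager_conf() {
    f="${1:-$AST_ETC/manager.conf}"
    [ -r "$f" ] || { echo "no readable manager.conf at $f" >&2; return 0; }
    awk '
      /^[ \t]*[;#]/ { next }                                  # comment line
      /^[ \t]*\[/ {                                            # [section]
          sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect)
          if (sect != "general") users[sect] = 1
          next
      }
      {
          line = $0; sub(/[ \t]*[;#].*$/, "", line)           # trailing comment
          if (line !~ /=/) next
          key = line; sub(/[ \t]*=.*$/, "", key); gsub(/[ \t]/, "", key)
          val = line; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
          key = tolower(key); val = tolower(val)
          if (sect == "general") {
              if (key == "enabled" && val == "yes") enabled = 1
              if (key == "bindaddr" && val == "0.0.0.0") anyaddr = 1
          } else {
              if (key == "permit") permit[sect] = 1
              if (key == "permit" && val ~ /^0\.0\.0\.0\//)
                  print "WARN [" sect "] permit=" val " admits every source address"
              if (key == "write" && val ~ /(^|,)[ \t]*(call|originate|all)([ \t]*,|$)/)
                  orig[sect] = 1
          }
      }
      END {
          if (enabled && anyaddr)
              print "WARN [general] enabled=yes with bindaddr=0.0.0.0: AMI listens on every interface"
          for (u in users) {
              if (!(u in permit))
                  print "WARN [" u "] has no permit/deny lines: any host reaching the port may try this login"
              if (u in orig)
                  print "NOTE [" u "] write privileges allow Originate, i.e. placing calls"
          }
      }' "$f"
}

# Constructed demo tree (not from any real system): a dialplan hit, a call
# file, a cron job re-creating it every 5 minutes, a weak manager.conf and a
# hardened one bound to localhost with deny/permit lines.
make_demo_tree() {
    root=$(mktemp -d)
    AST_ETC="$root/etc/asterisk"; AST_SPOOL="$root/spool"; CRON_PATHS="$root/cron.d"
    mkdir -p "$AST_ETC" "$AST_SPOOL/outgoing" "$AST_SPOOL/outgoing_done" "$CRON_PATHS"
    printf '%s\n' '[default]' 'exten => 100,1,Playback(hello)' > "$AST_ETC/extensions.conf"
    printf '%s\n' 'Channel: SIP/s/0112698100289' 'Application: Playback' 'Data: hello' \
        'MaxRetries: 1' > "$AST_SPOOL/outgoing/job.call"
    printf '%s\n' '*/5 * * * * root cp /tmp/job.call /var/spool/asterisk/outgoing/' \
        > "$CRON_PATHS/dialer"
    printf '%s\n' '[general]' 'enabled = yes' 'port = 5038' \
        'bindaddr = 0.0.0.0   ; reachable from anywhere' '' '[admin]' 'secret = changeme' \
        '; no deny/permit lines' 'read = system,call,log' 'write = system,call,originate' \
        > "$AST_ETC/manager.conf"
    printf '%s\n' '[general]' 'enabled = yes' 'port = 5038' 'bindaddr = 127.0.0.1' '' \
        '[dialer]' 'secret = use-a-long-random-secret' 'deny = 0.0.0.0/0.0.0.0' \
        'permit = 127.0.0.1/255.255.255.255' 'read = call' 'write = originate' \
        > "$AST_ETC/manager.conf.hardened"
}

run_audit() {
    echo "== files under $AST_ETC mentioning $1";        dialplan_refs "$1"
    echo "== call files under $AST_SPOOL";               call_files
    echo "== cron entries mentioning outgoing/asterisk"; cron_refs 'outgoing|asterisk'
    echo "== manager.conf";                              audit_manager_conf
}

if [ "${1:-}" = "--demo" ]; then make_demo_tree; fi
run_audit 'Playback(hello)'
```

On a live box, run it as root without `--demo` so it reads the real `/etc/asterisk`, the real spool and the real crontabs. A WARN on `manager.conf` means the AMI itself is a way in; a NOTE only says which users could place calls once logged in, which is expected for a legitimate dialer user such as the hardened `[dialer]` example. Also compare the timestamps of any call file against the five-minute cadence in the original log.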