Security -- hacker with sip: account id

I am looking for some insight as to what the hacker is trying to do. My security log has the following message (some data changed):

[Nov 9 20:46:56] SECURITY[1944]: res_security_log.c:116 security_event_stasis_cb: SecurityEvent="ChallengeSent",EventTV="2015-11-09T20:46:56.647-0800",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:101@",SessionID="0x7fxxxxxx",LocalAddress="IPV4/UDP//5060",RemoteAddress="IPV4/UDP//5070",Challenge="2exxxxxx"

What is interesting is I don't have any registration failures, but clearly someone is trying to access something. It is interesting that the AccountID, which should be my phone number, is a SIP address.

What seems spooky is that Asterisk appears to then try to do something and then produces a timeout message.

[Nov 9 20:59:27] WARNING[1934]: chan_sip.c:4071 retrans_pkt: Timeout on 97xxxxxxxxxxxxxxxxxxx on non-critical invite transaction

So I am trying to figure out what the person is trying to do so I can check my security and ensure they won't be successful.

Any suggestions would be appreciated.

You need not register to send an invite nor to make a successful call. Therefore the log may not show a failed registration.

Looking at the SIP messages will probably tell you more.

The SecurityEvent is "ChallengeSent". This is raised when an Asterisk service sends an authentication challenge to a request.

Scenario:

Hacker is trying to make calls through your Asterisk server.

Asterisk sends an authentication challenge to the hacker's request.

Use iptables and block the RemoteAddress.

wiki.asterisk.org/wiki/display/ … llengeSent
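
The triage suggested in the replies above, as an added example that is not code from the thread or from Asterisk: it parses security log lines in the format quoted in the first post, keeps the ChallengeSent events whose AccountID is not one you expect from your own devices, and groups them by RemoteAddress so you can see which sources to block. The sample lines, the addresses and the `known_accounts` set are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format quoted in the thread; all addresses
# are documentation-range placeholders, not values from the original post.
_PFX = "[Nov 9 20:46:56] SECURITY[1944]: res_security_log.c:116 security_event_stasis_cb: "
_EVT = ('SecurityEvent="{ev}",EventTV="2015-11-09T20:46:56.647-0800",Severity="Informational",'
        'Service="SIP",EventVersion="1",AccountID="{acct}",SessionID="0x7f0000000001",'
        'LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/{ip}/{port}",'
        'Challenge="2e000001"')
SAMPLE_LOG = "\n".join([
    _PFX + _EVT.format(ev="ChallengeSent", acct="sip:101@192.0.2.10", ip="198.51.100.7", port=5070),
    _PFX + _EVT.format(ev="ChallengeSent", acct="sip:102@192.0.2.10", ip="198.51.100.7", port=5070),
    _PFX + _EVT.format(ev="ChallengeSent", acct="101", ip="203.0.113.20", port=5060),
    "[Nov 9 20:59:27] WARNING[1934]: chan_sip.c:4071 retrans_pkt: Timeout on 97xx on non-critical invite transaction",
])

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Return the key="value" fields of a SECURITY log line, or None for other lines."""
    if "SECURITY[" not in line or "SecurityEvent=" not in line:
        return None
    return dict(FIELD_RE.findall(line))

def remote_ip(event):
    """Extract the address from RemoteAddress, which reads <family>/<transport>/<ip>/<port>."""
    parts = event.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) == 4 and parts[2] else None

def suspicious_challenges(log_text, known_accounts):
    """Map source IP -> AccountIDs of challenged requests not in known_accounts.

    known_accounts is a hypothetical set of AccountID values you expect to see
    from your own phones; anything else that was challenged is reported.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_event(line)
        if not event or event.get("SecurityEvent") != "ChallengeSent":
            continue
        ip, account = remote_ip(event), event.get("AccountID", "")
        if ip and account not in known_accounts:
            hits[ip].append(account)
    return dict(hits)

if __name__ == "__main__":
    for ip, accounts in suspicious_challenges(SAMPLE_LOG, {"101"}).items():
        print(f"{ip}: {len(accounts)} challenged request(s), AccountIDs {accounts}")
```

Lines with the address removed, like the one in the first post, are skipped because there is no source to report.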