Somebody hacked asterisk, please help

talktt · October 15, 2011, 12:12am

Somebody hacked me with the way below. Caller makes call with channel A, then hold it or conference, ( I don’t know ), then wait channel B to be created and end channel A and at the same time get the channel B and put echo test on it which he got 20 minutes call. However asterisk only got one call record from channel A to channel B which only lasts 2 seconds. the 20 minutes call is not billed at all. I lost money because of this. Is it because direct media = yes ? How can I stop it completely ? People can use this way to get call without being billed. please help. Asterisk 1.6.20. 1.1.1.1 is hacker’s IP and 2.2.2.2 is carrier’s IP. Michael

[Oct 14 03:01:00] VERBOSE[21505] pbx.c: [Oct 14 03:01:00] VERBOSE[21505] res_agi.c: [Oct 14 03:01:00] VERBOSE[21505] res_agi.c: [Oct 14 03:01:00] VERBOSE[21505] app_dial.c: [Oct 14 03:01:00] VERBOSE[21505] app_dial.c: [Oct 14 03:01:00] VERBOSE[21505] app_dial.c: [Oct 14 03:01:00] VERBOSE[21505] app_dial.c: [Oct 14 03:01:00] VERBOSE[21505] app_dial.c: [Oct 14 03:01:00] VERBOSE[21505] app_dial.c: [Oct 14 03:01:00] VERBOSE[21505] app_dial.c: [Oct 14 03:01:00] VERBOSE[21505] app_dial.c: [Oct 14 03:01:00] VERBOSE[21505] app_dial.c: [Oct 14 03:01:00] VERBOSE[21505] netsock.c: [Oct 14 03:01:00] VERBOSE[21505] app_dial.c: [Oct 14 03:01:00] VERBOSE[21505] app_dial.c: [Oct 14 03:01:00] VERBOSE[21505] channel.c: [Oct 14 03:01:00] VERBOSE[21505] app_dial.c: [Oct 14 03:01:01] VERBOSE[21505] app_dial.c: [Oct 14 03:01:02] VERBOSE[21505] pbx.c: [Oct 14 03:01:02] VERBOSE[21505] pbx.c: [Oct 14 03:01:02] VERBOSE[21505] pbx.c: [Oct 14 03:01:02] VERBOSE[21505] pbx.c: [Oct 14 03:01:02] VERBOSE[21505] pbx.c: [Oct 14 03:01:02] VERBOSE[21505] pbx.c: [Oct 14 03:01:02] VERBOSE[21505] pbx.c: [Oct 14 03:01:02] VERBOSE[21505] pbx.c: [Oct 14 03:01:02] VERBOSE[21505] pbx.c: [Oct 14 03:01:02] VERBOSE[21505] pbx.c: [Oct 14 03:01:02] VERBOSE[21505] pbx.c: [Oct 14 03:01:02] VERBOSE[21505] pbx.c: [Oct 14 03:01:02] VERBOSE[21505] pbx.c: [Oct 14 03:01:02] VERBOSE[21512] pbx.c: [Oct 14 03:01:02] VERBOSE[21512] pbx.c: [Oct 14 03:01:02] VERBOSE[21512] file.c: [Oct 14 03:01:02] VERBOSE[21505] res_agi.c: [Oct 14 03:01:02] VERBOSE[21505] pbx.c: [Oct 14 03:01:21] VERBOSE[21512] pbx.c: [Oct 14 [Oct 14 03:19:49] VERBOSE[21512] pbx.c: [Oct 14 03:19:49] VERBOSE[21512] pbx.c: [Oct 14 03:19:49] VERBOSE[21512] pbx.c: [Oct 14 03:19:49] VERBOSE[21512] pbx.c: [Oct 14 03:19:49] VERBOSE[21512] pbx.c: [Oct 14 03:19:49] VERBOSE[21512] pbx.c: [Oct 14 03:19:49] VERBOSE[21512] pbx.c: [Oct 14 03:19:49] VERBOSE[21512] pbx.c: [Oct 14 03:19:49] VERBOSE[21512] pbx.c: [Oct 14 03:19:49] VERBOSE[21512] pbx.c: [Oct 14 03:19:49] VERBOSE[21512] pbx.c: [Oct 14 03:19:49] VERBOSE[21512] pbx.c: [Oct 14 03:19:49] VERBOSE[21512] pbx.c: – Executing [23222280461@a2billing:1] AGI(“SIP/1122334455-0000051e”, “a2billing.php”) in new stack
– Launched AGI Script /var/lib/asterisk/agi-bin/a2billing.php
– AGI Script Executing Application: (DIAL) Options: (SIP/MyTrunk/23222280461,60,HRL(487000:61000:30000))
– Limit Data for this call:
> timelimit = 487000
> play_warning = 61000
> play_to_caller = yes
> play_to_callee = no
> warning_freq = 30000
> start_sound =
> warning_sound = timeleft
> end_sound =
== Using SIP RTP CoS mark 5
– Called MyTrunk/23222280461
– SIP/1122334455-0000051e requested special control 16, passing it to SIP/MyTrunk-0000051f
– Music class default requested but no musiconhold loaded.
– SIP/1122334455-0000051e requested special control 20, passing it to SIP/MyTrunk-0000051f
– SIP/MyTrunk-0000051f answered SIP/1122334455-0000051e
– Executing [h@a2billing:1] NoOp(“SIP/1122334455-0000051e”, ““extended CDR””) in new stack
– Executing [h@a2billing:2] Set(“SIP/1122334455-0000051e”, “CDR(hangupcause)=16”) in new stack
– Executing [h@a2billing:3] Set(“SIP/1122334455-0000051e”, “CDR(peerip)=1.1.1.1”) in new stack
– Executing [h@a2billing:4] Set(“SIP/1122334455-0000051e”, “CDR(recvip)=1.1.1.1”) in new stack
– Executing [h@a2billing:5] Set(“SIP/1122334455-0000051e”, “CDR(from)=sip:1122334455@xxx.sip.com”) in new stack
– Executing [h@a2billing:6] Set(“SIP/1122334455-0000051e”, “CDR(uri)=sip:1122334455@1.1.1.1:26976”) in new stack
– Executing [h@a2billing:7] Set(“SIP/1122334455-0000051e”, “CDR(useragent)=eyeBeam release 1100l stamp 46320”) in new stack
– Executing [h@a2billing:8] Set(“SIP/1122334455-0000051e”, “CDR(codec1)=ulaw”) in new stack
– Executing [h@a2billing:9] Set(“SIP/1122334455-0000051e”, “CDR(codec2)=ulaw”) in new stack
– Executing [h@a2billing:10] Set(“SIP/1122334455-0000051e”, “CDR(llp)=0”) in new stack
– Executing [h@a2billing:11] Set(“SIP/1122334455-0000051e”, “CDR(rlp)=5730650”) in new stack
– Executing [h@a2billing:12] Set(“SIP/1122334455-0000051e”, “CDR(ljitt)=3”) in new stack
– Executing [h@a2billing:13] Set(“SIP/1122334455-0000051e”, “CDR(rjitt)=16961196”) in new stack
– Executing [*5@a2billing:1] Answer(“SIP/MyTrunk-0000051f”, “1”) in new stack
– Executing [*5@a2billing:2] Playback(“SIP/MyTrunk-0000051f”, “demo-echotest”) in new stack
– <SIP/MyTrunk-0000051f> Playing ‘demo-echotest.slin’ (language ‘en’)
– <SIP/1122334455-0000051e>AGI Script a2billing.php completed, returning 4
== Spawn extension (a2billing, 23222280461, 1) exited non-zero on ‘SIP/1122334455-0000051e’
– Executing [*5@a2billing:3] Echo(“SIP/MyTrunk-0000051f”, “”) in new stack
03:19:49] VERBOSE[21512] pbx.c: == Spawn extension (a2billing, *5, 3) exited non-zero on ‘SIP/MyTrunk-0000051f’
– Executing [h@a2billing:1] NoOp(“SIP/MyTrunk-0000051f”, ““extended CDR””) in new stack
– Executing [h@a2billing:2] Set(“SIP/MyTrunk-0000051f”, “CDR(hangupcause)=0”) in new stack
– Executing [h@a2billing:3] Set(“SIP/MyTrunk-0000051f”, “CDR(peerip)=2.2.2.2”) in new stack
– Executing [h@a2billing:4] Set(“SIP/MyTrunk-0000051f”, “CDR(recvip)=2.2.2.2”) in new stack
– Executing [h@a2billing:5] Set(“SIP/MyTrunk-0000051f”, “CDR(from)=”) in new stack
– Executing [h@a2billing:6] Set(“SIP/MyTrunk-0000051f”, “CDR(uri)=sip:23222280461@2.2.2.2:5060”) in new stack
– Executing [h@a2billing:7] Set(“SIP/MyTrunk-0000051f”, “CDR(useragent)=Cisco-SIPGateway/IOS-12.x”) in new stack
– Executing [h@a2billing:8] Set(“SIP/MyTrunk-0000051f”, “CDR(codec1)=g729”) in new stack
– Executing [h@a2billing:9] Set(“SIP/MyTrunk-0000051f”, “CDR(codec2)=g729”) in new stack
– Executing [h@a2billing:10] Set(“SIP/MyTrunk-0000051f”, “CDR(llp)=0”) in new stack
– Executing [h@a2billing:11] Set(“SIP/MyTrunk-0000051f”, “CDR(rlp)=0”) in new stack
– Executing [h@a2billing:12] Set(“SIP/MyTrunk-0000051f”, “CDR(ljitt)=3”) in new stack
– Executing [h@a2billing:13] Set(“SIP/MyTrunk-0000051f”, “CDR(rjitt)=3”) in new stack

david55 · October 15, 2011, 9:23am

CDRs cannot cope with complex cases well, you need to use channel even logging (new in 1.8 ).

talktt · October 16, 2011, 10:40pm

David. thanks for your reply. CEL should improve the situation. I installed 1.8 with CEL enabled and billing is basically based on AGI dial and get answertime from AGI. Does billing need to be changed to catch more events from CEL or no need to change anything from 1.6 to 1.8 ?

Topic		Replies	Views
Ghost Call from Asterisk Asterisk Support	0	222	October 6, 2011
Hacked? Asterisk Support	5	321	March 1, 2010
Help with my system Asterisk Support	3	273	October 31, 2012
V. 1.8.4 fake ring Asterisk Support	14	1877	August 11, 2011
Asterisk Disconnect Call around 90 second Asterisk Support	13	1098	January 25, 2012

Somebody hacked asterisk, please help

Related topics