Hello All,
Running: 6.12.65-32
Trying to figure out how someone has made several international calls.
IPs in this log: 1.2.3.4 is the PBX and 5.6.7.8 is the hacker.
I verified the extension they appeared at had an outrageous password as automatically generated, so this may be some other method of authenticating.
Since I can see the IP, I used that to search all log files and can only see the IP in the fail2ban logging in /var/log/asterisk.
The log shows that they are passing the international number they want to dial in the "AccountID" value.
fail2ban-20161007:[2016-10-06 23:10:30] SECURITY[7788] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1475809830-790217",Severity="Informational",Service="SIP",EventVersion="1",AccountID="0112917162381",SessionID="0x7fe55ca2dc68",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/5.6.7.8/6036",UsingPassword="1"
fail2ban-20161007:[2016-10-06 23:12:18] SECURITY[7788] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1475809938-832691",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:[email protected]",SessionID="0x7fe55c4f60d8",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/5.6.7.8/6036",Challenge="14863ecb"
fail2ban-20161007:[2016-10-06 23:12:19] SECURITY[7788] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1475809939-54614",Severity="Informational",Service="SIP",EventVersion="1",AccountID="01150427888372",SessionID="0x7fe55c4f60d8",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/5.6.7.8/6036",UsingPassword="1"
fail2ban-20161007:[2016-10-06 23:12:24] SECURITY[7788] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1475809944-888588",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:[email protected]",SessionID="0x7fe55cad6eb8",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/5.6.7.8/6036",Challenge="36b601ee"
fail2ban-20161007:[2016-10-06 23:12:25] SECURITY[7788] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1475809945-108512",Severity="Informational",Service="SIP",EventVersion="1",AccountID="01150427888372",SessionID="0x7fe55cad6eb8",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/5.6.7.8/6036",UsingPassword="1"
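Added example, not part of the original post: a small Python parser for res_security_log.c lines in the format shown above. It flags SuccessfulAuth events whose AccountID is not one of the PBX's configured extensions (the dial-string-as-account pattern in the post) and reports, via the shared SessionID, which account the same session was actually challenged for. The extension names, addresses and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the res_security_log.c format from the post;
# addresses, session ids and account values are made up for this example.
SAMPLE_LOG = """\
[2016-10-06 23:12:18] SECURITY[7788] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1475809938-832691",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:201@1.2.3.4",SessionID="0x7fe55c4f60d8",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/5.6.7.8/6036",Challenge="14863ecb"
[2016-10-06 23:12:19] SECURITY[7788] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1475809939-54614",Severity="Informational",Service="SIP",EventVersion="1",AccountID="01150427888372",SessionID="0x7fe55c4f60d8",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/5.6.7.8/6036",UsingPassword="1"
[2016-10-06 23:15:00] SECURITY[7788] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1475810100-1",Severity="Informational",Service="SIP",EventVersion="1",AccountID="201",SessionID="0x7fe55c000001",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/10.0.0.25/5060",UsingPassword="1"
"""

KNOWN_EXTENSIONS = {"201", "202"}  # assumption: the peer names really configured on the PBX
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Turn one SECURITY log line into a dict of its key="value" fields plus the timestamp."""
    fields = dict(FIELD_RE.findall(line))
    fields["timestamp"] = line[1:line.index("]")]
    return fields

def parse_log(text):
    return [parse_event(l) for l in text.splitlines() if "SecurityEvent=" in l]

def find_suspicious_auths(events, known_extensions=KNOWN_EXTENSIONS):
    """Return (timestamp, AccountID, RemoteAddress, challenged_as) for every
    SuccessfulAuth whose AccountID is not a configured extension, e.g. a number
    with an international prefix instead of a peer name."""
    # Which account each session was challenged for, keyed by SessionID.
    challenged = {ev["SessionID"]: ev["AccountID"]
                  for ev in events if ev.get("SecurityEvent") == "ChallengeSent"}
    hits = []
    for ev in events:
        if ev.get("SecurityEvent") != "SuccessfulAuth":
            continue
        acct = ev.get("AccountID", "")
        if acct not in known_extensions:
            hits.append((ev["timestamp"], acct, ev["RemoteAddress"],
                         challenged.get(ev["SessionID"], "<no challenge seen>")))
    return hits

def auths_by_remote(hits):
    """Count flagged auths per remote host (3rd slash field of IPV4/UDP/host/port)."""
    counts = defaultdict(int)
    for _, _, remote, _ in hits:
        counts[remote.split("/")[2]] += 1
    return dict(counts)

if __name__ == "__main__":
    hits = find_suspicious_auths(parse_log(SAMPLE_LOG))
    for h in hits:
        print("suspicious auth:", *h)
    print("per remote host:", auths_by_remote(hits))
```

Point it at the real fail2ban/security log and replace KNOWN_EXTENSIONS with the peers actually defined on the PBX; the per-host counts are what you would feed to an alert or a firewall block.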