Am I being hacked?

When I look at the CDR report from the weekend, when we are closed, I get the following. Sorry for the formatting; it's a little messy.

The second part below is what I get when I click on a call and look at the details.

Thanks in advance for looking,

Call Date            System            CallerID  App         Destination            Disposition  Duration
2013-11-03 01:28:19  1383460099.15649  2002      Answer      s [from-sip-external]  ANSWERED     00:00
2013-11-03 01:28:18  1383460098.15648  2002      Answer      s [from-sip-external]  ANSWERED     00:01
2013-11-03 01:28:17  1383460097.15647  2002      Answer      s [from-sip-external]  ANSWERED     00:01
2013-11-03 01:10:32  1383459032.15646  100       Congestion  s [from-sip-external]  ANSWERED     00:13
2013-11-03 00:18:27  1383455907.15645  6001      Answer      s [from-sip-external]  ANSWERED     00:00
2013-11-03 00:18:26  1383455906.15644  6001      Answer      s [from-sip-external]  ANSWERED     00:00
2013-11-03 00:18:25  1383455905.15643  6001      Answer      s [from-sip-external]  ANSWERED     00:00
2013-11-02 23:53:38  1383454418.15642  100       Congestion  s [from-sip-external]  ANSWERED     00:13
2013-11-02 23:08:32  1383451712.15641  800       Answer      s [from-sip-external]  ANSWERED     00:00
2013-11-02 23:08:31  1383451711.15640  800       Answer      s [from-sip-external]  ANSWERED     00:00
2013-11-02 23:08:30  1383451710.15639  800       Answer      s [from-sip-external]  ANSWERED     00:01
2013-11-02 22:37:58  1383449878.15638  100       Congestion  s [from-sip-external]  ANSWERED     00:13
2013-11-02 21:55:02  1383447302.15637  0123456   Answer      s [from-sip-external]  ANSWERED     00:00
2013-11-02 21:55:01  1383447301.15636  0123456   Answer      s [from-sip-external]  ANSWERED     00:01
2013-11-02 21:55:00  1383447300.15635  0123456   Wait        s [from-sip-external]  ANSWERED     00:01
2013-11-02 21:22:18  1383445338.15634  100       Congestion  s [from-sip-external]  ANSWERED     00:12
2013-11-02 20:06:51  1383440811.15633  100       Congestion  s [from-sip-external]  ANSWERED     00:13
2013-11-02 18:51:27  1383436287.15632  100       Congestion  s [from-sip-external]  ANSWERED     00:13
2013-11-02 17:35:16  1383431716.15631  100       Congestion  s [from-sip-external]  ANSWERED     00:13
2013-11-02 16:19:49  1383427189.15630  100       Congestion  s [from-sip-external]  ANSWERED     00:13
2013-11-02 16:16:16  1383426976.15629  1002      Answer      s [from-sip-external]  ANSWERED     00:00
2013-11-02 16:16:14  1383426974.15628  1002      Answer      s [from-sip-external]  ANSWERED     00:00
2013-11-02 16:16:11  1383426971.15627  1002      Answer      s [from-sip-external]  ANSWERED     00:01
2013-11-02 16:16:09  1383426969.15626  1002      Answer      s [from-sip-external]  ANSWERED     00:00
2013-11-02 15:03:30  1383422610.15625  100       Congestion  s [from-sip-external]  ANSWERED     00:13
2013-11-02 14:06:59  1383419219.15624  8000000   Answer      s [from-sip-external]  ANSWERED     00:00
2013-11-02 14:06:56  1383419216.15623  8000000   Answer      s [from-sip-external]  ANSWERED     00:00
2013-11-02 14:06:54  1383419214.15622  8000000   Answer      s [from-sip-external]  ANSWERED     00:00
2013-11-02 14:06:51  1383419211.15621  8000000   Answer      s [from-sip-external]  ANSWERED     00:00
2013-11-02 13:47:58  1383418078.15620  100       Congestion  s [from-sip-external]  ANSWERED     00:12

(The Recording, Outbound CallerID, DID, Userfield, Account, CDR Table and CDR Graph columns of the report were empty for every row and are omitted above.)

This was a 13-second call; I changed the IP to X's.

Time                 Event         CNAM  CNUM  ANI  DID               AMA      exten             context            App     channel
2013-11-02 16:19:49  CHAN_START    100   100                          DEFAULT  7011448708752617  from-sip-external          SIP/xxx.x.xxx.xxx-00003a40
2013-11-02 16:19:49  ANSWER        100   100   100  7011448708752617  DEFAULT  s                 from-sip-external  Answer  SIP/xxx.x.xxx.xxx-00003a40
2013-11-02 16:20:02  HANGUP        100   100   100  7011448708752617  DEFAULT  h                 from-sip-external          SIP/xxx.x.xxx.xxx-00003a40
2013-11-02 16:20:02  CHAN_END      100   100   100  7011448708752617  DEFAULT  h                 from-sip-external          SIP/xxx.x.xxx.xxx-00003a40
2013-11-02 16:20:02  LINKEDID_END  100   100   100  7011448708752617  DEFAULT  h                 from-sip-external          SIP/xxx.x.xxx.xxx-00003a40

(The UserDefType and EventExtra columns of the CEL table were empty and are omitted above.)

Looks like you are being probed. Is your system exposed to the internet? Are you allowing SIP in from all hosts?

Yes, we are exposed to the internet for SIP, one IAX trunk down a VPN and one POTS gateway.

Allow SIP Guests = Yes
Allow Anonymous Inbound SIP Calls = No

Your settings of:
Allow SIP Guests = Yes
Allow Anonymous Inbound SIP Calls = No

mean that your box will allow anyone to dial your IP via SIP. When your system answers, because you have Allow Anonymous Inbound set to No, the system will play back a message telling the caller that there is no service/routing available for them. The 10-13 seconds you are seeing in the calls is the time it takes for Asterisk to play this "No service available" message.

If you want to avoid this problem, either disable port 5060 inbound on your firewall (it shouldn't be open unless you really need it anyway), or at the very least set Allow SIP Guests to No, since you obviously aren't expecting direct IP calls.

jolouis
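The pattern jolouis describes is visible in the CDR rows: bursts of two-to-four guest calls one or two seconds apart that hang up almost immediately (a scanner enumerating), and the 12-13 second Congestion calls where Asterisk is playing the "no service" message. The script below, an added example and not code from the thread or from FreePBX, runs that detection over rows copied from the CDR export in the first post (plus one constructed internal call for contrast). The pipe-separated row layout, the `from-sip-external` context check and the thresholds (3 or more sub-second calls within 10 seconds; Congestion calls of 10-15 seconds) are assumptions chosen for this example, not FreePBX defaults.

```python
"""Flag SIP probing in Asterisk/FreePBX CDR rows (added example, not thread code)."""
import re
from collections import defaultdict
from datetime import datetime

# Sample rows: copied from the poster's CDR export (date, uniqueid, callerid,
# app, destination, disposition, duration); the last row is a constructed
# internal call so the filter has something to leave alone.
SAMPLE_CDR = """\
2013-11-03 01:28:19|1383460099.15649|2002|Answer|s [from-sip-external]|ANSWERED|00:00
2013-11-03 01:28:18|1383460098.15648|2002|Answer|s [from-sip-external]|ANSWERED|00:01
2013-11-03 01:28:17|1383460097.15647|2002|Answer|s [from-sip-external]|ANSWERED|00:01
2013-11-03 01:10:32|1383459032.15646|100|Congestion|s [from-sip-external]|ANSWERED|00:13
2013-11-02 23:53:38|1383454418.15642|100|Congestion|s [from-sip-external]|ANSWERED|00:13
2013-11-02 21:55:02|1383447302.15637|0123456|Answer|s [from-sip-external]|ANSWERED|00:00
2013-11-02 21:55:01|1383447301.15636|0123456|Answer|s [from-sip-external]|ANSWERED|00:01
2013-11-02 21:55:00|1383447300.15635|0123456|Wait|s [from-sip-external]|ANSWERED|00:01
2013-11-02 16:16:16|1383426976.15629|1002|Answer|s [from-sip-external]|ANSWERED|00:00
2013-11-02 16:16:14|1383426974.15628|1002|Answer|s [from-sip-external]|ANSWERED|00:00
2013-11-02 16:16:11|1383426971.15627|1002|Answer|s [from-sip-external]|ANSWERED|00:01
2013-11-02 16:16:09|1383426969.15626|1002|Answer|s [from-sip-external]|ANSWERED|00:00
2013-11-02 12:00:00|1383411600.15600|2001|Dial|201 [from-internal]|ANSWERED|02:15
"""

# FreePBX sends unauthenticated (guest) SIP calls to this context.
GUEST_CONTEXT = "from-sip-external"


def parse_duration(text):
    """'mm:ss' or 'hh:mm:ss' -> seconds."""
    seconds = 0
    for part in text.split(":"):
        seconds = seconds * 60 + int(part)
    return seconds


def parse_cdr(text):
    """Parse the pipe-separated rows into dicts; the context is pulled from the
    '[...]' part of the Destination column."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, uniqueid, callerid, app, dest, disp, dur = line.split("|")
        m = re.search(r"\[(.+?)\]", dest)
        rows.append({
            "time": datetime.strptime(date, "%Y-%m-%d %H:%M:%S"),
            "uniqueid": uniqueid,
            "callerid": callerid,
            "app": app,
            "context": m.group(1) if m else "",
            "disposition": disp,
            "duration": parse_duration(dur),
        })
    return rows


def find_bursts(rows, window=10, min_calls=3, max_duration=1):
    """Runs of short guest calls from the same CallerID, each within `window`
    seconds of the previous one: the enumeration pattern. Thresholds are assumed."""
    by_cid = defaultdict(list)
    for r in rows:
        if r["context"] == GUEST_CONTEXT and r["duration"] <= max_duration:
            by_cid[r["callerid"]].append(r)
    bursts = []
    for cid, calls in by_cid.items():
        calls.sort(key=lambda r: r["time"])
        run = [calls[0]]
        for prev, cur in zip(calls, calls[1:]):
            if (cur["time"] - prev["time"]).total_seconds() <= window:
                run.append(cur)
            else:
                if len(run) >= min_calls:
                    bursts.append((cid, len(run), run[0]["time"], run[-1]["time"]))
                run = [cur]
        if len(run) >= min_calls:
            bursts.append((cid, len(run), run[0]["time"], run[-1]["time"]))
    return bursts


def find_no_service_hits(rows, low=10, high=15):
    """Guest calls that ended in Congestion after roughly the length of the
    'no service' announcement (10-15 s is an assumed window)."""
    return [r for r in rows
            if r["context"] == GUEST_CONTEXT and r["app"] == "Congestion"
            and low <= r["duration"] <= high]


def summarize(text):
    rows = parse_cdr(text)
    return {
        "guest_calls": sum(1 for r in rows if r["context"] == GUEST_CONTEXT),
        "bursts": sorted((cid, n) for cid, n, _, _ in find_bursts(rows)),
        "no_service_calls": len(find_no_service_hits(rows)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_CDR))
```

Run against a full export (the FreePBX CDR report can be downloaded as CSV; adjust the field order in parse_cdr to match) the same two checks give a quick count of how often the box is being hit outside business hours, and the CallerID groupings show which "extensions" the scanner was trying.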

Thanks for the reply. I set Allow SIP Guests = No and, from what I've seen thus far, that seemed to take care of it. I will look to disable port 5060 as well; I was thinking that port needed to be open for some reason, but will give it a try.

Thanks again,

Jay

Hey Jay,

Port 5060 only needs to be open if you have phones/devices off site that you want to be able to register to your FPBX system. Just make sure that your trunk has qualify=yes (this will keep port 5060 open for only the IP of your SIP trunk provider’s switch), and you can then safely block port 5060 on the firewall.

At first I just denied all SIP/5060 and the trunks would fail, as expected.

I then added qualify=yes to the trunks and our main trunk would register and works just fine.

But it's always something. We have a CallCentric backup trunk and that trunk does not register; it times out. CallCentric is always a challenge, it seems.

Here is the peer details:

videosupport=no
type=peer   ; posted as "type=peer&peer&peer", which is not a valid chan_sip type (peer, user or friend)
session-timers=refuse
secret=XXXXXXXXX
insecure=port,invite
host=callcentric.com
fromuser=XXXXXXXXXX
fromdomain=callcentric.com
disallowed_methods=UPDATE
disallow=all
directmedia=no
defaultuser=XXXXXXXX
context=from-pstn
allow=ulaw
qualify=yes

I wanted to disable the Allow Anonymous Inbound SIP Calls setting while using CallCentric, so I added the following sip_custom_post.conf file:

; sip_custom_post.conf: one peer per CallCentric signalling host.
; [name](callcentric) inherits every option of the trunk's [callcentric]
; section and overrides host=, so an INVITE from alphaN.callcentric.com
; matches a peer instead of falling through to guest/anonymous handling.
; (The list as originally posted had a second [callcentric10] pointing at
; alpha11.callcentric.com; it duplicated [callcentric11] and is dropped here.)

[callcentric1](callcentric)
host=alpha1.callcentric.com

[callcentric2](callcentric)
host=alpha2.callcentric.com

[callcentric3](callcentric)
host=alpha3.callcentric.com

[callcentric4](callcentric)
host=alpha4.callcentric.com

[callcentric5](callcentric)
host=alpha5.callcentric.com

[callcentric6](callcentric)
host=alpha6.callcentric.com

[callcentric7](callcentric)
host=alpha7.callcentric.com

[callcentric8](callcentric)
host=alpha8.callcentric.com

[callcentric9](callcentric)
host=alpha9.callcentric.com

[callcentric10](callcentric)
host=alpha10.callcentric.com

[callcentric11](callcentric)
host=alpha11.callcentric.com

[callcentric12](callcentric)
host=alpha12.callcentric.com

[callcentric13](callcentric)
host=alpha13.callcentric.com

[callcentric14](callcentric)
host=alpha14.callcentric.com

[callcentric15](callcentric)
host=alpha15.callcentric.com

[callcentric16](callcentric)
host=alpha16.callcentric.com

[callcentric17](callcentric)
host=alpha17.callcentric.com

[callcentric18](callcentric)
host=alpha18.callcentric.com

[callcentric19](callcentric)
host=alpha19.callcentric.com

[callcentric20](callcentric)
host=alpha20.callcentric.com

Looks now to be working; maybe CallCentric had to flush out or something. Will keep an eye on it for a little bit longer here.

Thanks

Jay
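A hand-maintained per-host peer list like the one above is easy to get wrong: a duplicated section name means the later definition's host quietly takes over, and a provider host with no matching peer falls back to guest handling, which is exactly what disabling anonymous inbound was meant to prevent. The checker below is an added example, not code from the thread, from FreePBX or from CallCentric. It parses Asterisk's `[section](template)` inheritance syntax, reports duplicate section names and resolves each derived peer's effective host so that an expected host list can be verified. The sample configuration is constructed: the base `[callcentric]` section stands in for what FreePBX writes to sip_additional.conf, the numbered sections for sip_custom_post.conf, and the host names are illustrative.

```python
"""Check per-host provider peers in Asterisk config text (added example)."""
import re
from collections import OrderedDict

# [name], [name](template1,template2) or [name](!) for a pure template.
SECTION_RE = re.compile(r"^\[([^\]]+)\](?:\((.*)\))?\s*$")

# Constructed sample. The second [callcentric2] is a deliberate duplicate.
SAMPLE_CONF = """\
; base peer as FreePBX would generate it (constructed)
[callcentric]
type=peer
host=callcentric.com
context=from-pstn
qualify=yes
insecure=port,invite

; per-host peers inheriting from the base (constructed)
[callcentric1](callcentric)
host=alpha1.callcentric.com

[callcentric2](callcentric)
host=alpha2.callcentric.com

[callcentric2](callcentric)   ; duplicate name: in this checker the later one wins
host=alpha3.callcentric.com
"""


def parse_asterisk_conf(text):
    """Return (sections, duplicates).

    sections maps section name -> (template names, own options). A repeated
    section name replaces the earlier definition and is recorded in duplicates.
    """
    sections = OrderedDict()
    duplicates = []
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1)
            templates = [t.strip() for t in (m.group(2) or "").split(",")
                         if t.strip() and t.strip() != "!"]
            if name in sections:
                duplicates.append(name)
            sections[name] = (templates, OrderedDict())
            current = name
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][1][key.strip()] = value.strip()
    return sections, duplicates


def effective_options(sections, name):
    """Resolve inheritance: template options first, the section's own last."""
    templates, own = sections[name]
    merged = OrderedDict()
    for t in templates:
        if t in sections:
            merged.update(effective_options(sections, t))
    merged.update(own)
    return merged


def check_provider_peers(text, base, expected_hosts):
    """Map every peer derived from `base` to its effective host and report
    duplicate section names and expected hosts that no peer covers."""
    sections, duplicates = parse_asterisk_conf(text)
    host_to_peer = {}
    for name, (templates, _) in sections.items():
        if base in templates:
            host_to_peer[effective_options(sections, name).get("host")] = name
    missing = [h for h in expected_hosts if h not in host_to_peer]
    return {"duplicates": duplicates, "host_to_peer": host_to_peer, "missing": missing}


if __name__ == "__main__":
    expected = ["alpha%d.callcentric.com" % i for i in range(1, 4)]
    print(check_provider_peers(SAMPLE_CONF, "callcentric", expected))
```

To use it on a real box, feed it the concatenation of the file that defines the trunk section and sip_custom_post.conf, in that order, since a section must be defined before another section can inherit from it; the expected host list is whatever the provider documents as its signalling hosts.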