Fail2Ban - successful auth from unknown account


(Mmgg) #1

I’ve been analyzing the fail2ban log in /var/log/asterisk/fail2ban and I found some suspicious lines:

[2021-06-04 16:33:37] SECURITY[1083] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2021-06-04T16:33:37.244-0400",Severity="Informational",Service="SIP",EventVersion="1",AccountID="000358457751160",SessionID="0x7f7a38ea2fa0",LocalAddress="IPV4/UDP/MY-SERVER-IP/5060",RemoteAddress="IPV4/UDP/185.209.178.30/8362",UsingPassword="1"

This appears to be a successful login by account 000358457751160. But there is no such account on my installation. This is not the only such log entry. There are lots of different accounts which don’t exist.

I don’t understand why this is logged as SuccessfulAuth.

Does anyone have an idea what’s going on?

Thanks Very much!
Michael
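
The triage step implied by this post is to pull every SuccessfulAuth line out of the security log and compare its AccountID against the accounts you actually configured. The following Python script is an added example, not code from the original thread or from FreePBX/Asterisk: it parses the key="value" format of res_security_log.c lines, keeps only SuccessfulAuth events whose AccountID is not in a known set, and tallies them by remote IP so you can see which sources are involved. The known-account set, the 1001/1002 extensions and the second and third log lines are constructed for the example; in practice you would build the set from your own configuration (for example from the output of `sip show peers` or `pjsip show endpoints`).

```python
import re
from collections import Counter

# Constructed sample log modelled on the line quoted in the post. The first
# line is the one from the post; the others are made up to show a legitimate
# login and a non-SuccessfulAuth event that must be ignored.
SAMPLE_LOG = """\
[2021-06-04 16:33:37] SECURITY[1083] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2021-06-04T16:33:37.244-0400",Severity="Informational",Service="SIP",EventVersion="1",AccountID="000358457751160",SessionID="0x7f7a38ea2fa0",LocalAddress="IPV4/UDP/MY-SERVER-IP/5060",RemoteAddress="IPV4/UDP/185.209.178.30/8362",UsingPassword="1"
[2021-06-04 16:35:02] SECURITY[1083] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2021-06-04T16:35:02.001-0400",Severity="Informational",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f7a38ea3000",LocalAddress="IPV4/UDP/MY-SERVER-IP/5060",RemoteAddress="IPV4/UDP/192.0.2.10/5060",UsingPassword="1"
[2021-06-04 16:36:11] SECURITY[1083] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2021-06-04T16:36:11.500-0400",Severity="Error",Service="SIP",EventVersion="2",AccountID="1002",SessionID="0x7f7a38ea3100",LocalAddress="IPV4/UDP/MY-SERVER-IP/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
"""

# Assumed set of accounts that exist on the PBX (constructed for the example).
KNOWN_ACCOUNTS = {"1001", "1002"}

# "[timestamp] SECURITY[pid] res_security_log.c: <comma-separated key="value" pairs>"
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\] res_security_log\.c: (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_security_line(line):
    """Return a dict of the event's fields plus 'Timestamp', or None if the
    line is not a res_security_log.c security event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("body")))
    fields["Timestamp"] = m.group("ts")
    return fields


def remote_ip(address):
    """Extract the IP from an Asterisk address field such as
    'IPV4/UDP/185.209.178.30/8362'."""
    parts = address.split("/")
    return parts[2] if len(parts) >= 3 else address


def find_unknown_successful_auths(log_text, known_accounts):
    """Return SuccessfulAuth events whose AccountID is not a configured account."""
    hits = []
    for line in log_text.splitlines():
        event = parse_security_line(line)
        if event is None or event.get("SecurityEvent") != "SuccessfulAuth":
            continue
        account = event.get("AccountID", "")
        if account in known_accounts:
            continue
        hits.append({
            "timestamp": event["Timestamp"],
            "account": account,
            "service": event.get("Service", ""),
            "remote_ip": remote_ip(event.get("RemoteAddress", "")),
        })
    return hits


def summarize_by_remote_ip(hits):
    """Count unknown-account logins per remote IP."""
    return Counter(h["remote_ip"] for h in hits)


if __name__ == "__main__":
    unknown = find_unknown_successful_auths(SAMPLE_LOG, KNOWN_ACCOUNTS)
    for h in unknown:
        print(f"{h['timestamp']} {h['service']} account={h['account']} from {h['remote_ip']}")
    print("per remote IP:", dict(summarize_by_remote_ip(unknown)))
```

Run against the real file with `find_unknown_successful_auths(open("/var/log/asterisk/fail2ban").read(), known)`; any hit is an account Asterisk accepted a password for that is not in your configuration, which is exactly the condition the post describes and what you would cross-check against the `full*` logs for the same timestamps.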


#2

That password has been leaked or an account has been inserted.


#3

As this was only 2 days ago, you should still have /var/log/asterisk/full* and can see what happened at that time. Also, see whether these bogus extensions have actually been created.

If so, the only safe path may be to start over with a new installation and secure it properly.


#4

I just noticed that +358457751160 is a valid Finland mobile number on DNA. If your system requires an initial 0 to dial external numbers and uses 00 as the international prefix, then 000358457751160 would be a valid number to dial on your system and may have been set up e.g. to forward calls to an associate’s mobile.


(Mmgg) #5

That was my first thought. My system got compromised and someone created lots of extensions. However, there is no trace of any suspicious activity other than those log statements.

I searched through all config files for those account numbers but there’s no trace.


#6

Is there any entry in the Asterisk log at [2021-06-04 16:33:37]?

Does your organization have any connection to Finland?


#7

Are these also valid numbers to call?


#8

That something can create accounts and use them without leaving a trace is concerning.

Please save a copy of that machine, there are likely some folks that would like to forensically analyse it.


(Mmgg) #9

I have a suspicion that the issue is related to this:
https://wiki.freepbx.org/display/FOP/2019-11-20+Remote+Admin+Authentication+Bypass

I have updated all modules to the latest version. Now I’m trying to install the firewall module.

