Fail2Ban - successful auth from unknown account

mgrue · June 6, 2021, 3:45pm

I’ve been analizig the fail2ban log in /var/log/asterisk/fail2ban and I found some suspicious lines:

[2021-06-04 16:33:37] SECURITY[1083] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2021-06-04T16:33:37.244-0400”,Severity=“Informational”,Service=“SIP”,EventVersion=“1”,AccountID=“000358457751160”,SessionID=“0x7f7a38ea2fa0”,LocalAddress=“IPV4/UDP/MY-SERVER-IP/5060”,RemoteAddress=“IPV4/UDP/185.209.178.30/8362”,UsingPassword=“1”

This appears to be a successful login by account 000358457751160. But there is no such an account on my installation. This is not the only of such log entries. There are lots of different accounts which don’t exist.

I don’t understand why this is logged as SuccessfulAuth.

Does anyone have an idea what’s going on?

Thanks Very much!
Michael

dicko · June 6, 2021, 4:05pm

That password has been leaked or an account has been inserted.

Stewart1 · June 6, 2021, 4:38pm

As this was only 2 days ago, you should still have /var/log/asterisk/full* and can see what happened at that time. Also, see whether these bogus extensions have actually been created.

If so, the only safe path may be to start over with a new installation and secure it properly.

Stewart1 · June 6, 2021, 6:02pm

I just noticed that +358457751160 is a valid Finland mobile number on DNA. If your system requires an initial 0 to dial external numbers and uses 00 as the international prefix, then 000358457751160 would be a valid number to dial on your system and may have been set up e.g. to forward calls to an associate’s mobile.

mgrue · June 6, 2021, 6:04pm

That was my first thought. My system got compromised and someone created lots of extensions. However, there is no trace of any suspicious activity other than those log statements.

I searched through all config files for those account numbers but there’s no trace.

Stewart1 · June 6, 2021, 6:12pm

Is there any entry in the Asterisk log at [2021-06-04 16:33:37]?

Does your organization have any connection to Finland?

Stewart1 · June 6, 2021, 6:13pm

Are these also valid numbers to call?

dicko · June 6, 2021, 6:37pm

That something can create accounts and use them without leaving a trace is concerning.

Please save a copy of that machine, there are likely some folks that would like to forensically analyse it.

mgrue · June 7, 2021, 7:27am

I have a suspicion that the issue is related to this:
https://wiki.freepbx.org/display/FOP/2019-11-20+Remote+Admin+Authentication+Bypass

I have updated all modules to the latest version. Now I’m trying to install the firewall module.

system · July 8, 2021, 7:27am

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.