Hi All, we’ve had a situation where our FreePBX has been compromised and some t**t used our system to make a few phone calls. Since then we’ve changed all passwords, SSH connections are only available from the local network, etc…
The PBX is behind the pfSense firewall, it’s up to date and all seems to be fine, except for some entries in the secure log of the CentOS box.
[2014-12-14 19:58:39] SECURITY[20265] res_security_log.c: SecurityEvent=“ChallengeSent”,EventTV=“1418587119-143878”,Severity=“Informational”,Service=“SIP”,EventVersion=“1”,AccountID=“sip:209@81...",SessionID=“0x164a4178”,LocalAddress="IPV4/UDP/81.../5060”,RemoteAddress=“IPV4/UDP/69.30.254.10/5078”,Challenge=“5d55d1cf”
[2014-12-14 19:58:39] NOTICE[20298][C-00000257] chan_sip.c: Failed to authenticate device 209sip:[email protected];tag=78344e98
[2014-12-14 19:58:39] NOTICE[20298][C-00000257] chan_sip.c: Failed to authenticate device 209sip:[email protected];tag=78344e98
[2014-12-14 19:58:39] SECURITY[20265] res_security_log.c: SecurityEvent=“InvalidPassword”,EventTV=“1418587119-411500”,Severity=“Error”,Service=“SIP”,EventVersion=“2”,AccountID=“900972595144330”,SessionID=“0x164a4178”,LocalAddress=“IPV4/UDP/81...*/5060”,RemoteAddress=“IPV4/UDP/69.30.254.10/5078”,Challenge=“5d55d1cf”,ReceivedChallenge=“5d55d1cf”,ReceivedHash=“340659fe23f13581d2e5e4bac7dc301c”
This clearly doesn’t look right and looks like someone is still trying to do bad things to my system/bank account.
The AccountID is a premium phone number.
Device 209 does not exist on our network yet for some reason it’s trying to authenticate.
What else can we do?
Any help much appreciated.
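The SECURITY lines quoted above are emitted by Asterisk's res_security_log module as comma-separated Key="value" pairs, which makes them easy to parse and aggregate per source address. The script below is an added example written for this thread, not code from the original post or from the FreePBX/Asterisk projects: it parses such lines, keeps only the InvalidPassword events, and groups them by the IP inside RemoteAddress so that a source repeatedly failing authentication (the pattern in the post, where a non-existent device and a premium-rate AccountID are being tried) stands out. The sample log lines, the IP addresses (203.0.113.x and 198.51.100.7 are documentation ranges) and the threshold of three failures are constructed for the example; the function names are my own.

```python
import re
from collections import defaultdict

# Fixed prefix of an Asterisk res_security_log line: "[timestamp] SECURITY[pid] res_security_log.c: ..."
_PREFIX = re.compile(
    r'^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\] res_security_log\.c: (?P<body>.+)$')
# Key="value" pairs. Forum software often re-renders straight quotes as curly ones,
# so both forms are accepted.
_FIELD = re.compile(r'(\w+)=["\u201c]([^"\u201d]*)["\u201d]')

# Constructed sample log (modelled on the format in the post, not real traffic).
# Third line deliberately uses curly quotes to exercise that path.
SAMPLE_LOG = """
[2014-12-14 19:58:39] SECURITY[20265] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1418587119-143878",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:209@198.51.100.7",SessionID="0x164a4178",LocalAddress="IPV4/UDP/198.51.100.7/5060",RemoteAddress="IPV4/UDP/203.0.113.10/5078",Challenge="00000001"
[2014-12-14 19:58:39] NOTICE[20298][C-00000257] chan_sip.c: Failed to authenticate device 209
[2014-12-14 19:58:39] SECURITY[20265] res_security_log.c: SecurityEvent=\u201cInvalidPassword\u201d,EventTV=\u201c1418587119-411500\u201d,Severity=\u201cError\u201d,Service=\u201cSIP\u201d,EventVersion=\u201c2\u201d,AccountID=\u201c900972595144330\u201d,SessionID=\u201c0x164a4178\u201d,LocalAddress=\u201cIPV4/UDP/198.51.100.7/5060\u201d,RemoteAddress=\u201cIPV4/UDP/203.0.113.10/5078\u201d,Challenge=\u201c00000001\u201d,ReceivedChallenge=\u201c00000001\u201d,ReceivedHash=\u201c00000000000000000000000000000000\u201d
[2014-12-14 19:58:41] SECURITY[20265] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1418587121-100000",Severity="Error",Service="SIP",EventVersion="2",AccountID="900972595144331",SessionID="0x164a4179",LocalAddress="IPV4/UDP/198.51.100.7/5060",RemoteAddress="IPV4/UDP/203.0.113.10/5078",Challenge="00000002",ReceivedChallenge="00000002",ReceivedHash="00000000000000000000000000000000"
[2014-12-14 19:58:43] SECURITY[20265] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1418587123-200000",Severity="Error",Service="SIP",EventVersion="2",AccountID="209",SessionID="0x164a417a",LocalAddress="IPV4/UDP/198.51.100.7/5060",RemoteAddress="IPV4/UDP/203.0.113.10/5078",Challenge="00000003",ReceivedChallenge="00000003",ReceivedHash="00000000000000000000000000000000"
[2014-12-14 20:01:02] SECURITY[20265] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1418587262-300000",Severity="Error",Service="SIP",EventVersion="2",AccountID="1001",SessionID="0x164a4200",LocalAddress="IPV4/UDP/198.51.100.7/5060",RemoteAddress="IPV4/UDP/203.0.113.22/5060",Challenge="00000004",ReceivedChallenge="00000004",ReceivedHash="00000000000000000000000000000000"
"""


def parse_security_event(line):
    """Return the event's fields as a dict, or None for any non-SECURITY line."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    fields = dict(_FIELD.findall(m.group('body')))
    fields['Timestamp'] = m.group('ts')
    return fields


def remote_ip(event):
    """Pull the address out of RemoteAddress="IPV4/UDP/<ip>/<port>"."""
    parts = event.get('RemoteAddress', '').split('/')
    return parts[2] if len(parts) >= 3 else None


def summarize_failures(lines):
    """Count InvalidPassword events per source IP and record which AccountIDs were tried."""
    summary = defaultdict(lambda: {'failures': 0, 'accounts': set(), 'services': set()})
    for line in lines:
        ev = parse_security_event(line)
        if not ev or ev.get('SecurityEvent') != 'InvalidPassword':
            continue
        ip = remote_ip(ev)
        if ip is None:
            continue
        entry = summary[ip]
        entry['failures'] += 1
        entry['accounts'].add(ev.get('AccountID', ''))
        entry['services'].add(ev.get('Service', ''))
    return dict(summary)


def flag_sources(summary, threshold=3):
    """Source IPs with at least `threshold` failures, most failures first."""
    hits = [ip for ip, e in summary.items() if e['failures'] >= threshold]
    return sorted(hits, key=lambda ip: -summary[ip]['failures'])


if __name__ == '__main__':
    summary = summarize_failures(SAMPLE_LOG.strip().splitlines())
    for ip in flag_sources(summary):
        e = summary[ip]
        print(f"{ip}: {e['failures']} failed auths, accounts tried: {sorted(e['accounts'])}")
```

Pointing the script at the real file (`/var/log/asterisk/full` or the `secure` log, depending on how logging is configured) and feeding its lines to `summarize_failures` gives the same per-source view; the output is exactly what a fail2ban jail or a pfSense block rule wants as input, and the `accounts` set makes it obvious when one source is cycling through extension numbers or premium-rate destinations rather than mistyping a single password.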