Hacked?

Hi!
I am running FreePBX 2.8.1.0 and am experiencing some strange lines in the log:

  1. 2011-01-27 18:17:21 SIP/194.28… asterisk “asterisk” s ANSWERED 00:13
  2. 2011-01-27 18:16:29 SIP/194.28… asterisk “asterisk” s ANSWERED 00:13
  3. 2011-01-27 18:02:27 SIP/66.232… test “test” s ANSWERED 00:01

I see that all of them stop with “s” in the destination field - but I feel that it is a bit scary…

I use: fail2ban, long passwords consisting of letters and numbers on the extensions. The server is placed behind a firewall. I even turn off the http service on the server when I am not using it - just to be on the safe side.

The only way to manage the server is by ssh on a “strange” port - and then using RSA!

The info:

  • PBX in a Flash Version : 1.7.5.5
  • FreePBX Version : 2.8.0.4
  • Running Asterisk Version : Asterisk 1.6.2.9

Is it something to worry about? Do others see this kind of activity?

Thank you,
Jarle

Do you allow anonymous SIP connections? If so, what is the inbound route that handles them? (generally speaking, the Any DID/Any CID route)

If you are allowing anonymous SIP connections and the incoming call doesn’t match anything but the Any/Any, that’s where those calls are going. If you are disallowing anonymous SIP, those calls are going to “congestion”.

The “s” destination simply means that the call was routed to some context that uses the extension “s”. There are many of them within FreePBX. Look at your log file to find out what happened.

So to answer your question, no you probably were not hacked. I can’t speak for anyone else but I know I get several anonymous inbound calls a week, generally to weird destinations, from weird sources. Usually they’re trying to find a misconfigured PBX that will dial the call for them. (Hint: putting a trunk into the “from-internal” context in FreePBX would constitute a majorly misconfigured PBX that might allow a SIP scanner to make some calls at your expense.)

If I thought I was hacked, I’d connect to the asterisk box and monitor live asterisk connections. If YOU are not making or receiving any calls and it still shows activity (other than connecting to the itsp provider), then that may be an issue. I would also move ssh to some port other than 22; change all passwords, since this only takes a few minutes; read up on devicesandusers as opposed to extensions; call your ISP and see if they can check the activity logs for any activity like that (they may not be able to a) tell you that or b) track it, but it’s a start).

And I hope this goes without saying but retract any post or blog that publishes your asterisk box information.
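The reply above draws a line between harmless anonymous-SIP hits that dead-end in the “s” extension and the dangerous case where an unauthenticated source gets into from-internal and out through a trunk. Below is an added example (mine, not code from the original thread or from the FreePBX project) that applies that distinction to Asterisk CDR records in the cdr-csv Master.csv layout. The sample records are constructed, not real traffic; the first two mirror the “s” lines in the original post, the third is a normal extension call, and the fourth is the toll-fraud pattern. It assumes chan_sip names a channel after the authenticated peer and after the remote IP when the INVITE matched no peer, and the extension and trunk names (201, 202, itsp) are placeholders.

```python
"""Triage Asterisk CDR records: anonymous hits that dead-end in 's' are
classified as scanner noise, while an unauthenticated source that reaches
a trunk (or enters from-internal) is flagged as possible toll fraud.
Reads the cdr-csv Master.csv column layout."""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Column order of Asterisk's cdr-csv Master.csv (17 fields).
FIELDS = ("accountcode src dst dcontext clid channel dstchannel lastapp lastdata "
          "start answer end duration billsec disposition amaflags uniqueid").split()

# Constructed sample records (not real traffic). Records 1-2 are the 's' hits
# from the post; record 3 is extension 201 calling out; record 4 is an
# IP-named (unauthenticated) channel that reached the trunk via from-internal.
SAMPLE_CDR = '''\
"","asterisk","s","from-sip-external","""asterisk"" <asterisk>","SIP/194.28.0.1-00000001","","Playback","ss-noservice","2011-01-27 18:17:21","2011-01-27 18:17:21","2011-01-27 18:17:34",13,13,"ANSWERED",3,"1296151041.1"
"","test","s","from-sip-external","""test"" <test>","SIP/66.232.0.1-00000002","","Congestion","","2011-01-27 18:02:27","2011-01-27 18:02:27","2011-01-27 18:02:28",1,1,"ANSWERED",3,"1296150147.2"
"","201","0123456789","from-internal","""Jarle"" <201>","SIP/201-00000003","SIP/itsp-00000004","Dial","SIP/itsp/0123456789,300,T","2011-01-27 19:00:00","2011-01-27 19:00:05","2011-01-27 19:02:05",125,120,"ANSWERED",3,"1296154800.3"
"","100","900123456789","from-internal","""100"" <100>","SIP/203.0.113.7-00000005","SIP/itsp-00000006","Dial","SIP/itsp/900123456789,300,T","2011-01-27 03:12:00","2011-01-27 03:12:04","2011-01-27 03:40:04",1684,1680,"ANSWERED",3,"1296097920.5"
'''

# chan_sip channel names look like SIP/<peer>-<8 hex digits>.
CHANNEL_RE = re.compile(r"^SIP/([^-]+)-[0-9a-f]+$")


@dataclass
class Finding:
    uniqueid: str
    severity: str  # "info" | "warn" | "alert"
    reason: str


def peer_of(channel: str) -> Optional[str]:
    """Return the peer name embedded in a chan_sip channel name, or None."""
    m = CHANNEL_RE.match(channel)
    return m.group(1) if m else None


def looks_like_ip(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def triage(rec: dict, known_peers: Set[str], trunks: Set[str]) -> Finding:
    """Classify one CDR record (dict keyed by FIELDS)."""
    peer = peer_of(rec["channel"])
    # Assumption: chan_sip names the channel after the authenticated peer, and
    # after the remote IP when the INVITE matched no peer (guest/anonymous).
    unauthenticated = peer is None or looks_like_ip(peer) or peer not in known_peers
    uid = rec["uniqueid"]
    if not unauthenticated:
        return Finding(uid, "info", f"call from known peer {peer}")
    reached_trunk = any(rec["dstchannel"].startswith(f"SIP/{t}-") for t in trunks)
    if reached_trunk or rec["dcontext"] == "from-internal":
        # The trunk-in-from-internal misconfiguration: a guest dialled out on your account.
        return Finding(uid, "alert",
                       f"unauthenticated source {peer} entered {rec['dcontext']} and dialled "
                       f"{rec['dst']} ({rec['billsec']}s billed) - possible toll fraud")
    if rec["dst"] == "s" and not rec["dstchannel"]:
        # Landed in a catch-all 's' context with no outbound leg: scanner noise.
        return Finding(uid, "warn",
                       f"anonymous hit from {peer} dead-ended in 's' via {rec['lastapp']} - scanner noise")
    return Finding(uid, "warn",
                   f"anonymous call from {peer} to {rec['dst']} in {rec['dcontext']} - review")


def triage_cdr(text: str, known_peers: Set[str], trunks: Set[str]) -> List[Finding]:
    """Parse Master.csv text and triage every complete record."""
    rows = csv.reader(io.StringIO(text))
    return [triage(dict(zip(FIELDS, row)), known_peers, trunks)
            for row in rows if len(row) == len(FIELDS)]


if __name__ == "__main__":
    # Placeholder peer names: extensions 201/202 and a trunk called itsp.
    for f in triage_cdr(SAMPLE_CDR, {"201", "202", "itsp"}, {"itsp"}):
        print(f.severity.upper(), f.uniqueid, f.reason)
```

Run it against `/var/log/asterisk/cdr-csv/Master.csv` with your own extension and trunk names; anything rated alert is the case the reply warns about, while the warn lines are the anonymous hits the original poster saw. Trunk peers belong in `known_peers` too, otherwise legitimate inbound DID calls from the provider would be flagged.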