Hacker? Please have a look at the short log

Shandley · April 28, 2022, 4:54pm

I think I have a hacker but not sure how to go about it.

I was watching the log and it has this instance in it every minute or so:

> 
>   == Using SIP RTP TOS bits 184
>   == Using SIP RTP CoS mark 5
>     -- Executing [009441519471676@from-sip-external:1] NoOp("SIP/110.12.65.33-00000021", "Received incoming SIP connection from unknown peer to 009441519471676") in new stack
>     -- Executing [009441519471676@from-sip-external:2] Set("SIP/110.12.65.33-00000021", "DID=009441519471676") in new stack
>     -- Executing [009441519471676@from-sip-external:3] Goto("SIP/110.12.65.33-00000021", "s,1") in new stack
>     -- Goto (from-sip-external,s,1)
>     -- Executing [s@from-sip-external:1] GotoIf("SIP/110.12.65.33-00000021", "0?checklang:noanonymous") in new stack
>     -- Goto (from-sip-external,s,5)
>     -- Executing [s@from-sip-external:5] Set("SIP/110.12.65.33-00000021", "TIMEOUT(absolute)=15") in new stack
> Channel will hangup at 2022-04-28 09:41:30.703 PDT.
>     -- Executing [s@from-sip-external:6] Answer("SIP/110.12.65.33-00000021", "") in new stack
>     -- Executing [s@from-sip-external:7] Wait("SIP/110.12.65.33-00000021", "2") in new stack
>     -- Executing [s@from-sip-external:8] Playback("SIP/110.12.65.33-00000021", "ss-noservice") in new stack
>     -- <SIP/110.12.65.33-00000021> Playing 'ss-noservice.ulaw' (language 'en')
>        > doing dnsmgr_lookup for 'norland.sip.telifon.com'
>     -- Executing [s@from-sip-external:9] PlayTones("SIP/110.12.65.33-00000021", "congestion") in new stack
>     -- Executing [s@from-sip-external:10] Congestion("SIP/110.12.65.33-00000021", "5") in new stack
>   == Spawn extension (from-sip-external, s, 10) exited non-zero on 'SIP/110.12.65.33-00000021'
>     -- Executing [h@from-sip-external:1] Hangup("SIP/110.12.65.33-00000021", "") in new stack
>   == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/110.12.65.33-00000021'
> [2022-04-28 09:41:47] WARNING[3098]: chan_sip.c:3641 retrans_pkt: Retransmission timeout reached on transmission 1450415242-1051076709-666283442 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
> Packet timed out after 32000ms with no response

I jumped on chanspy and I hear:
"SIP 70" (my parking lot extension). The number you have dialed is not in service. Please check the number and try again," then the beeping

I am 99.9% sure that one of our extensions is doing this. I only have 4 local sip phones, 2 remote sip phones, and 2 copper line phones. All but the remote phones are in reach. The 2 remote phones are at home and my wife says no activity as far as she can tell.

The sip extension "SIP/110.12.65.33-00000021 seems to climb 1 number every time it tries.
IE: 27,28,29,2a,2b,2c,2d,2e,2f

PLEASE NOTE: I changed the IP address (110.12.65.33) and user to my sip trunk (norland) for my security

lgaetz · April 28, 2022, 4:57pm

You have allow guests enabled in Asterisk SIP Settings and you are allowing untrusted access to the chan_sip signaling port, which will result in these types of calls. Suggest you disable guests and if possible lock down your firewall to trusted source IPs.

Shandley · April 28, 2022, 5:00pm

Thank you!
I’m 99% sure I had guests disabled in the SIP settings before. You are right.
I will have to play with the firewall.
I suppose I will have to change my admin passwords as well in the event they changed the guest setting that way.
Thanks again, especially for the lightning fast response. I am always open to suggestions if you have any followup

lgaetz · April 28, 2022, 5:04pm

Based only on what’s provided above, there is no exploit here. This is analogous to a stranger ringing the doorbell not jimmying the lock.

Shandley · April 28, 2022, 5:16pm

Thanks again. I am now getting this every minute. We do not have an extension of 200:

> [2022-04-28 10:14:00] NOTICE[3098]: chan_sip.c:22566 handle_request_invite: Sending fake auth rejection for device <sip:[email protected]>;tag=1555105607
> [2022-04-28 10:14:00] NOTICE[3098]: chan_sip.c:22566 handle_request_invite: Sending fake auth rejection for device <sip:[email protected]>;tag=1555105607
>        > doing dnsmgr_lookup for 'norland.sip.telifon.com'
>        > doing dnsmgr_lookup for 'norland.sip.telifon.com'

system · May 29, 2022, 5:17pm

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.