How to investigate a security breach?


(Mmgg) #1

Hi all,

after our trunk supplier informed me that lots of bogus numbers around the world had been called from our line I started investigating. in /var/log/asterisk/fail2ban I see many messages like this:

[2021-06-06 18:01:03] SECURITY[1188] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2021-06-06T18:01:03.174-0400",Severity=“Informational”,Service=“SIP”,EventVersion=“1”,AccountID=“90013607353700",SessionID=“0x7f32dc89c8f0”,LocalAddress=“IPV4/UDP/185.56.136.163/5060",RemoteAddress=“IPV4/UDP/185.209.178.28/10654”,UsingPassword=“1"

The way I read this is that some user 90013607353700 has successfully logged into our system via SIP, right? Now the problem is that I don find any trace of that user anywhere. I went through all config files as well as the MySQL database and there’s nothing.

How exactly does the authentication mechanism work and where else can I look?

Thanks in advance!


(Tom Ray) #2

Did you do the basics and look at the CDRs to see which account actually is making calls?


(system) closed #3

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.