How to investigate a security breach?

Hi all,

After our trunk supplier informed me that lots of bogus numbers around the world had been called from our line, I started investigating. In /var/log/asterisk/fail2ban I see many messages like this:

[2021-06-06 18:01:03] SECURITY[1188] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2021-06-06T18:01:03.174-0400",Severity="Informational",Service="SIP",EventVersion="1",AccountID="90013607353700",SessionID="0x7f32dc89c8f0",LocalAddress="IPV4/UDP/185.56.136.163/5060",RemoteAddress="IPV4/UDP/185.209.178.28/10654",UsingPassword="1"

The way I read this is that some user 90013607353700 has successfully logged into our system via SIP, right? Now the problem is that I don't find any trace of that user anywhere. I went through all config files as well as the MySQL database and there's nothing.

How exactly does the authentication mechanism work and where else can I look?

Thanks in advance!
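As an added example that is not part of the original thread or of Asterisk itself: a small Python script that parses res_security_log lines like the one quoted above, tolerates the curly quotes the forum rendering introduced, aggregates SuccessfulAuth and failed-authentication events per AccountID and remote IP, and flags any AccountID that is not in a list of the accounts you actually configured. The sample log lines (documentation-range IPs, made-up account IDs), the known-account set and the helper names are constructed for this example.

```python
"""Summarize Asterisk res_security_log events by AccountID and remote IP.

Added example for the thread above; not code from Asterisk or the poster.
"""
import re
import sys
from collections import Counter

# Constructed sample lines in the res_security_log.c format quoted in the post.
# IPs are from documentation ranges and the account IDs are made up.
SAMPLE_LOG = """\
[2021-06-06 18:01:03] SECURITY[1188] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2021-06-06T18:01:03.174-0400",Severity="Informational",Service="SIP",EventVersion="1",AccountID="90013607353700",SessionID="0x7f32dc89c8f0",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.28/10654",UsingPassword="1"
[2021-06-06 18:01:09] SECURITY[1188] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2021-06-06T18:01:09.001-0400",Severity="Informational",Service="SIP",EventVersion="1",AccountID="90013607353700",SessionID="0x7f32dc89d000",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.28/10655",UsingPassword="1"
[2021-06-06 18:02:41] SECURITY[1188] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2021-06-06T18:02:41.500-0400",Severity="Informational",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f32dc89e100",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/10.0.0.15/5060",UsingPassword="1"
[2021-06-06 18:03:12] SECURITY[1188] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2021-06-06T18:03:12.020-0400",Severity="Error",Service="SIP",EventVersion="2",AccountID="1002",SessionID="0x7f32dc89f200",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.28/10660",UsingPassword="1",Challenge="1a2b3c4d",ReceivedChallenge="1a2b3c4d",ReceivedHash="deadbeef"
"""

# The forum rendering turned some straight quotes into curly ones; normalise first.
_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})
_FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Security event names that mean a rejected authentication attempt.
FAILED_AUTH_EVENTS = {"InvalidPassword", "InvalidAccountID", "ChallengeResponseFailed"}


def parse_security_line(line):
    """Return the event's key/value fields as a dict, or None for non-security lines."""
    line = line.translate(_QUOTES)
    _prefix, sep, payload = line.partition("res_security_log.c: ")
    if not sep:
        return None
    fields = dict(_FIELD_RE.findall(payload))
    return fields if "SecurityEvent" in fields else None


def remote_ip(fields):
    """RemoteAddress looks like IPV4/UDP/198.51.100.28/10654; return just the address."""
    parts = fields.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) >= 3 else None


def summarize(log_text, known_accounts):
    """Count successes and failures per (AccountID, remote IP); collect unknown AccountIDs."""
    successes = Counter()
    failures = Counter()
    unknown = set()
    for line in log_text.splitlines():
        ev = parse_security_line(line)
        if ev is None:
            continue
        key = (ev.get("AccountID"), remote_ip(ev))
        if ev["SecurityEvent"] == "SuccessfulAuth":
            successes[key] += 1
            if key[0] not in known_accounts:
                unknown.add(key[0])
        elif ev["SecurityEvent"] in FAILED_AUTH_EVENTS:
            failures[key] += 1
    return {"successful_auth": successes, "failed_auth": failures, "unknown_accounts": unknown}


def report(summary):
    """Render the summary, marking successful logins by accounts you never configured."""
    lines = []
    for (acct, ip), n in summary["successful_auth"].most_common():
        flag = "  <-- not a configured account" if acct in summary["unknown_accounts"] else ""
        lines.append(f"SuccessfulAuth x{n:<4} AccountID={acct} from {ip}{flag}")
    for (acct, ip), n in summary["failed_auth"].most_common():
        lines.append(f"failed auth    x{n:<4} AccountID={acct} from {ip}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Reads the log from stdin if piped in; otherwise runs on the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    known = {"1001", "1002"}  # constructed; replace with the accounts you actually configured
    print(report(summarize(text, known)))
```

Pipe the real file in (`python3 secsummary.py < /var/log/asterisk/fail2ban`) and fill `known` from what Asterisk actually has loaded (`sip show users` for chan_sip, `pjsip list endpoints` for PJSIP) rather than from grepping config files. An AccountID that authenticates successfully but matches nothing configured is the thing to chase next: with chan_sip, check `allowguest` in the `[general]` section and any peer with `insecure=invite`, since both let a call in without a matching configured account.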

Did you do the basics and look at the CDRs to see which account actually is making calls?
