After our trunk supplier informed me that lots of bogus numbers around the world had been called from our line, I started investigating. In /var/log/asterisk/fail2ban I see many messages like this:
[2021-06-06 18:01:03] SECURITY res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2021-06-06T18:01:03.174-0400",Severity="Informational",Service="SIP",EventVersion="1",AccountID="90013607353700",SessionID="0x7f32dc89c8f0",LocalAddress="IPV4/UDP/184.108.40.206/5060",RemoteAddress="IPV4/UDP/220.127.116.11/10654",UsingPassword="1"
The way I read this is that some user 90013607353700 has successfully logged into our system via SIP, right? Now the problem is that I don't find any trace of that user anywhere. I went through all config files as well as the MySQL database and there's nothing.
How exactly does the authentication mechanism work and where else can I look?
Thanks in advance!
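
An added example, not part of the original post: a Python script that parses security-log lines in the format quoted above and counts `SuccessfulAuth` events whose `AccountID` is not among the configured accounts, grouped by remote address. The `KNOWN` set, the `_sample` helper and the sample lines are constructed for illustration; only the field names and the account ID come from the quoted log line.

```python
import re
from collections import Counter

# key="value" pairs; typographic quotes are accepted too, because forum
# software often rewrites the quotes in pasted log lines.
PAIR = re.compile(r'(\w+)=["“”]([^"“”]*)["“”]')

def parse_event(line):
    """Return the fields of a res_security_log line as a dict, or None."""
    if "SecurityEvent=" not in line:
        return None
    return dict(PAIR.findall(line))

def remote_ip(event):
    """Host part of RemoteAddress, which is family/transport/host/port."""
    parts = event.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) >= 4 else ""

def unknown_auths(lines, known_accounts):
    """Count SuccessfulAuth events whose AccountID is not a known account."""
    hits = Counter()
    for line in lines:
        ev = parse_event(line)
        if not ev or ev.get("SecurityEvent") != "SuccessfulAuth":
            continue
        if ev.get("AccountID") not in known_accounts:
            hits[(ev.get("AccountID"), remote_ip(ev))] += 1
    return hits

def _sample(event, account, remote):
    """Build a constructed log line (hypothetical helper, sample data only)."""
    return (f'[2021-06-06 18:01:03] SECURITY res_security_log.c: '
            f'SecurityEvent="{event}",Service="SIP",AccountID="{account}",'
            f'RemoteAddress="IPV4/UDP/{remote}/10654",UsingPassword="1"')

# Constructed sample input; addresses are from the documentation ranges.
SAMPLE = [
    _sample("SuccessfulAuth", "1001", "198.51.100.7"),
    _sample("SuccessfulAuth", "90013607353700", "203.0.113.50"),
    _sample("ChallengeSent", "90013607353700", "203.0.113.50"),
    _sample("SuccessfulAuth", "90013607353700", "203.0.113.50"),
    "[2021-06-06 18:01:04] NOTICE chan_sip.c: unrelated line",
]
KNOWN = {"1001", "1002"}  # assumption: the extensions actually configured

if __name__ == "__main__":
    for (account, ip), n in unknown_auths(SAMPLE, KNOWN).most_common():
        print(f"{n:3d}  account={account}  from={ip}")
```

To use it on a real system, replace `SAMPLE` with the lines of the log file and `KNOWN` with the accounts defined in the configuration and database.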