Is my server hacked?

FreePBX Security
1

hi there, today i received this message in the FULL log file, do i need to worry about this.

[2021-10-10 09:47:27] ERROR[11606] pjproject: sip_transport.c Error processing 1218 bytes packet from UDP 92.42.109.98:8739 : PJSIP syntax error exception when parsing ‘Contact’ header on line 4 col 24: PJSIP syntax error exception when parsing ‘From’ header on line 6 col 21:
53 INVITE sip:900390237920793@myserverip:5080 SIP/2.0
54 Via: SIP/2.0/UDP 92.42.109.98:8739;branch=z9hG4bK2f6f7ce6-790e-8127-v14oh85997u9hm4i;rport
55 Max-Forwards: 70
56 Contact: sip:P@[email protected]:8739
57 To: sip:900390237920793@myserverip:5080
58 From: sip:P@[email protected]:8739;tag=apkle0n3vwy9jg8n
59 Call-ID: rrQMOGk0HrpIbKUwRNEfRMCy8DlHwAbof2OBvE3l
60 CSeq: 1 INVITE
61 User-Agent: Cisco-SIPGateway/IOS-12.x
62 Content-Type: application/sdp
63 Content-Length: 739
64
65 v=0
66 o=- 1551542923 1551542924 IN IP4 92.42.109.98
67 s=cisco-sipgateway/ios-12x
68 c=IN IP4 92.42.109.98
69 t=0 0
70 m=audio 20002 RTP/AVP 9 104 98 3 8 0 101 97 100 108 15 4 105 106 107 103 103 103 18
71 a=rtpmap:9 G722/8000
72 a=fmtp:9 bitrate=64000
73 a=rtpmap:104 G726-16/8000
74 a=rtpmap:98 iLBC/8000
75 a=fmtp:98 mode=20
76 a=rtpmap:3 GSM/8000
77 a=rtpmap:8 PCMA/8000
78 a=rtpmap:0 PCMU/8000
79 a=rtpmap:101 telephone-event/8000
80 a=rtpmap:97 SPEEX/8000
81 a=rtpmap:100 SPEEX/16000
82 a=rtpmap:108 SPEEX/32000
83 a=rtpmap:15 G728/8000
84 a=rtpmap:4 G723/8000
85 a=rtpmap:105 G726-24/8000
86 a=rtpmap:106 G726-32/8000
87 a=rtpmap:107 G726-40/8000
88 a=rtpmap:103 L16/8000
89 a=rtpmap:103 L16/44000
90 a=rtpmap:103 L16/44000
91 a=rtpmap:18 G729/8000
92 a=fmtp:18 annexb=no
93 a=sendrecv
94
95 – end of packet.

2

This is most likely an attempted attack, conceivably a misconfiguration of someone’s server; see
https://whois.domaintools.com/92.42.109.98
Palestine is a common source of attacks.
The error was related to pjsip not accepting an @ in the user field of the Contact header.

Depending on whether you have external extensions, etc., you could block SIP from unknown addresses with FreePBX firewall and/or your hardware firewall. Otherwise, you shouldn’t get many of these if the attacker got blocked by fail2ban.

1 Like
3

i dont have many of these attack, can i block ip with /24 on the BLACKLIST TAB or its just with single ip that i can add, thanks

4

You should only use blacklists to the extent that it is not possible to white list.

5

i am thinking to block all of the country except usa, that way i might be more secure, what do you think

6

Sure you can. But you should notice that the country of origin of an IP address isn’t necessarily the same country the attack comes from. Depending on the routing you could also block yourself with that.

8

Are you listening on UDP/5000-5999 to the world?

5080 is the ‘standard port’ for FreeSwitch so comes quite high on the lisy of low-hanging ports.

9

What does that even mean? You care to provide some context with that statement?

10

If that is a scanner/hacker it’s the stupidest one I have seen.

You don’t need an SDP with 19 codec offers just to probe a system.

Nor would you try to scan with a malformed contact header.

Are you sure it’s not one of your own users/devices misconfigured?

11

yes 5080

12

Why did you choose 5080 ? it is a ‘well known port’ for SIP penetration

13

yes i am sure that is not my user

14

well i dont know i wasnt sure what number to choose

16

I’m not sure how a hack that was specific to Exchange servers focusing on stealing email and that has had a fix for 7 months is related to this.

17

Did you read the article??

“In each incident, the intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers.”

18

Hard to be empirical, but over the years I have seen +99.9% probes coming in from UDP/5000-5099 . That leaves you over 60000 more choices and at least two other protocols, choose wisely and you will get significantly less noise. Add a port scan and port flood rule to your iptables against that chosen port and you will feel like the Maytag repairman :slight_smile:

1 Like
19

The fact I cited information from that article, yes I did. So now they hacked Exchange servers and setup SIP clients on them?

More likely this is some script kiddie running Kali linux and sipp trying to probe SIP servers.

20

i thought maybe it doesn’t matter because hackers scans all ports 65535, but i will plan to change that port to 5 digit instead of 5080

21

If your firewall allows any IP to scan 65000 ports or anynumber of IP’s to scan any one port that you use more than a few per second without doing something about it, I would suggest your firewall is pretty lame.

1 Like
22

Little surprised we’re having this discussion. The idea is you employ other people’s servers in the U.S. to run attack scripts targeting VoIP servers elsewhere, NOT on the Exchange server. I was simply giving you one of many examples of compromised U.S. IP addresses. Perhaps you’ve heard of Solarwinds?