Is this someone hacking my PBX or is this normal?

Hi there, please can you help me? I get these messages all the time and am just really concerned it's someone or something hacking the PBX.

[2018-09-18 13:40:02] SECURITY[2857] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-09-18T13:40:02.023+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x33772f0",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/48666",UsingPassword="0",SessionTV="2018-09-18T13:40:02.023+0000"
[2018-09-18 13:40:24] SECURITY[2857] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-09-18T13:40:24.685+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7faea0043fe0",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/48670",UsingPassword="0",SessionTV="2018-09-18T13:40:24.685+0000"
[2018-09-18 13:41:00] SECURITY[2857] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-09-18T13:41:00.058+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7faeac4a1370",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/48674",UsingPassword="0",SessionTV="2018-09-18T13:41:00.058+0000"
[2018-09-18 13:41:02] SECURITY[2857] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-09-18T13:41:02.008+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7faea8003750",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/48678",UsingPassword="0",SessionTV="2018-09-18T13:41:02.008+0000"
[2018-09-18 13:41:02] SECURITY[2857] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-09-18T13:41:02.014+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7faeb4392ba0",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/48682",UsingPassword="0",SessionTV="2018-09-18T13:41:02.014+0000"
[2018-09-18 13:41:02] SECURITY[2857] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-09-18T13:41:02.026+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7faeb0c52f60",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/48686",UsingPassword="0",SessionTV="2018-09-18T13:41:02.026+0000"
[2018-09-18 13:41:35] SECURITY[2857] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-09-18T13:41:35.417+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7faebc173cf0",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/48690",UsingPassword="0",SessionTV="2018-09-18T13:41:35.417+0000"
[2018-09-18 13:42:01] SECURITY[2857] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-09-18T13:42:01.929+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7faeb8bb0920",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/48694",UsingPassword="0",SessionTV="2018-09-18T13:42:01.929+0000"
[2018-09-18 13:42:01] SECURITY[2857] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-09-18T13:42:01.968+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x33772f0",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/48702",UsingPassword="0",SessionTV="2018-09-18T13:42:01.968+0000"
[2018-09-18 13:42:01] SECURITY[2857] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-09-18T13:42:01.976+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7faec002a290",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/48698",UsingPassword="0",SessionTV="2018-09-18T13:42:01.976+0000"
[2018-09-18 13:42:10] SECURITY[2857] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-09-18T13:42:10.756+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7faea0043fe0",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/48706",UsingPassword="0",SessionTV="2018-09-18T13:42:10.756+0000"
[2018-09-18 13:42:46] SECURITY[2857] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-09-18T13:42:46.107+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7faeac4a1370",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/48710",UsingPassword="0",SessionTV="2018-09-18T13:42:46.107+0000"
[2018-09-18 13:43:01] SECURITY[2857] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-09-18T13:43:01.840+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7faea8003750",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/48714",UsingPassword="0",SessionTV="2018-09-18T13:43:01.840+0000"
[2018-09-18 13:43:01] SECURITY[2857] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-09-18T13:43:01.861+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7faeb4392ba0",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/48718",UsingPassword="0",SessionTV="2018-09-18T13:43:01.861+0000"
[2018-09-18 13:43:01] SECURITY[2857] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-09-18T13:43:01.884+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7faeb0c52f60",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/48722",UsingPassword="0",SessionTV="2018-09-18T13:43:01.884+0000"

It looks like something is authenticating with the Asterisk Manager Interface (AMI). Are you using fop2 or another add-on? It looks to me like the attempts are successful, so if this was malicious my guess is that it would be too late, and that you would have already seen signs of a breach. Assuming you haven’t, then you’re probably OK.

Clues:

Coming from the local host …

… Successfully …

… logging into AMI …

… as the “Admin” user …

… to the AMI Interface.

This is all normal. These are probably your GUI updater logging in and updating the objects on the GUI screen.

4 Likes
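The clues listed in the replies above (AMI service, successful auth, loopback source) can be checked mechanically across a whole log. The script below is an added example, not part of the original thread: its sample lines are constructed, and its rule of flagging any AMI event that is non-loopback or not a `SuccessfulAuth` is an assumption of this example.

```python
import ipaddress
import re
from collections import Counter

# Key="Value" pairs; also accepts the curly quotes forum software substitutes.
PAIR = re.compile(r'(\w+)=["“”]([^"“”]*)["“”]')

# Constructed sample lines in the res_security_log.c format (not from a real system).
SAMPLE = '''\
[2018-09-18 13:40:02] SECURITY[2857] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-09-18T13:40:02.023+0000",Service="AMI",AccountID="admin",RemoteAddress="IPV4/TCP/127.0.0.1/48666"
[2018-09-18 13:40:24] SECURITY[2857] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-09-18T13:40:24.685+0000",Service="AMI",AccountID="admin",RemoteAddress="IPV4/TCP/127.0.0.1/48670"
[2018-09-18 13:40:30] VERBOSE[2857] constructed non-security line, skipped by the parser
[2018-09-18 13:41:10] SECURITY[2857] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-09-18T13:41:10.100+0000",Service="AMI",AccountID="admin",RemoteAddress="IPV4/TCP/203.0.113.7/51234"
[2018-09-18 13:41:12] SECURITY[2857] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2018-09-18T13:41:12.400+0000",Service="AMI",AccountID="admin",RemoteAddress="IPV4/TCP/198.51.100.23/40022"
'''

def parse(line):
    """Return the event fields as a dict, or None for non-security lines."""
    if "SecurityEvent=" not in line:
        return None
    return dict(PAIR.findall(line))

def remote_ip(event):
    # RemoteAddress has the form IPV4/TCP/<address>/<port>
    return ipaddress.ip_address(event["RemoteAddress"].split("/")[2])

def triage(text):
    """Count AMI events per (event, account, origin); list the ones to review."""
    counts, review = Counter(), []
    for line in text.splitlines():
        ev = parse(line)
        if not ev or ev.get("Service") != "AMI":
            continue
        ip = remote_ip(ev)
        origin = "loopback" if ip.is_loopback else "remote"
        name, account = ev["SecurityEvent"], ev.get("AccountID", "?")
        counts[(name, account, origin)] += 1
        # Assumed rule: loopback successes are the GUI's own logins; review the rest.
        if origin == "remote" or name != "SuccessfulAuth":
            review.append((ev.get("EventTV"), name, account, str(ip)))
    return counts, review

if __name__ == "__main__":
    counts, review = triage(SAMPLE)
    for key, n in counts.items():
        print(n, *key)
    print("review:", review)
```

On a log like the one posted in the question, every event falls into the `SuccessfulAuth / admin / loopback` bucket and the review list stays empty.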
