Mystery activity in CDR logs

Checking in on the CDR reports from time to time, I find a lot of unexplainable activity that seems to come in bursts from time to time.

Is this something to worry about? See below:


Call Date Recording System Src Chan. Source DID App. Dest. Dst. Chan. Disposition Duration Userfield Account
2012-10-05 23:19:08 1349500748.2459 SIP 100 Wait s ANSWERED 00:02
2012-10-05 23:19:07 1349500747.2458 SIP 100 Wait s ANSWERED 00:01
2012-10-05 23:19:06 1349500746.2457 SIP 100 Wait s ANSWERED 00:01
2012-10-05 23:19:04 1349500744.2456 SIP 100 Answer s ANSWERED 00:01
2012-10-05 23:19:03 1349500743.2455 SIP 100 Wait s ANSWERED 00:00
2012-10-05 23:19:01 1349500741.2454 SIP 100 Wait s ANSWERED 00:01
2012-10-05 23:19:00 1349500740.2453 SIP 100 Answer s ANSWERED 00:00
2012-10-05 23:18:59 1349500739.2452 SIP 100 Answer s ANSWERED 00:00
2012-10-05 22:58:08 1349499488.2451 SIP 101 Wait s ANSWERED 00:00
2012-10-05 22:58:06 1349499486.2450 SIP 101 Wait s ANSWERED 00:01
2012-10-05 22:58:05 1349499485.2449 SIP 101 Wait s ANSWERED 00:00
2012-10-05 22:58:03 1349499483.2448 SIP 101 Answer s ANSWERED 00:01
2012-10-05 22:58:02 1349499482.2447 SIP 101 Wait s ANSWERED 00:00
2012-10-05 22:58:00 1349499480.2446 SIP 101 Wait s ANSWERED 00:00
2012-10-05 22:57:58 1349499478.2445 SIP 101 Wait s ANSWERED 00:01
2012-10-05 22:57:57 1349499477.2444 SIP 101 Answer s ANSWERED 00:00
2012-10-05 22:57:55 1349499475.2443 SIP 101 Answer s ANSWERED 00:01
2012-10-05 22:57:54 1349499474.2442 SIP 101 Answer s ANSWERED 00:01
2012-10-05 22:57:53 1349499473.2441 SIP 101 Answer s ANSWERED 00:00
2012-10-05 22:57:50 1349499470.2440 SIP 101 Wait s ANSWERED 00:01
2012-10-05 22:57:49 1349499469.2439 SIP 101 Wait s ANSWERED 00:01
2012-10-05 22:57:48 1349499468.2438 SIP 101 Answer s ANSWERED 00:00
2012-10-05 22:57:46 1349499466.2437 SIP 101 Answer s ANSWERED 00:01
2012-10-05 22:57:45 1349499465.2436 SIP 101 Wait s ANSWERED 00:00
2012-10-05 17:53:05 1349481185.2435 SIP 1001 Answer s ANSWERED 00:01
2012-10-05 17:53:03 1349481183.2434 SIP 1001 Answer s ANSWERED 00:01
2012-10-05 17:53:02 1349481182.2433 SIP 1001 Answer s ANSWERED 00:00
2012-10-05 17:53:00 1349481180.2432 SIP 1001 Wait s ANSWERED 00:01
2012-10-05 17:52:59 1349481179.2431 SIP 1001 Wait s ANSWERED 00:00
2012-10-05 17:52:56 1349481176.2430 SIP 1001 Wait s ANSWERED 00:01
2012-10-05 17:52:55 1349481175.2429 SIP 1001 Answer s ANSWERED 00:00
2012-10-05 17:52:53 1349481173.2428 SIP 1001 Wait s ANSWERED 00:00
2012-10-05 17:52:52 1349481172.2427 SIP 1001 Answer s ANSWERED 00:00
2012-10-05 17:52:50 1349481170.2426 SIP 1001 Wait s ANSWERED 00:01
2012-10-05 17:52:49 1349481169.2425 SIP 1001 Answer s ANSWERED 00:00
2012-10-05 17:52:47 1349481167.2424 SIP 1001 Wait s ANSWERED 00:01
2012-10-05 17:52:20 1349481140.2423 SIP 1001 Wait s ANSWERED 00:01
2012-10-05 17:52:19 1349481139.2422 SIP 1001 Wait s ANSWERED 00:00
2012-10-05 17:52:18 1349481138.2421 SIP 1001 Answer s ANSWERED 00:00

Yes, you have been compromised, probably a password issue with 100, 101 and 1001, which always attracts attention.

Check more fully in /var/log/asterisk/full as to who is doing that and start applying basic security to your system.

The odd thing is that those users do not exist on the system…

Then, unless you allow anonymous connections, they should not give an answer.

There are many posts around as to how to secure your system; I suggest we all need to do that. A firewall is your first line of defense.

I am seeing the same in my CDR. The PBX is secure, no allow anon. It's weird; they do not seem to be calls.

2012-12-11 20:26:57 1355286417.168 SIP 1001 Answer s ANSWERED 00:00
2012-12-11 20:26:57 1355286417.167 SIP 101 Wait s ANSWERED 00:00
2012-12-11 20:26:56 1355286416.166 SIP 1001 Answer s ANSWERED 00:00
2012-12-11 20:26:55 1355286415.165 SIP 101 Answer s ANSWERED 00:01
2012-12-11 20:26:54 1355286414.164 SIP 1001 Answer s ANSWERED 00:01
2012-12-11 20:26:54 1355286414.163 SIP 101 Answer s ANSWERED 00:00
2012-12-11 20:26:53 1355286413.162 SIP 1001 Wait s ANSWERED 00:00
2012-12-11 20:26:52 1355286412.161 SIP 101 Answer s ANSWERED 00:01
2012-12-11 20:26:51 1355286411.160 SIP 101 Wait s ANSWERED 00:01
2012-12-11 20:26:51 1355286411.159 SIP 1001 Wait s ANSWERED 00:00
2012-12-11 20:26:50 1355286410.158 SIP 101 Answer s ANSWERED 00:00
2012-12-11 20:26:49 1355286409.157 SIP 1001 Answer s ANSWERED 00:01
2012-12-11 20:26:48 1355286408.155 SIP 101 Wait s ANSWERED 00:00
2012-12-11 20:26:48 1355286408.156 SIP 1001 Wait s ANSWERED 00:00
2012-12-11 20:26:46 1355286406.154 SIP 101 Answer s ANSWERED 00:01
2012-12-11 20:26:46 1355286406.153 SIP 1001 Answer s ANSWERED 00:01
2012-12-11 20:26:45 1355286405.152 SIP 1001 Answer s ANSWERED 00:00
2012-12-11 20:26:44 1355286404.151 SIP 101 Answer s ANSWERED 00:01
2012-12-11 20:26:43 1355286403.150 SIP 1001 Answer s ANSWERED 00:01
2012-12-11 20:26:43 1355286403.149 SIP 101 Answer s ANSWERED 00:00
2012-12-11 20:26:42 1355286402.148 SIP 1001 Answer s ANSWERED 00:00
2012-12-11 20:26:42 1355286402.147 SIP 101 Answer s ANSWERED 00:00
2012-12-11 20:26:40 1355286400.144 SIP 101 Congestion s ANSWERED 00:13
2012-12-11 20:26:40 1355286400.146 SIP 101 Answer s ANSWERED 00:01
2012-12-11 20:26:40 1355286400.145 SIP 1001 Answer s ANSWERED 00:01
2012-12-11 20:26:39 1355286399.143 SIP 1001 Answer s ANSWERED 00:00
2012-12-11 20:26:38 1355286398.142 SIP 101 Wait s ANSWERED 00:00

If I had to guess, I’d guess that these are intrusion attempts, where someone is attempting to send calls to [email protected] and then to [email protected], and so on. But, it also could be a bug.

Do you have your system exposed to the internet?
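One way to triage an export like the ones quoted in this thread for exactly that burst pattern (many near-zero-length ANSWERED calls landing on the "s" extension from sources that are not configured extensions), as an added example that is not from this thread or from FreePBX/Asterisk: the column layout is taken from the header row above, the KNOWN_EXTENSIONS set and the thresholds are assumptions, and the sample rows are constructed in the same format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the export quoted in this thread (the
# header row is included to show that it is skipped, not parsed).
SAMPLE_CDR = """\
Call Date Recording System Src Chan. Source DID App. Dest. Dst. Chan. Disposition Duration Userfield Account
2012-10-05 23:19:08 1349500748.2459 SIP 100 Wait s ANSWERED 00:02
2012-10-05 23:19:07 1349500747.2458 SIP 100 Wait s ANSWERED 00:01
2012-10-05 23:19:06 1349500746.2457 SIP 100 Wait s ANSWERED 00:01
2012-10-05 23:19:04 1349500744.2456 SIP 100 Answer s ANSWERED 00:01
2012-10-05 23:19:03 1349500743.2455 SIP 100 Wait s ANSWERED 00:00
2012-10-05 17:52:18 1349481138.2421 SIP 1001 Answer s ANSWERED 00:00
2012-10-05 09:15:00 1349450100.2300 SIP 2001 Dial 5551234 ANSWERED 04:12
"""
# Empty columns collapse away, leaving: date time uniqueid tech src app dst disposition mm:ss
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+\S+\s+(?P<src>\S+)"
                     r"\s+\S+\s+(?P<dst>\S+)\s+(?P<disp>\S+)\s+(?P<min>\d{2}):(?P<sec>\d{2})$")
KNOWN_EXTENSIONS = {"2001", "2002"}  # assumption: the extensions actually configured on the PBX
WINDOW, MIN_BURST, MAX_SECONDS = timedelta(seconds=60), 5, 3  # burst window / count / call length

def parse_cdr(text):
    """Rows of the whitespace-separated export; the header and unknown rows are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                            "src": m["src"], "dst": m["dst"], "disp": m["disp"],
                            "seconds": int(m["min"]) * 60 + int(m["sec"])})
    return records

def find_probe_bursts(records, known=KNOWN_EXTENSIONS):
    """source -> peak calls in any WINDOW, for unconfigured sources hitting 's' briefly."""
    by_src = defaultdict(list)
    for r in records:
        if r["src"] not in known and r["dst"] == "s" and r["seconds"] <= MAX_SECONDS:
            by_src[r["src"]].append(r["ts"])
    hits = {}
    for src, stamps in by_src.items():
        stamps.sort()
        peak = start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= MIN_BURST:
            hits[src] = peak
    return hits
```

A flagged source is the value to then look up in /var/log/asterisk/full, where the peer address behind it is recorded; the CDR alone does not show it.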