Odd behaviour, hacked?

Hi,
I have installed FreePBX (RasPBX) and had this running for about a week. I initially had SIP ports open to the web, but have since removed them from the firewall and rebooted the router.

I have added 4 extensions, inbound and outbound routes.

Looking at my CDR logs I see :

Call Date            System           CallerID  App         Destination            Disposition  Duration
2016-11-13 20:33:18  1479069198.19    500       Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:33:08  1479069188.18    500       Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:32:56  1479069176.17    500       Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:32:45  1479069165.16    400       Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:32:34  1479069154.15    400       Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:32:25  1479069143.14    400       Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:32:12  1479069132.13    2005      Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:32:10  1479069130.12    1000      Congestion  s [from-sip-external]  ANSWERED     00:12
2016-11-13 20:32:00  1479069120.11    2005      Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:31:49  1479069109.10    2005      Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:31:38  1479069098.9     2006      Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:31:26  1479069086.8     2006      Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:31:15  1479069075.7     2006      Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:31:04  1479069064.6     admin     Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:30:53  1479069053.5     admin     Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:30:42  1479069042.4     admin     Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:30:33  1479069031.3     5550000   Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:30:20  1479069020.2     5550000   Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:30:10  1479069010.1     1000      Congestion  s [from-sip-external]  ANSWERED     00:22
2016-11-13 20:30:09  1479069009.0     5550000   Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:28:08  1479068885.3932  1000      Congestion  s [from-sip-external]  ANSWERED     00:10
2016-11-13 20:28:01  1479068881.3931  3000      Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:27:50  1479068870.3930  3000      Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:27:38  1479068858.3929  6001      Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:27:27  1479068847.3928  6001      Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:27:16  1479068836.3927  6001      Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:27:05  1479068825.3926  27        Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:26:54  1479068813.3925  27        Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:26:42  1479068802.3924  27        Answer      s [from-sip-external]  ANSWERED     00:00
2016-11-13 20:26:33  1479068791.3923  208       Answer      s [from-sip-external]  ANSWERED     00:00

I removed the SIP ports from the router 2-3 days ago, but this activity is constant every 2 minutes. As there are no connections able to come in via the router/SIP ports, what is generating all these calls?

I assume something is running, as the extension numbers seem to vary and are trying to call, though I have no idea where this now goes.

Firewall Logs:
Time and date Message
01:43:46, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 192.168.1.254->224.0.0.22 on ptm0.101)
01:43:27, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 86.163.250.6->224.0.0.22 on ppp3)
01:43:26, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 192.168.1.254->224.0.0.22 on ptm0.101)
01:43:13, 14 Nov. OUT: BLOCK [53] Defragmentation failed (Fragmented packet, header too small: PROTO 128 Fragment 0.0.0.0->4.57.246.88 offset: 12800 on ath00)
01:41:17, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 192.168.1.254->224.0.0.22 on ptm0.101)
01:41:17, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 86.163.250.6->224.0.0.22 on ppp3)
01:39:37, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 192.168.1.254->224.0.0.22 on ptm0.101)
01:39:11, 14 Nov. OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.48]:54850->[151.101.16.133]:443 on ppp3)
01:39:11, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 86.163.250.6->224.0.0.22 on ppp3)
01:37:13, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 192.168.1.254->224.0.0.22 on ptm0.101)
01:37:06, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 86.163.250.6->224.0.0.22 on ppp3)
01:36:23, 14 Nov. BLOCKED 1 more packets (because of Packet invalid in connection)
01:36:23, 14 Nov. IN: BLOCK [9] Packet invalid in connection (Invalid tcp flags for current tcp state: TCP [104.103.120.141]:80->[86.163.250.6]:50157 on ppp3)
01:35:05, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 192.168.1.254->224.0.0.22 on ptm0.101)
01:35:03, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 86.163.250.6->224.0.0.22 on ppp3)
01:33:01, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 192.168.1.254->224.0.0.22 on ptm0.101)
01:33:01, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 86.163.250.6->224.0.0.22 on ppp3)
01:32:08, 14 Nov. OUT: BLOCK [53] Defragmentation failed (Fragmented packet, packet too big: PROTO 128 Fragment 0.0.0.0->4.57.246.88 offset: 12800 on ath00)

The Asterisk logs stop at 20:33, at which point I used the console to stop core services…

Just restarted the services and within seconds:

  == Using SIP RTP TOS bits 184
  == Using SIP RTP CoS mark 5
    -- Executing [002011972599924158@from-sip-external:1] NoOp("SIP/86.163.250.6-00000000", "Received incoming SIP connection from unknown peer to 002011972599924158") in new stack
    -- Executing [002011972599924158@from-sip-external:2] Set("SIP/86.163.250.6-00000000", "DID=002011972599924158") in new stack
    -- Executing [002011972599924158@from-sip-external:3] Goto("SIP/86.163.250.6-00000000", "s,1") in new stack
    -- Goto (from-sip-external,s,1)
    -- Executing [s@from-sip-external:1] GotoIf("SIP/86.163.250.6-00000000", "0?checklang:noanonymous") in new stack
    -- Goto (from-sip-external,s,5)
    -- Executing [s@from-sip-external:5] Set("SIP/86.163.250.6-00000000", "TIMEOUT(absolute)=15") in new stack
    -- Channel will hangup at 2016-11-14 02:05:04.420 GMT.
    -- Executing [s@from-sip-external:6] Log("SIP/86.163.250.6-00000000", "WARNING,"Rejecting unknown SIP connection from 91.121.73.154"") in new stack
[2016-11-14 02:04:49] WARNING[8508][C-00000000]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 91.121.73.154"
    -- Executing [s@from-sip-external:7] Answer("SIP/86.163.250.6-00000000", "") in new stack
    -- Executing [s@from-sip-external:8] Wait("SIP/86.163.250.6-00000000", "2") in new stack
    -- Executing [s@from-sip-external:9] Playback("SIP/86.163.250.6-00000000", "ss-noservice") in new stack
    -- <SIP/86.163.250.6-00000000> Playing 'ss-noservice.ulaw' (language 'en')
    -- Executing [s@from-sip-external:10] PlayTones("SIP/86.163.250.6-00000000", "congestion") in new stack
    -- Executing [s@from-sip-external:11] Congestion("SIP/86.163.250.6-00000000", "5") in new stack
  == Spawn extension (from-sip-external, s, 11) exited non-zero on 'SIP/86.163.250.6-00000000'
    -- Executing [h@from-sip-external:1] Hangup("SIP/86.163.250.6-00000000", "") in new stack
  == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/86.163.250.6-00000000'
[2016-11-14 02:05:21] WARNING[8472]: chan_sip.c:4061 retrans_pkt: Retransmission timeout reached on transmission b3192c4d9cf81f833431c76cd654e2a9 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 31999ms with no response
raspbx*CLI>

Any advice appreciated… though I suppose I should re-install clean again…?
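The CDR rows and the Asterisk log lines in this post carry everything needed to recognise what is going on: a steady stream of calls landing in the from-sip-external context, the CallerID changing every few calls, almost all "answered" for 0 seconds by the reject dialplan, and the only place the real source address shows up is the "Rejecting unknown SIP connection from …" warning in the full log. The script below is an added example, not code from the thread, FreePBX or RasPBX. It assumes CDR rows in the layout the report above prints (date, uniqueid, CallerID, App, Destination, [context], Disposition, MM:SS); the sample rows are copied from the post plus one constructed internal call, and the sample log lines reuse the IP from the post plus an RFC 5737 documentation address.

```python
"""Spot anonymous-SIP probing in FreePBX CDR output and tie it to source IPs.

Added example for this thread; not code from FreePBX, RasPBX or the poster.
Assumes CDR rows laid out as the report in the post prints them:
  call date, uniqueid, CallerID, App, Destination, [context], Disposition, MM:SS
"""
from collections import Counter
from datetime import datetime
import re

# Constructed sample: nine rows copied from the CDR report in the post plus one
# ordinary internal outbound call (extension 201 to a made-up number) so the
# detector has benign traffic to leave alone.
SAMPLE_CDR = """\
2016-11-13 20:33:18 1479069198.19 500 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:33:08 1479069188.18 500 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:32:56 1479069176.17 500 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:32:45 1479069165.16 400 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:32:12 1479069132.13 2005 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:32:10 1479069130.12 1000 Congestion s [from-sip-external] ANSWERED 00:12
2016-11-13 20:31:04 1479069064.6 admin Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:30:33 1479069031.3 5550000 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:30:09 1479069009.0 5550000 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 19:10:02 1479064202.1 201 Dial 07700900123 [from-internal] ANSWERED 01:42
"""

# Constructed sample of /var/log/asterisk/full lines in the shape the post shows.
# 91.121.73.154 appears in the post; 203.0.113.7 is an RFC 5737 documentation address.
SAMPLE_LOG = """\
[2016-11-14 02:04:49] WARNING[8508][C-00000000]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 91.121.73.154"
[2016-11-14 02:05:21] WARNING[8472]: chan_sip.c:4061 retrans_pkt: Retransmission timeout reached for seqno 1 (Critical Response)
[2016-11-14 02:06:02] WARNING[8510][C-00000001]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 91.121.73.154"
[2016-11-14 02:07:40] WARNING[8512][C-00000002]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 203.0.113.7"
"""

GUEST_CONTEXT = "from-sip-external"  # where FreePBX lands calls from unknown SIP peers
REJECT_RE = re.compile(r'Rejecting unknown SIP connection from (\d{1,3}(?:\.\d{1,3}){3})')


def parse_cdr_line(line):
    """Return one CDR row as a dict, or None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) != 9:
        return None
    date, time, uniqueid, callerid, app, dst, context, disposition, duration = parts
    minutes, seconds = duration.split(":")
    return {
        "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "uniqueid": uniqueid,
        "callerid": callerid,
        "app": app,
        "dst": dst,
        "context": context.strip("[]"),
        "disposition": disposition,
        "duration_s": int(minutes) * 60 + int(seconds),
    }


def load_cdr(text):
    return [r for r in map(parse_cdr_line, text.splitlines()) if r]


def find_probing(records, window_s=600, min_calls=5, min_distinct_callerids=3):
    """Flag bursts of guest-context calls that cycle through many CallerIDs.

    Extension guessing looks exactly like the post's CDR: calls into
    from-sip-external every few seconds, CallerID changing every few calls,
    nearly all of them 'answered' for 0 seconds by the reject dialplan.
    """
    guests = sorted((r for r in records if r["context"] == GUEST_CONTEXT),
                    key=lambda r: r["when"])
    alerts = []
    i = 0
    while i < len(guests):
        j = i
        while j < len(guests) and (guests[j]["when"] - guests[i]["when"]).total_seconds() <= window_s:
            j += 1
        burst = guests[i:j]
        callerids = Counter(r["callerid"] for r in burst)
        if len(burst) >= min_calls and len(callerids) >= min_distinct_callerids:
            alerts.append({
                "start": burst[0]["when"],
                "end": burst[-1]["when"],
                "calls": len(burst),
                "distinct_callerids": len(callerids),
                "zero_duration_calls": sum(1 for r in burst if r["duration_s"] == 0),
                "top_callerids": callerids.most_common(3),
            })
            i = j  # skip past the burst just reported
        else:
            i += 1
    return alerts


def rejected_sources(log_text):
    """Count 'Rejecting unknown SIP connection' warnings per source IP.

    The CDR never shows where a guest call came from; the Asterisk full log
    does, which is what you need before deciding on firewall or Fail2Ban rules.
    """
    return Counter(m.group(1) for m in REJECT_RE.finditer(log_text))


if __name__ == "__main__":
    for a in find_probing(load_cdr(SAMPLE_CDR)):
        print(f"{a['start']} .. {a['end']}: {a['calls']} guest calls, "
              f"{a['distinct_callerids']} CallerIDs, {a['zero_duration_calls']} zero-length; "
              f"most common {a['top_callerids']}")
    for ip, n in rejected_sources(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} rejected guest calls")
```

On a real box you would feed it the CDR export and /var/log/asterisk/full instead of the embedded samples. A burst report with one or more rejected-source IPs means guest calls are still reaching Asterisk, regardless of what the router's port-forwarding page says, and the IP counts tell you whether Fail2Ban's jail is actually catching them.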

Check that
‘allow anonymous inbound SIP calls’ = NO
and
Allow SIP Guests = NO

Check also that you have a ‘catch all’ default inbound route

Hi, Thanks for the update. I checked. I think that setting is on a selector switch off the SIP_CHAN button. This is set to no. SIP Guests are also now off.

Currently the external ports are closed, and I reloaded the complete system just in case there was something remnant there.

I am struggling to find some things, as before I ran vanilla Asterisk just with conf files that I created. With FreePBX you can't just edit the files, as these are managed and overwritten.

What are you trying to do?

If you used to modify the extensions.conf file (for example), you will now need to edit one of the other extensions_*.conf files. For example, if you need to override something that FreePBX does in extensions.conf, there’s an *override* file. If you just need to add some custom code, there’s a *custom* file.

Thanks for the replies. I am a little restricted as I am running a cut-down version on an RPi.

I had written a wakeup call script to be able to do wakeup calls, but since found there is a “hotel style wakeup calls” module which I have now installed on FreePBX.

Interestingly enough, although there has been no port forwarding on the router for a couple of weeks and the router was powered down/up again, no-one should be able to get to this PBX externally.

However, Fail2Ban is still blocking IPs! The latest one was from Poland.

Going to have to look at that Hub I think… :angry: