Odd behaviour, hacked?

buttons · November 14, 2016, 1:47am

HI,
I have installed FreePBX (RasPBX) and had this running for about a week. I initially had SIP ports open to the web, but have since removed them from the firewall and rebooted the router.

I have added 4 extensions, inbound and outbound routes.

Looking at my CDR logs I see :

Call Date Recording System CallerID Outbound CallerID DID App Destination Disposition Duration Userfield Account CDR Table CDR Graph
2016-11-13 20:33:18 1479069198.19 500 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:33:08 1479069188.18 500 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:32:56 1479069176.17 500 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:32:45 1479069165.16 400 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:32:34 1479069154.15 400 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:32:25 1479069143.14 400 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:32:12 1479069132.13 2005 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:32:10 1479069130.12 1000 Congestion s [from-sip-external] ANSWERED 00:12
2016-11-13 20:32:00 1479069120.11 2005 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:31:49 1479069109.10 2005 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:31:38 1479069098.9 2006 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:31:26 1479069086.8 2006 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:31:15 1479069075.7 2006 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:31:04 1479069064.6 admin Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:30:53 1479069053.5 admin Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:30:42 1479069042.4 admin Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:30:33 1479069031.3 5550000 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:30:20 1479069020.2 5550000 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:30:10 1479069010.1 1000 Congestion s [from-sip-external] ANSWERED 00:22
2016-11-13 20:30:09 1479069009.0 5550000 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:28:08 1479068885.3932 1000 Congestion s [from-sip-external] ANSWERED 00:10
2016-11-13 20:28:01 1479068881.3931 3000 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:27:50 1479068870.3930 3000 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:27:38 1479068858.3929 6001 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:27:27 1479068847.3928 6001 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:27:16 1479068836.3927 6001 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:27:05 1479068825.3926 27 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:26:54 1479068813.3925 27 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:26:42 1479068802.3924 27 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:26:33 1479068791.3923 208 Answer s [from-sip-external] ANSWERED 00:00

I removed the SIP ports from the router 2-3 days ago but this activity is constant every 2 minutes, as there are no connections able to come in via the router/SIP ports - what is generating all these calls?

Assuming something is running as extension numbers seem to be varied and trying to call, though I have no idea where this now goes?

Firewall Logs:
Time and date Message
01:43:46, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 192.168.1.254->224.0.0.22 on ptm0.101)
01:43:27, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 86.163.250.6->224.0.0.22 on ppp3)
01:43:26, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 192.168.1.254->224.0.0.22 on ptm0.101)
01:43:13, 14 Nov. OUT: BLOCK [53] Defragmentation failed (Fragmented packet, header too small: PROTO 128 Fragment 0.0.0.0->4.57.246.88 offset: 12800 on ath00)
01:41:17, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 192.168.1.254->224.0.0.22 on ptm0.101)
01:41:17, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 86.163.250.6->224.0.0.22 on ppp3)
01:39:37, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 192.168.1.254->224.0.0.22 on ptm0.101)
01:39:11, 14 Nov. OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.48]:54850->[151.101.16.133]:443 on ppp3)
01:39:11, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 86.163.250.6->224.0.0.22 on ppp3)
01:37:13, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 192.168.1.254->224.0.0.22 on ptm0.101)
01:37:06, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 86.163.250.6->224.0.0.22 on ppp3)
01:36:23, 14 Nov. BLOCKED 1 more packets (because of Packet invalid in connection)
01:36:23, 14 Nov. IN: BLOCK [9] Packet invalid in connection (Invalid tcp flags for current tcp state: TCP [104.103.120.141]:80->[86.163.250.6]:50157 on ppp3)
01:35:05, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 192.168.1.254->224.0.0.22 on ptm0.101)
01:35:03, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 86.163.250.6->224.0.0.22 on ppp3)
01:33:01, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 192.168.1.254->224.0.0.22 on ptm0.101)
01:33:01, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 86.163.250.6->224.0.0.22 on ppp3)
01:32:08, 14 Nov. OUT: BLOCK [53] Defragmentation failed (Fragmented packet, packet too big: PROTO 128 Fragment 0.0.0.0->4.57.246.88 offset: 12800 on ath00)

The asterisk logs stop at 20:33 at which point I used the console to stop core services…

Just restarted the services and within seconds:

== Using SIP RTP TOS bits 184
== Using SIP RTP CoS mark 5
– Executing [002011972599924158@from-sip-external:1] NoOp(“SIP/86.163.250.6-00000000”, “Received incoming SIP connection from unknown peer to 002011972599924158”) in new stack
– Executing [002011972599924158@from-sip-external:2] Set(“SIP/86.163.250.6-00000000”, “DID=002011972599924158”) in new stack
– Executing [002011972599924158@from-sip-external:3] Goto(“SIP/86.163.250.6-00000000”, “s,1”) in new stack
– Goto (from-sip-external,s,1)
– Executing [s@from-sip-external:1] GotoIf(“SIP/86.163.250.6-00000000”, “0?checklang:noanonymous”) in new stack
– Goto (from-sip-external,s,5)
– Executing [s@from-sip-external:5] Set(“SIP/86.163.250.6-00000000”, “TIMEOUT(absolute)=15”) in new stack
– Channel will hangup at 2016-11-14 02:05:04.420 GMT.
– Executing [s@from-sip-external:6] Log(“SIP/86.163.250.6-00000000”, "WARNING,“Rejecting unknown SIP connection from 91.121.73.154"”) in new stack
[2016-11-14 02:04:49] WARNING[8508][C-00000000]: Ext. s:6 @ from-sip-external: “Rejecting unknown SIP connection from 91.121.73.154”
– Executing [s@from-sip-external:7] Answer(“SIP/86.163.250.6-00000000”, “”) in new stack
– Executing [s@from-sip-external:8] Wait(“SIP/86.163.250.6-00000000”, “2”) in new stack
– Executing [s@from-sip-external:9] Playback(“SIP/86.163.250.6-00000000”, “ss-noservice”) in new stack
– <SIP/86.163.250.6-00000000> Playing ‘ss-noservice.ulaw’ (language ‘en’)
– Executing [s@from-sip-external:10] PlayTones(“SIP/86.163.250.6-00000000”, “congestion”) in new stack
– Executing [s@from-sip-external:11] Congestion(“SIP/86.163.250.6-00000000”, “5”) in new stack
== Spawn extension (from-sip-external, s, 11) exited non-zero on ‘SIP/86.163.250.6-00000000’
– Executing [h@from-sip-external:1] Hangup(“SIP/86.163.250.6-00000000”, “”) in new stack
== Spawn extension (from-sip-external, h, 1) exited non-zero on ‘SIP/86.163.250.6-00000000’
[2016-11-14 02:05:21] WARNING[8472]: chan_sip.c:4061 retrans_pkt: Retransmission timeout reached on transmission b3192c4d9cf81f833431c76cd654e2a9 for seqno 1 (Critical Response) – See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 31999ms with no response
raspbx*CLI>

Any advice appreciated… though I suppose I should re-install clean again…?

dcitelecom · November 14, 2016, 2:31am

Check that
’allow anonymous inbound SIP calls’ = NO
and
Allow SIP Guests = NO

Check also that you have a ‘catch all’ default inbound route

buttons · November 21, 2016, 10:33am

Hi, Thanks for the update. I checked. I think that setting is on a selector switch off the SIP_CHAN button. This is set to no. SIP Guests are also now off.

Currently external ports are closed and I reloaded the compete system just in-case there was something remnant there.

I am struggling to find somethings as before I ran Asterisk vanilla just with conf files that I created. With FreePBX you cant just exit the files as these are managed and overwritten.

cynjut · November 21, 2016, 4:53pm

What are you trying to do?

If you used to modify the extensions.conf file (for example), you will now need to edit one of the other extensions_*.conf files. For example, if you need to override something that FreePBX does in extensions.conf, there’s an *override* file. If you just need to add some custom code, there’s a *custom* file.

buttons · November 28, 2016, 6:47pm

Thanks for the replies. I am a little restricted as I am running a cutdown version on a rPI.

I had written a wakeup call script to be able to do wakeup calls, but since found there is a “hotel style wakeup calls” module which I have now installed on FreePBX.

Interestingly enough, although there has been no port forwarding on the router for a couple of weeks and the router was powered down/up again no-one should be able to get to this pbx externally.

However Fail2Ban is blocking IPs still! Latest one was from Poland.

Going to have to look at that Hub I think…