Strange entries in CDR report / System hacked?

I have just noticed lots of strange entries in CDR report.
It looks like extensions are trying to establish a connection, but these are not extensions that exist on my system.

My extensions are in 80XX format and I do not know what 100, 2002, 2003 are.
Can someone please advise, has my system been hacked?

2013-01-02 11:05:45 1357124745.1480 SIP 8006 Dial 8009 SIP ANSWERED 00:38
2013-01-02 10:36:22 1357122982.1478 SIP 8010 Dial 8001 SIP ANSWERED 00:19
2013-01-02 10:11:17 1357121477.1476 SIP 8001 Dial 8010 SIP ANSWERED 09:11
2013-01-02 09:56:36 1357120596.1474 SIP 8001 Dial 8003 SIP ANSWERED 08:28
2013-01-02 09:34:13 1357119253.1472 SIP 8003 Dial 8001 SIP ANSWERED 00:20
2013-01-02 08:56:19 1357116979.1471 SIP 100 Wait s ANSWERED 00:00
2013-01-02 08:56:16 1357116976.1470 SIP 100 Wait s ANSWERED 00:01
2013-01-02 08:56:14 1357116974.1469 SIP 100 Answer s ANSWERED 00:01
2013-01-02 08:56:12 1357116972.1468 SIP 100 Answer s ANSWERED 00:00
2013-01-02 08:56:10 1357116970.1467 SIP 100 Wait s ANSWERED 00:00
2013-01-02 08:56:08 1357116968.1466 SIP 100 Answer s ANSWERED 00:00
2013-01-02 08:56:05 1357116965.1465 SIP 100 Answer s ANSWERED 00:00
2013-01-02 08:56:03 1357116963.1464 SIP 100 Answer s ANSWERED 00:01
2013-01-02 08:56:02 1357116962.1463 SIP 100 Answer s ANSWERED 00:00
2013-01-02 08:56:00 1357116960.1462 SIP 100 Answer s ANSWERED 00:00
2013-01-02 08:55:58 1357116958.1461 SIP 100 Answer s ANSWERED 00:00
2013-01-02 08:55:56 1357116956.1460 SIP 100 Answer s ANSWERED 00:01
2013-01-02 08:55:55 1357116955.1459 SIP 100 Answer s ANSWERED 00:00
2013-01-02 08:55:53 1357116953.1458 SIP 100 Answer s ANSWERED 00:00
2013-01-02 08:55:51 1357116951.1457 SIP 100 Answer s ANSWERED 00:01
2013-01-02 08:55:50 1357116950.1456 SIP 100 Answer s ANSWERED 00:00
2013-01-02 08:55:47 1357116947.1455 SIP 100 Wait s ANSWERED 00:01
2013-01-02 08:55:45 1357116945.1454 SIP 100 Answer s ANSWERED 00:00
2013-01-02 08:55:42 1357116942.1453 SIP 100 Answer s ANSWERED 00:00
2013-01-02 08:55:40 1357116940.1452 SIP 100 Answer s ANSWERED 00:00
2013-01-02 08:55:37 1357116937.1451 SIP 100 Answer s ANSWERED 00:01
2013-01-02 08:55:35 1357116935.1450 SIP 100 Answer s ANSWERED 00:00
2013-01-02 08:55:33 1357116933.1449 SIP 100 Answer s ANSWERED 00:00
2013-01-02 08:55:31 1357116931.1448 SIP 100 Answer s ANSWERED 00:01
2013-01-02 08:55:29 1357116929.1447 SIP 100 Answer s ANSWERED 00:01
Call Date | Recording | System | Src Chan. | Source | DID | App. | Dest. | Dst. Chan. | Disposition | Duration | Userfield | Account
2013-01-02 06:56:28 1357109788.1446 SIP 2003 Answer s ANSWERED 00:00
2013-01-02 06:56:28 1357109788.1445 SIP 2003 Answer s ANSWERED 00:00
2013-01-02 06:56:27 1357109787.1444 SIP 2003 Answer s ANSWERED 00:00
2013-01-02 06:56:26 1357109786.1443 SIP 2003 Answer s ANSWERED 00:00
2013-01-02 06:56:25 1357109785.1442 SIP 2003 Answer s ANSWERED 00:01
2013-01-02 06:56:25 1357109785.1441 SIP 2003 Answer s ANSWERED 00:00
2013-01-02 06:56:24 1357109784.1440 SIP 2003 Answer s ANSWERED 00:00
2013-01-02 06:56:23 1357109783.1439 SIP 2003 Answer s ANSWERED 00:01
2013-01-02 06:40:25 1357108825.1438 SIP 2002 Answer s ANSWERED 00:00
2013-01-02 06:40:24 1357108824.1437 SIP 2002 Answer s ANSWERED 00:00
2013-01-02 06:40:23 1357108823.1436 SIP 2002 Answer s ANSWERED 00:00
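
One way to pull the non-local sources out of a CDR listing like the one above and see how tightly they cluster in time, as an added example that is not part of the original post. It assumes the report layout shown in the post and local extensions of the form 80XX; the function names and the 60-second window are illustrative choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a few rows in the layout of the CDR report in the post.
SAMPLE_CDR = """\
2013-01-02 11:05:45 1357124745.1480 SIP 8006 Dial 8009 SIP ANSWERED 00:38
2013-01-02 08:56:19 1357116979.1471 SIP 100 Wait s ANSWERED 00:00
2013-01-02 08:56:16 1357116976.1470 SIP 100 Wait s ANSWERED 00:01
2013-01-02 08:56:14 1357116974.1469 SIP 100 Answer s ANSWERED 00:01
2013-01-02 06:56:28 1357109788.1446 SIP 2003 Answer s ANSWERED 00:00
2013-01-02 06:56:27 1357109787.1444 SIP 2003 Answer s ANSWERED 00:00
2013-01-02 06:40:25 1357108825.1438 SIP 2002 Answer s ANSWERED 00:00
"""
# Assumed column order: date time uniqueid SIP source app dest... disposition mm:ss
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<uid>\S+) SIP (?P<src>\S+) "
    r"(?P<app>\w+) (?P<dest>.+?) (?P<disp>ANSWERED|NO ANSWER|BUSY|FAILED) \d\d:\d\d$"
)

def parse_cdr(text):
    """Yield (timestamp, source, app); header rows and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"], m["app"]

def unknown_sources(text, ext_pattern=r"80\d\d", burst_window=60):
    """Summarise records whose source does not match the local extension format.

    "peak" is the largest number of records seen within burst_window seconds.
    """
    local = re.compile(ext_pattern)
    seen = defaultdict(list)
    for ts, src, app in parse_cdr(text):
        if not local.fullmatch(src):
            seen[src].append((ts, app))
    report = {}
    for src, rows in seen.items():
        stamps = sorted(ts for ts, _ in rows)
        peak = lo = 0
        for hi, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while (ts - stamps[lo]).total_seconds() > burst_window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        report[src] = {"count": len(stamps), "first": stamps[0], "last": stamps[-1],
                       "peak": peak, "apps": sorted({app for _, app in rows})}
    return report

if __name__ == "__main__":
    for src, info in unknown_sources(SAMPLE_CDR).items():
        print(src, info["count"], info["peak"], info["first"], info["apps"])
```
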

Is your system connected to the Internet? Do you have a firewall?

Yes, the system is exposed to the Internet but behind a firewall.
Also Fail2Ban is working on it.

Can anyone help?

Are you using paging?

Are you using ring groups?

Are you using hints?

None of the above.

Just a minor input.
I too get visitors from time to time and all the hurt (that I’m aware of) is in the CDR. General settings/Allow Anonymous Inbound SIP Calls? is set to NO of course, but SIP settings/Allow SIP Guests is set to YES - so you see these.

Someone more into security might have a clearer explanation, but I stopped worrying about it when I could see the visitors were going nowhere.

I think you have it about right. Changing allow SIP guests to NO seems to get rid of a lot of this scanning activity showing up in CDR. However, using it as a default setting may not be a great idea because some Trunk providers won’t work with that setting. So you need to test it with your trunks first.

artarzi / mustardman

I have just changed Allow SIP Guest to No, hopefully this will get rid of the unwanted connection attempts.
Thank you guys for a hint.

Truthfully, if you have UDP/5060 open to the world, then don’t count on anything; there are so many holes in Asterisk and SIP still that those buggers in Palestine, Egypt and the ubiquitous Chinese Universities will still bug you.

Use a properly configured firewall, and strive to not use 5060 for SIP . . .

And that seems to resolve my problem. No more strange login/call attempts.
Thank you guys.

dicko

I have my users connecting from a few different countries over the Internet (no VPN). How would you suggest I make my system secure?

Thanks in advance.

Sorry, I thought I suggested a way, maybe "Use a properly configured firewall, and strive to not use 5060 for SIP . . ."

I'm a bit new here, but the advantia website talks a bit about SIPVicious and about OpenSIPS, which might be helpful because they mention deploying it ahead of your Asterisk box. Regardless, I would have to agree with everyone's comments about proper firewall configuration, including using Fail2ban.