Unknown SIP Peers and IAX2 Peers

Hi there
I have recently noticed (no idea how long this has been the case, I’m afraid) that there are a number of unconfigured and unexpected SIP and IAX2 peers registered to our FreePBX.

A SIP peer example shows up as follows:
Name/username Host Dyn NAT ACL Port Status
9388765324/9388765324 (Unspecified) D N 0 Unmonitored

An IAX2 peer example:
Name/Username Host Mask Port Status
9576422161/9576 (Unspecified) (D) 255.255.255.255 0 Unmonitored

  1. We don’t have any IAX2 trunks in the first place so what does this mean?
  2. What could be causing/creating these SIP peer registrations?
    • is it malicious activity?
  3. Could someone explain for me what the following mean
    • Host = unspecified
    • Status = unmonitored

Please let me know if more info would be required.

Many thanks in advance

At some point someone gained access to your system and added extensions or trunks with the intention of using your system.

Let me guess, the web interface is opened to the Internet?

Thanks for the reply…

OK… that sounds like it could be about right. Sometime before I joined the company they told me they had someone do that and dial up some expensive numbers. Do you think these are remnants from this?

iptables is running on the server now, so only a few external admins with a fixed IP address that I allow through can do anything on the server. It’s also behind another FW, but this has simple port forwarding on it.

Could you tell me how I remove these SIP and IAX2 peers please, as they don’t show up on the web interface.
Also, is there a way of changing the port that the web interface is accessed on?

Many thanks for your help.

You have to find what files they put them in.

Do you understand how includes work?

Is this an old trixbox?

You have to look at what is “included” into sip.conf and iax.conf and follow the trail.

. . . and delete them from the Asterisk database also, they might well be just there and nowhere else, these lines from bash should expose them all . . .

rasterisk -x 'database show' | grep -E "9388|9576"
grep -E "9388|9576" /etc/asterisk/{iax,sip,exten}*
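The "follow the include trail" advice above can be automated. The script below is an added example and not code from the thread: it walks every `#include` reachable from a root config (sip.conf or iax.conf), prints each peer section together with the file that defines it, and separately lists peers defined outside the file FreePBX itself generates (sip_additional.conf). It assumes the classic `#include name` form relative to the config directory; `#exec` includes (only active with execincludes=yes in asterisk.conf) are not followed. The function names are the example's own, and the directory built by make_demo_confdir, including the peer 9388765324 and its secret, is constructed to mirror the chain described later in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: follow the "#include" trail from a
# root Asterisk config (sip.conf, iax.conf) and report which file defines each
# peer, so a peer that only appears in "sip show peers" can be traced to the
# file it was planted in. Paths and peers in make_demo_confdir are constructed.
set -u

# Print $2 (relative to the config dir $1) and, recursively, every file it
# #includes. Wildcard includes ("#include foo_*.conf") are expanded by the
# shell glob. The depth cap stops an include loop from recursing forever.
asterisk_include_tree() {
    local dir="$1" file="$2" depth="${3:-0}" inc path matched
    if [ "$depth" -ge 16 ]; then
        echo "include depth exceeded at $file (loop?)" >&2
        return 1
    fi
    if [ ! -r "$dir/$file" ]; then
        echo "missing include: $file" >&2
        return 0
    fi
    printf '%s\n' "$file"
    # Extract the target of each '#include name' or '#include "name"' line.
    sed -n 's/^[[:space:]]*#include[[:space:]]*"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$dir/$file" |
    while read -r inc; do
        matched=0
        for path in "$dir"/$inc; do          # unquoted on purpose: glob includes
            [ -e "$path" ] || continue
            matched=1
            asterisk_include_tree "$dir" "${path#"$dir/"}" $((depth + 1))
        done
        [ "$matched" -eq 1 ] || echo "missing include: $inc (from $file)" >&2
    done
}

# For every file in the include tree print "file<TAB>section" for each section
# other than [general]. The Name column of "sip show peers" is the section
# name, so this answers "where is peer 9388765324 defined?".
asterisk_peer_origins() {
    local dir="$1" root="$2" f
    asterisk_include_tree "$dir" "$root" | awk '!seen[$0]++' |
    while read -r f; do
        awk -v f="$f" '/^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*/, "", s)
            if (s != "general") print f "\t" s
        }' "$dir/$f"
    done
}

# Usage: find_peer_origin <confdir> <root.conf> <awk regex on the peer name>
find_peer_origin() {
    asterisk_peer_origins "$1" "$2" | awk -F'\t' -v p="$3" '$2 ~ p'
}

# Peers defined anywhere except the file FreePBX itself generates
# (sip_additional.conf / iax_additional.conf): added by hand, by another
# package such as a2billing, or by an intruder, so every line needs checking.
# Usage: peers_outside_managed_file <confdir> <root.conf> <managed file>
peers_outside_managed_file() {
    asterisk_peer_origins "$1" "$2" | awk -F'\t' -v m="$3" '$1 != m'
}

# Constructed fixture mirroring the include chain found in the thread:
# sip.conf -> sip_custom.conf -> additional_a2billing_sip.conf.
# Prints the temp dir it creates; the caller removes it.
make_demo_confdir() {
    local d
    d="$(mktemp -d)"
    cat > "$d/sip.conf" <<'EOF'
[general]
context=from-sip-external
#include sip_general_additional.conf
#include sip_additional.conf
#include sip_custom.conf
EOF
    printf 'disallow=all\nallow=ulaw\n' > "$d/sip_general_additional.conf"
    printf '[201]\ntype=friend\nhost=dynamic\nsecret=constructed-secret\n' > "$d/sip_additional.conf"
    cat > "$d/sip_custom.conf" <<'EOF'
; the planted include sits one level down, where the web UI never shows it
#include additional_a2billing_sip.conf
EOF
    cat > "$d/additional_a2billing_sip.conf" <<'EOF'
[9388765324]
type=friend
username=9388765324
host=dynamic
secret=constructed-secret
context=from-internal
EOF
    printf '%s\n' "$d"
}

demo_dir="$(make_demo_confdir)"
echo "== include tree from sip.conf =="
asterisk_include_tree "$demo_dir" sip.conf
echo "== every peer and the file that defines it =="
asterisk_peer_origins "$demo_dir" sip.conf
echo "== where does 9388765324 come from? =="
find_peer_origin "$demo_dir" sip.conf '^9388'
echo "== peers defined outside the FreePBX-managed sip_additional.conf =="
peers_outside_managed_file "$demo_dir" sip.conf sip_additional.conf
rm -rf "$demo_dir"
```

On a real box the call is `find_peer_origin /etc/asterisk sip.conf '^9388'` (and the same with iax.conf for the IAX2 peers); a peer that the CLI shows but this script cannot find in any file is exactly the case dicko describes above, and the `rasterisk -x 'database show'` check is still needed for it.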

Thanks for the replies… I was away last week but will take a look at your suggestions right away and post back.

Very quickly to start however:
SkyKingOH, I’m afraid I’m not familiar with “includes”. I’ve tried searching in the documentation but not found anything obvious. I will look into those file contents though.
It is an older installation that the previous guy said he didn’t want to change as “it worked fine”; but as I’m learning slowly I’m not keen to update the system just yet… much as I’d REALLY want to.

  • current version is Asterisk (Ver. 1.4.26.2), FreePBX 2.5.2.6

Hi there, so having done some digging starting with sip.conf and iax.conf, here’s what I’ve found:

  • I THINK it’s all OK and I just need to simply delete some file contents to tidy up, but I’d like to check with you guys.

IAX Files
  • iax_custom.conf references additional_a2billing_iax.conf
  • additional_a2billing_iax.conf has listed ALL the IAX peers I see defined in the web admin IAX peers list (that I don’t know about or want)
    • do you want more info on these listings?
    • can I delete these listings?
  • iax_general_additional.conf has various disallow/allow lines
    • can I # these out as we don’t use IAX at all?

SIP Files
  • sip_additional.conf has listed all my expected trunks and extensions
  • sip_custom.conf references additional_a2billing_sip.conf
  • additional_a2billing_sip.conf has listed ALL the (“unspecified and unmonitored”) SIP peers I see defined in the web admin SIP peers list
    • These are the peers I neither know anything about nor want, and suspect were the hacked entries???
  • sip_registrations.conf contains the 4 expected SIP trunk details

One final question:
What is the additional_a2billing_xxx.conf file used for?

Hope this all makes sense.

Many thanks for the continued help

a2billing is another software package used to track usage and perform billing (calling cards). It is really a stand-alone system, but if you know what you are doing you can run it on the same box as FreePBX.

Have you shut off all Internet access to the system?

Your system is very old.

Have you thought about engaging someone to help you?

Hi SkyKingOH

I think in terms of updating the system I’ll certainly look at getting some external help. It is indeed (embarrassingly) old!!!

As far as shutting off internet access to the system, is this an option, as I need at the very least SIP and RTP transport/routing in and out to make the calls/create the trunks?

  • I AM however looking to change the FW so I can use VPNs for remote users to connect to the server. This will tie things down more for sure.
  • Am I missing something though…? Is there a better way of doing it than directing ONLY SIP traffic to the server and using a FW and iptables to allow only selected fixed IPs to get to the server?

Like I say, all of this IAX and unknown SIP peers stuff appears -I hope- to be remnants of an “old” hack from last year that I’d simply like to clean up. I want to try and get the system tidy before I start changing/updating too much.
Question - can I simply remove (# out) the reference to additional_a2billing_xxx.conf from each of the xxx_custom.conf files?

Many thanks

I recreated blank additional_a2billing_xxx.conf files, reloaded SIP and restarted the Asterisk CLI, and all the previously undesired peers have now nicely disappeared.

Having spoken with someone who was here when the previous hack occurred, apparently the web portal was indeed left open :( Thankfully not the case now though.

Thanks for your help with where to look to get rid of all of these.

Kind regards

Jonathan