A strange Incoming Call

Discussion in 'General' started by Mirko87, Jan 23, 2009.

  1. Mirko87

    Joined:
    Oct 20, 2008
    Messages:
    128
    Likes Received:
    0
    Hi... before, this afternoon, I've got an incoming call from a strange number. After this, I've looked into the Statistics, and I've found this line:

    http://www.fileshost.com/download.php?id=C30B32FD1

    Like you can see, the Src. Channel is my IP Address.... Why this problem?

    Mirko
     
  2. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Possibly the start of a malicious attack

    Make sure that you have denied anonymous sip calls in the general config, and for your safety make sure that your firewall only allows access to udp port 5060 from your voip provider(s) and any external extensions you have.

    1865xxx looks suspiciously Chinese (a common source of attacks) (but callerID is easily spoofed as is source IP,and really means nothing) I note that there a is no such dialplan with or without the initial 1 in Italy.

    And extension 101 woukd be the logical extension to start the attack from, if they get an answer it is so easy to then try and register with your server usually using 101 as the passcode, not that anyone would be so naive as to use the same extension as password though. Then on to ext. 102 if that failed etc.

    If they find a vacant ext. then they can make all the calls they want and you will pay for them.
     
  3. Mirko87

    Joined:
    Oct 20, 2008
    Messages:
    128
    Likes Received:
    0
    Oh my god...

    This is an important issue. So that I have to disallow the anonimous SIP INBOUND CALLS?

    And, how can I see if they are using my PBX to make theirs calls?

    Thank you for the great help...

    Mirko
     
  4. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    you would see the calls in the unembedded freepbx reports tab.

    and for example if you see calls from 101 that you don't recognize,
    sip show peer 101 would show on the "Reg. contact" line someone who is not you.

    anonymous sip calls are disabled by default and should stay that way unless for you have a very good reason, however as they spoofed your ip address in the sip headers, it is not anonymous, it is considered local, clever eh!

    but if you keep your firewall under control, use a modicum of sense with passwords, don't allow root ssh access etc., the "script kiddies" will just pass you by and go onto the next ip address.
     

Share This Page