A strange Incoming Call

Mirko87

#1
Hi... earlier this afternoon, I got an incoming call from a strange number. After this, I looked into the Statistics, and I found this line:

http://www.fileshost.com/download.php?id=C30B32FD1

As you can see, the Src. Channel is my IP address... Why is there this problem?

Mirko
 

dicko

#2
Possibly the start of a malicious attack

Make sure that you have denied anonymous SIP calls in the general config, and for your safety make sure that your firewall only allows access to UDP port 5060 from your VoIP provider(s) and any external extensions you have.

1865xxx looks suspiciously Chinese (a common source of attacks), but caller ID is easily spoofed, as is source IP, and really means nothing. I note that there is no such dialplan with or without the initial 1 in Italy.

And extension 101 would be the logical extension to start the attack from. If they get an answer, it is so easy to then try and register with your server, usually using 101 as the passcode, not that anyone would be so naive as to use the same extension as password though. Then on to ext. 102 if that failed, etc.

If they find a vacant ext. then they can make all the calls they want and you will pay for them.
 

Mirko87

#3
Oh my god...

This is an important issue. So do I have to disallow the anonymous SIP inbound calls?

And how can I see if they are using my PBX to make their calls?

Thank you for the great help...

Mirko
 

dicko

#4
You would see the calls in the unembedded FreePBX reports tab.

And, for example, if you see calls from 101 that you don't recognize, sip show peer 101 would show on the "Reg. contact" line someone who is not you.

Anonymous SIP calls are disabled by default and should stay that way unless you have a very good reason; however, as they spoofed your IP address in the SIP headers, it is not anonymous, it is considered local. Clever, eh!

But if you keep your firewall under control, use a modicum of sense with passwords, don't allow root SSH access etc., the "script kiddies" will just pass you by and go on to the next IP address.
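
The "Reg. contact" check described in post #4, automated as an added example that is not part of any poster's reply: it reads `sip show peer` output and flags extensions registered from outside your own networks. The sample output, the addresses and the trusted range are constructed assumptions, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed `sip show peer <ext>` excerpts (documentation-range addresses,
# not values from the thread). On a live PBX you would capture the real output.
SAMPLE_OUTPUT = {
    "101": "  * Name       : 101\n  Secret       : <Set>\n"
           "  Addr->IP     : 203.0.113.77 Port 5060\n"
           "  Reg. Contact : sip:101@203.0.113.77:5060\n",
    "102": "  * Name       : 102\n  Secret       : <Set>\n"
           "  Addr->IP     : 192.168.1.23 Port 5060\n"
           "  Reg. Contact : sip:102@192.168.1.23:5060\n",
    "103": "  * Name       : 103\n  Secret       : <Set>\n"
           "  Reg. Contact : \n",
}

# Assumption: the networks your own phones register from.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Captures the host[:port] part of the registered contact URI.
CONTACT_RE = re.compile(
    r"^[ \t]*Reg\. Contact[ \t]*:[ \t]*sips?:(?:[^@\s]*@)?([^\s;>]+)", re.M)

def reg_contact_host(peer_output):
    """Return the host in the Reg. Contact URI, or None if not registered."""
    m = CONTACT_RE.search(peer_output)
    if not m:
        return None
    hostport = m.group(1)
    if hostport.startswith("["):                 # bracketed IPv6 literal
        return hostport[1:hostport.index("]")]
    return hostport.rsplit(":", 1)[0] if ":" in hostport else hostport

def check_peer(peer_output, trusted=TRUSTED_NETS):
    """Classify a peer: 'unregistered', 'ok', 'suspect' or 'review'."""
    host = reg_contact_host(peer_output)
    if host is None:
        return "unregistered"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "review"                          # hostname contact, check by hand
    return "ok" if any(addr in net for net in trusted) else "suspect"

if __name__ == "__main__":
    for ext, text in SAMPLE_OUTPUT.items():
        print(ext, reg_contact_host(text), check_peer(text))
```

A "suspect" result means the extension is registered from an address you did not list, which is the "someone who is not you" case; change that extension's secret and review the call reports for it.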
 
