Started making calls by itself

keylogthis

#1
I think my box has been compromised... Yesterday I checked the call logs and saw a bunch of calls that I did not make. People have been calling back from the numbers that it has been calling, but I haven't been able to talk to them yet to find out if it is giving them any type of message when it calls them. I don't understand how this could happen though. My box is set up behind the firewall in OpenWrt on my router and I didn't change any of the security settings in Elastix.

Below you can see what it has been doing. I have removed my number.

2009-04-10 10:43:12 (my number) 18452365774 SIP/201-08518ac8 IAX2/callwithus-1413 NO ANSWER 0
2009-04-10 10:43:15 (my number) 18452365774 SIP/201-08518ac8 IAX2/callwithus-6072 ANSWERED 8
2009-04-10 10:43:37 (my number) 18452365774 SIP/201-08518ac8 IAX2/callwithus-6072 NO ANSWER 0
2009-04-10 10:43:48 (my number) 18452365774 SIP/201-08518ac8 IAX2/callwithus-11167 ANSWERED 27
2009-04-10 10:44:30 (my number) 18452365774 SIP/201-08518ac8 IAX2/callwithus-11167 NO ANSWER 0
2009-04-10 12:08:33 (my number) 13034275188 SIP/201-083f8d48 IAX2/callwithus-11906 ANSWERED 2
2009-04-10 12:08:45 (my number) 13034275188 SIP/201-083f8d48 IAX2/callwithus-11906 NO ANSWER 0
2009-04-10 12:08:33 (my number) 13034279498 SIP/201-08518ac8 IAX2/callwithus-11531 NO ANSWER 0
2009-04-10 12:09:18 (my number) 13034275866 SIP/201-0851a288 IAX2/callwithus-8643 NO ANSWER 0
2009-04-10 12:09:18 (my number) 13034278254 SIP/201-08518ac8 IAX2/callwithus-114 NO ANSWER 0
2009-04-10 12:10:03 (my number) 13034276312 SIP/201-08518ac8 IAX2/callwithus-5508 NO ANSWER 0
2009-04-10 12:10:40 (my number) 13034275390 SIP/201-0840ec88 IAX2/callwithus-13281 NO ANSWER 0
2009-04-10 12:10:40 (my number) 13034274932 SIP/201-08518ac8 IAX2/callwithus-1521 NO ANSWER 0
2009-04-10 12:11:25 (my number) 13034278574 SIP/201-083f8d48 IAX2/callwithus-1892 NO ANSWER 0
2009-04-10 12:10:25 (my number) 13034273495 SIP/201-0840d5a0 IAX2/callwithus-5220 ANSWERED 50
2009-04-10 12:11:37 (my number) 13034273495 SIP/201-0840d5a0 IAX2/callwithus-5220 NO ANSWER 0
2009-04-10 12:11:25 (my number) 13034276967 SIP/201-08407e30 IAX2/callwithus-1652 NO ANSWER 0
2009-04-10 12:12:57 (my number) 13034277296 SIP/201-08523380 IAX2/callwithus-9295 NO ANSWER 0
2009-04-10 12:12:56 (my number) 13034271429 SIP/201-0840bd60 IAX2/callwithus-4194 NO ANSWER 0
2009-04-10 12:13:42 (my number) 13034272295 SIP/201-0840d1b8 IAX2/callwithus-11478 NO ANSWER 0
2009-04-10 12:13:41 (my number) 13034275141 SIP/201-0851a928 IAX2/callwithus-5769 NO ANSWER 0
2009-04-10 12:12:12 (my number) 13034275053 SIP/201-08520298 IAX2/callwithus-9767 ANSWERED 74
2009-04-10 12:13:51 (my number) 13034275053 SIP/201-08520298 IAX2/callwithus-9767 NO ANSWER 0
2009-04-10 12:14:50 (my number) 13034278311 SIP/201-0840a7d0 IAX2/callwithus-11967 NO ANSWER 0
2009-04-10 12:14:50 (my number) 13034273405 SIP/201-083fcfd0 IAX2/callwithus-13790 NO ANSWER 0
2009-04-10 12:15:36 (my number) 13034277406 SIP/201-08520178 IAX2/callwithus-863 NO ANSWER 0
2009-04-10 12:12:12 (my number) 13034274587 SIP/201-08401058 IAX2/callwithus-10569 ANSWERED 201
2009-04-10 12:15:44 (my number) 13034274587 SIP/201-08401058 IAX2/callwithus-10569 NO ANSWER 0
2009-04-10 12:15:36 (my number) 13034278082 SIP/201-0851a288 IAX2/callwithus-14610 NO ANSWER 0
2009-04-10 12:16:21 (my number) 13034279025 SIP/201-0851a288 IAX2/callwithus-1336 NO ANSWER 0
2009-04-10 12:17:06 (my number) 13034274661 SIP/201-0851a288 IAX2/callwithus-5732 NO ANSWER 0
2009-04-10 12:17:06 (my number) 13034277912 SIP/201-08521348 IAX2/callwithus-7876 NO ANSWER 0
2009-04-10 12:17:52 (my number) 13034270183 SIP/201-0851a288 IAX2/callwithus-4197 NO ANSWER 0
2009-04-10 12:18:10 (my number) 13034277075 SIP/201-0851a288 IAX2/callwithus-5415 NO ANSWER 0
2009-04-10 12:18:10 (my number) 13034272946 SIP/201-083ffdb0 IAX2/callwithus-6249 NO ANSWER 0
2009-04-10 12:17:52 (my number) 13034272541 SIP/201-085211f0 IAX2/callwithus-4895 NO ANSWER 0
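The CDR lines above already show the telltale pattern: one extension (SIP/201) dialling many different numbers within a few minutes. The following is an added example, not code from the original post or from Elastix, that parses lines in that layout and flags any extension that dials more than a threshold of distinct destinations inside a sliding time window; the sample records are constructed in the same shape as the posted ones (number masked).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the posted CDR export.
SAMPLE_CDR = """\
2009-04-10 10:43:12 (my number) 18452365774 SIP/201-08518ac8 IAX2/callwithus-1413 NO ANSWER 0
2009-04-10 12:08:33 (my number) 13034275188 SIP/201-083f8d48 IAX2/callwithus-11906 ANSWERED 2
2009-04-10 12:08:33 (my number) 13034279498 SIP/201-08518ac8 IAX2/callwithus-11531 NO ANSWER 0
2009-04-10 12:09:18 (my number) 13034275866 SIP/201-0851a288 IAX2/callwithus-8643 NO ANSWER 0
2009-04-10 12:09:18 (my number) 13034278254 SIP/201-08518ac8 IAX2/callwithus-114 NO ANSWER 0
2009-04-10 12:10:03 (my number) 13034276312 SIP/201-08518ac8 IAX2/callwithus-5508 NO ANSWER 0
2009-04-10 12:10:40 (my number) 13034275390 SIP/201-0840ec88 IAX2/callwithus-13281 NO ANSWER 0
2009-04-10 12:10:40 (my number) 13034274932 SIP/201-08518ac8 IAX2/callwithus-1521 NO ANSWER 0
2009-04-10 12:11:25 (my number) 13034278574 SIP/201-083f8d48 IAX2/callwithus-1892 NO ANSWER 0
"""

# date time (src) dst SIP/<ext>-<hex> <dstchannel> <disposition> <seconds>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \((?P<src>[^)]*)\) (?P<dst>\d+) "
    r"(?P<chan>SIP/(?P<ext>\d+)-[0-9a-f]+) (?P<dstchan>\S+) "
    r"(?P<disp>ANSWERED|NO ANSWER|BUSY|FAILED) (?P<dur>\d+)$"
)

def parse_cdr(text):
    """Parse CDR lines into dicts; lines not matching the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        rec["dur"] = int(rec["dur"])
        records.append(rec)
    return records

def find_bursts(records, window=timedelta(minutes=5), max_distinct=5):
    """Return {ext: (peak distinct destinations, window start)} for every
    extension that dialled more than max_distinct numbers inside one window."""
    by_ext = defaultdict(list)
    for r in records:
        by_ext[r["ext"]].append(r)
    alerts = {}
    for ext, recs in by_ext.items():
        recs.sort(key=lambda r: r["ts"])          # sliding window needs time order
        peak, peak_start = 0, None
        for i, start in enumerate(recs):
            dsts = {r["dst"] for r in recs[i:] if r["ts"] < start["ts"] + window}
            if len(dsts) > peak:
                peak, peak_start = len(dsts), start["ts"]
        if peak > max_distinct:
            alerts[ext] = (peak, peak_start)
    return alerts
```

Run it over a real export (for example with `find_bursts(parse_cdr(open("cdr.txt").read()))`) and tune `window` and `max_distinct` to the normal call volume of each extension.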
 

dicko

#2
You have indeed been hijacked. Check the security forum, look into fail2ban and check the IP of the registered extension 201; turn off anonymous SIP connections if you don't need them. But that's all too late for this attack:
"sip show peers"
from the Asterisk CLI will show where 201 is really at. Then set the firewall up to drop that network.

p.s.

see 201, was really a silly password for extension 201 ;)
 

keylogthis

#3
Thanks. Is that the reason that they were able to make the calls? They guessed the extension/password combination and were able to register through my box from their location? That would make sense, because I just don't think that they could have actually gained root access to any machine on my network.
 

dicko

#4
Indeed, extension = password is like writing your PIN on your ATM card and posting it on YouTube. (Actually you can find on YouTube/Google the scripts used and how to use them, so you can do it yourself to other people and save yourself some money B) )

As I say, check out the security forum here.

as an eye opener,

from bash

ls -las /var/log/asterisk/full*

and look through the earliest "big" one
 
