Started making calls by itself

Discussion in 'General' started by keylogthis, Apr 11, 2009.

  1. keylogthis

    Joined:
    Apr 11, 2009
    Messages:
    9
    Likes Received:
    0
    I think my box has been compromised... Yesterday I checked the call logs and saw a bunch of calls that I did not make. People have been calling back from the numbers that it has been calling, but I haven't been able to talk to them yet to find out if it is giving them any type of message when it calls them. I don't understand how this could happen though. My box is set up behind the firewall in OpenWrt on my router and I didn't change any of the security settings in Elastix.

    Below you can see what it has been doing. I have removed my number.

     
  2. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    You have indeed been hijacked. Check the security forum, look into fail2ban and check the IP of the registered extension 201; turn off anonymous SIP connections if you don't need them. But that's all too late for this attack:
    "sip show peers"
    from the Asterisk CLI will show where 201 is really at. Then set the firewall up to drop that network.

    p.s.

    See, "201" was really a silly password for extension 201 ;)
     
  3. keylogthis

    Joined:
    Apr 11, 2009
    Messages:
    9
    Likes Received:
    0
    Thanks. Is that the reason they were able to make the calls? They guessed the extension/password combination and were able to register through my box from their location? That would make sense, because I just don't think they could have actually gained root access to any machine on my network.
     
  4. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Indeed, extension = password is like writing your PIN on your ATM card and posting it on YouTube. (Actually you can find on YouTube/Google the scripts used and how to use them, so you can do it yourself to other people and save yourself some money B) )

    As I say, check out the security forum here.

    As an eye opener, from bash:

    ls -las /var/log/asterisk/full*

    and look through the earliest "big" one.
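The two checks dicko recommends above, "sip show peers" to find where extension 201 is really registered from (post 2) and reading /var/log/asterisk/full for the attack (post 4), can be scripted. The following is an added example, not code from this thread or from Elastix/Asterisk: it parses a constructed sample of `sip show peers` output and flags peers registered from outside the LAN, counts failed REGISTER attempts per source address in constructed log lines written in chan_sip's "Registration from ... failed for ..." style, finds extensions in a constructed sip.conf fragment whose secret is missing or equals the extension number, and emits the iptables DROP rules for the offending /24s. The LAN range 192.168.1.0/24, the addresses and all sample data are assumptions for illustration.

```python
"""Triage helpers for a hijacked Asterisk/Elastix box (added example, constructed data)."""
import ipaddress
import re
from collections import Counter

# Assumption: the LAN behind the OpenWrt router. A PBX that was never meant to
# serve remote phones should have no peer registered from outside it.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample of `asterisk -rx "sip show peers"` (1.4-era chan_sip layout;
# addresses are documentation ranges).
SIP_SHOW_PEERS = """\
Name/username              Host            Dyn Nat ACL Port     Status
201/201                    203.0.113.45     D   N      5060     OK (23 ms)
202/202                    192.168.1.50     D          5060     OK (2 ms)
203/203                    (Unspecified)    D          0        UNKNOWN
3 sip peers [Monitored: 2 online, 1 offline Unmonitored: 0 online, 0 offline]
"""

# Constructed lines in the style of /var/log/asterisk/full. A password-guessing
# run leaves the "Registration from ... failed for ..." NOTICE behind in bulk.
FULL_LOG = """\
[Apr 10 03:12:41] NOTICE[2761] chan_sip.c: Registration from '"201" <sip:201@10.0.0.5>' failed for '203.0.113.45' - Wrong password
[Apr 10 03:12:42] NOTICE[2761] chan_sip.c: Registration from '"201" <sip:201@10.0.0.5>' failed for '203.0.113.45' - Wrong password
[Apr 10 03:12:43] NOTICE[2761] chan_sip.c: Registration from '"200" <sip:200@10.0.0.5>' failed for '203.0.113.45' - No matching peer found
[Apr 10 03:12:44] VERBOSE[2761] logger.c:     -- Registered SIP '201' at 203.0.113.45 port 5060
[Apr 10 08:00:01] NOTICE[2761] chan_sip.c: Registration from '"202" <sip:202@10.0.0.5>' failed for '198.51.100.7:5060' - Wrong password
[Apr 10 08:05:12] VERBOSE[2761] logger.c:     -- Registered SIP '202' at 192.168.1.50 port 5060
"""

# Constructed sip.conf fragment in the shape Elastix/FreePBX writes for extensions.
SIP_CONF = """\
[201]
type=friend
secret=201
host=dynamic

[202]
type=friend
secret=Xk7!pq2LmR4v
host=dynamic

[203]
type=friend
host=dynamic
"""

# Older chan_sip logs the bare IP; newer builds append ":port", so accept both.
FAILED_RE = re.compile(r"Registration from '(?P<who>[^']*)' failed for '(?P<ip>[^':]+)(?::\d+)?' - (?P<why>.*)$")
REGISTERED_RE = re.compile(r"Registered SIP '(?P<ext>[^']+)' at (?P<ip>\S+) port (?P<port>\d+)")


def foreign_peers(peers_output, lan=LAN):
    """Return [(peer, ip)] for registered peers whose address lies outside the LAN."""
    found = []
    for line in peers_output.splitlines()[1:]:       # skip the column header
        cols = line.split()
        if len(cols) < 2 or "/" not in cols[0]:       # summary line or junk
            continue
        try:
            ip = ipaddress.ip_address(cols[1])
        except ValueError:                            # "(Unspecified)": not registered
            continue
        if ip not in lan:
            found.append((cols[0].split("/")[0], str(ip)))
    return found


def failed_registrations(log_text):
    """Count failed REGISTER attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def successful_registrations(log_text):
    """Return [(extension, ip)] for every 'Registered SIP' line."""
    hits = (REGISTERED_RE.search(line) for line in log_text.splitlines())
    return [(m.group("ext"), m.group("ip")) for m in hits if m]


def weak_secrets(sip_conf):
    """Extensions whose secret is missing or equals the extension number."""
    sections, current = {}, None
    for raw in sip_conf.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, val = line.partition("=")
            sections[current][key.strip()] = val.strip()
    return [ext for ext, opts in sections.items()
            if opts.get("type") in ("friend", "peer", "user")
            and opts.get("secret", "") in ("", ext)]


def drop_rules(ips, prefix=24):
    """iptables commands dropping the /prefix network each attacking IP sits in."""
    nets = sorted({str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)) for ip in ips})
    return [f"iptables -I INPUT -s {net} -j DROP" for net in nets]


def triage(peers=SIP_SHOW_PEERS, log=FULL_LOG, conf=SIP_CONF, lan=LAN):
    """Run every check and return one summary dict."""
    failed = failed_registrations(log)
    outside = [ip for ip in failed if ipaddress.ip_address(ip) not in lan]
    outside += [ip for _, ip in successful_registrations(log) if ipaddress.ip_address(ip) not in lan]
    return {"foreign_peers": foreign_peers(peers, lan), "failed_per_ip": dict(failed),
            "weak_secrets": weak_secrets(conf), "drop_rules": drop_rules(outside)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On a real box, feed `asterisk -rx "sip show peers"`, the earliest large `/var/log/asterisk/full*` file and `/etc/asterisk/sip_additional.conf` into these functions instead of the constructed samples; the DROP rules are printed rather than applied so they can be reviewed (and moved to the OpenWrt firewall) before anything is blocked.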
     
