I'm fairly new to FreePBX/Asterisk/Trixbox, but have Googled myself into submission here, so any assistance is appreciated.

We had a user with a weak SIP secret recently that allowed it to be used by an outside user. The extension was 3799. I could see the intruder's calls (including the destination phone numbers) in the trixbox call report log. Because the extension was no longer used, I went ahead and deleted it, thinking that would solve the problem. I also discovered at approximately the same time that the Asterisk Call Manager port was open to the outside world, which has since been closed. The web interface, ssh, etc. have never been exposed to the outside world. Since taking these actions, I restarted the asterisk server.

Now, here's the issue. I don't think deleting the extension helped. Now I see entries like this in the reports log:

    Calldate  Channel  Source  Clid  Dst  Disposition  Duration
    1. 2010-06-07 16:47:38  SIP/206.20...  3799  "asterisk" <3799>  s  ANSWERED  00:14

The "Dst" field being "s", where it used to be the phone number being dialed. How is this extension able to be used even after it has been deleted?

Strangely, what I've done to keep the user out in the meantime is re-created the 3799 extension with a better secret. This results in log entries like the following:

    [Jun 7 17:04:16] NOTICE[7422] chan_sip.c: Failed to authenticate user "asterisk" <sip:[email protected]>;tag=as23bacb61

Why can sip:3799 connect and make calls when the extension doesn't exist? Is this person somehow using a "user" account? I've checked both /etc/asterisk and the MySQL tables and am not coming up with much. What does it mean that their destination is "s", not a phone number?

Thanks for any assistance!

J
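
Added example, not part of the original post: a small triage script for the two log patterns described above, which lists call-report rows whose Dst is "s" instead of a dialed number and counts chan_sip authentication failures per SIP user. The line layouts follow the entries quoted in the post; the sample rows, the 192.0.2.0/24 addresses, the function names and the assumption that the call report is exported as whitespace-separated text are constructed for illustration.

```python
import re
from collections import Counter

# Row layout as pasted in the post:
# Calldate Channel Source Clid Dst Disposition Duration
CDR_ROW = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<channel>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<clid>"[^"]*"\s*<[^>]*>)\s+(?P<dst>\S+)\s+'
    r'(?P<disposition>ANSWERED|NO ANSWER|BUSY|FAILED)\s+'
    r'(?P<duration>\d{2}:\d{2}(?::\d{2})?)$'
)
# chan_sip notice as quoted in the post; captures user and host of the From URI.
AUTH_FAIL = re.compile(
    r'NOTICE\[\d+\] chan_sip\.c: Failed to authenticate user '
    r'"[^"]*" <sip:(?P<user>[^@>]+)@(?P<host>[^>;]+)>'
)

def calls_without_dialed_number(cdr_lines):
    """Return parsed report rows whose Dst is the literal "s"."""
    hits = []
    for line in cdr_lines:
        m = CDR_ROW.match(line.strip())
        if m and m.group("dst") == "s":
            hits.append(m.groupdict())
    return hits

def auth_failures_by_user(log_lines):
    """Count chan_sip authentication failures per (SIP user, From host)."""
    counts = Counter()
    for line in log_lines:
        m = AUTH_FAIL.search(line)
        if m:
            counts[(m.group("user"), m.group("host"))] += 1
    return counts

# Constructed sample data (not taken from the poster's system).
SAMPLE_CDR = [
    '2010-06-07 16:47:38 SIP/192.0.2.10-09a1 3799 "asterisk" <3799> s ANSWERED 00:14',
    '2010-06-07 16:50:02 SIP/3801-09a2 3801 "Front Desk" <3801> 15555550100 ANSWERED 02:31',
    '2010-06-07 16:52:10 SIP/192.0.2.10-09a3 3799 "asterisk" <3799> s NO ANSWER 00:00',
]
SAMPLE_LOG = [
    '[Jun  7 17:04:16] NOTICE[7422] chan_sip.c: Failed to authenticate user "asterisk" <sip:3799@192.0.2.10>;tag=as00000001',
    '[Jun  7 17:04:19] NOTICE[7422] chan_sip.c: Failed to authenticate user "asterisk" <sip:3799@192.0.2.10>;tag=as00000002',
    '[Jun  7 17:05:40] NOTICE[7422] chan_sip.c: Failed to authenticate user "x" <sip:3801@192.0.2.77>;tag=as00000003',
    '[Jun  7 17:06:01] VERBOSE[7422] logger.c: unrelated line',
]

if __name__ == "__main__":
    for row in calls_without_dialed_number(SAMPLE_CDR):
        print("Dst=s:", row["date"], row["channel"], row["src"], row["disposition"])
    for (user, host), n in auth_failures_by_user(SAMPLE_LOG).most_common():
        print(f"auth failures: user={user} host={host} count={n}")
```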
