I'm guessing this is a small/home system? I suggest you install SecAst from this site: www.telium.ca

It's free for small office / home office and will deal with these types of attacks and more. It can also block users based on their geographic location (based on the phone number it attempted to dial I suspect this is Middle East), look for suspicious dialing patterns, etc.

If you still have allow guest enabled, then you should also follow the 'securing asterisk' steps from this site: http://www.voip-info.org/wiki/view/Asterisk+security

You're definitely under attack (based on the 0123456 ID), so be sure to take preventative steps to avoid a $50k phone bill.

________________________________________
From: asterisk-users-boun...@lists.digium.com <asterisk-users-boun...@lists.digium.com> on behalf of Luca Bertoncello <lucab...@lucabert.de>
Sent: Monday, June 8, 2015 3:46 PM
To: Asterisk Users List
Subject: [asterisk-users] Am I cracked?

Hi list!

Very strange...
I ran the Asterisk CLI for other tasks, and suddenly I got this message:

== Using SIP RTP CoS mark 5
-- Executing [000972592603325@default:1] Verbose("SIP/192.168.20.120-0000002a", "2,PROXY Call from 0123456 to 000972592603325") in new stack
== PROXY Call from 0123456 to 000972592603325
-- Executing [000972592603325@default:2] Set("SIP/192.168.20.120-0000002a", "CHANNEL(musicclass)=default") in new stack
-- Executing [000972592603325@default:3] GotoIf("SIP/192.168.20.120-0000002a", "0?dialluca") in new stack
-- Executing [000972592603325@default:4] GotoIf("SIP/192.168.20.120-0000002a", "0?dialfax") in new stack
-- Executing [000972592603325@default:5] GotoIf("SIP/192.168.20.120-0000002a", "0?dialanika") in new stack
-- Executing [000972592603325@default:6] Dial("SIP/192.168.20.120-0000002a", "SIP/pbxluca/000972592603325,,R") in new stack
[Jun 8 21:42:50] WARNING[18981]: app_dial.c:2345 dial_exec_full: Unable to create channel of type 'SIP' (cause 20 - Subscriber absent)
== Everyone is busy/congested at this time (1:0/0/1)
-- Executing [000972592603325@default:7] Hangup("SIP/192.168.20.120-0000002a", "") in new stack
== Spawn extension (default, 000972592603325, 7) exited non-zero on 'SIP/192.168.20.120-0000002a'
[Jun 8 21:43:22] WARNING[16633]: chan_sip.c:3830 retrans_pkt: Retransmission timeout reached on transmission 8dc31ca4e660a0408450715638784d86 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32001ms with no response

At the time no phone was trying to call...
On my firewall I see a SIP packet coming from an IP in Palestine...

Am I cracked?
I think I disabled all "guest" access. How can I check if my Asterisk allows guests to originate calls?

Thanks
Luca Bertoncello
(lucab...@lucabert.de)

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
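
One way to check the "allow guest" point raised in this thread, as an added example that is not part of the original messages: the script reads the [general] section of sip.conf and reports whether unauthenticated callers land in a context that contains a Dial() step. The sample configs are constructed (the pbxluca trunk and default context names are taken from the log above, the host is a placeholder), and it assumes chan_sip's defaults of allowguest=yes and context=default when those keys are absent.

```python
import re

# Constructed sample configs for illustration (not the poster's real files).
SAMPLE_SIP_CONF = """\
[general]
context = default        ; where unauthenticated calls land
;allowguest = no         ; commented out, so the chan_sip default applies

[pbxluca]
type = peer
host = sip.example.invalid
"""

SAMPLE_EXTENSIONS_CONF = """\
[default]
exten => _X.,1,Verbose(2,PROXY Call from ${CALLERID(num)} to ${EXTEN})
exten => _X.,n,Dial(SIP/pbxluca/${EXTEN},,R)
exten => _X.,n,Hangup()
"""

TRUE_VALUES = {"yes", "true", "y", "t", "1", "on"}  # values Asterisk reads as true

def parse_asterisk_conf(text):
    """Return {section: [(key, value), ...]} for an Asterisk-style .conf file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)          # handles both '=' and '=>'
            current.append((key.strip().lower(), value.lstrip(">").strip()))
    return sections

def audit_guest_calls(sip_conf, extensions_conf):
    """Report whether unauthenticated SIP callers can reach a Dial() step."""
    general = dict(parse_asterisk_conf(sip_conf).get("general", []))
    # Assumption stated in the lead-in: a missing allowguest means "yes".
    allowguest = general.get("allowguest", "yes").lower() in TRUE_VALUES
    context = general.get("context", "default")
    dialplan = parse_asterisk_conf(extensions_conf).get(context, [])
    dial_lines = [v for k, v in dialplan
                  if k in ("exten", "same") and re.search(r"\bDial\(", v, re.I)]
    return {"allowguest": allowguest, "guest_context": context,
            "dial_lines": dial_lines, "exposed": allowguest and bool(dial_lines)}

if __name__ == "__main__":
    print(audit_guest_calls(SAMPLE_SIP_CONF, SAMPLE_EXTENSIONS_CONF))
```

Point the two arguments at the contents of the real sip.conf and extensions.conf; files pulled in with #include are not followed by this sketch.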