Re: [on-asterisk] Asterisk Log File - Suspect Entries

Henry Coleman Wed, 07 Mar 2012 07:49:38 -0800

On Wed, Mar 7, 2012 at 12:01 AM, Chuck Mariotti <[email protected]>wrote:


> I have been trying to solve a problem with a trunk throughout the day. In
> an attempt to resolve this I enabled/disabled a lot of stuff on the
> Asterisk box. I finally fixed the problem and went online tonight to set
> things back to normal... I noticed a handful of call attempts (when the
> office should  be empty) and looked into the logs. I found the following
> log entries of interest (see below, had to chop the log file due to mail
> list 30000 byte limit).
>
> Can someone explain to me what is going on exactly (To me it looks like
> they are testing the fences but maybe I'm missing something?) What is best
> to use to stop? I was assuming it's related to the "Allow SIP Guests =3D
> YES" option, but I'm second guessing myself.  Is there a way to find out
> where the attempt is being made from exactly (IP Addresses?)
>
> [1:22:43] VERBOSE[3266] netsock2.c: == Using SIP RTP TOS bits 184
> [1:22:43] VERBOSE[3266] netsock2.c: == Using SIP RTP CoS mark 5
> [1:22:43] VERBOSE[30832] pbx.c: -- Executing
> [972599560281@from-sip-external:1] NoOp("SIP/172.172.172.100-00001ad4",
> "Received incoming SIP connection from unknown peer to 972599560281") in
> new stack
> [1:22:43] VERBOSE[30832] pbx.c: -- Executing
> [972599560281@from-sip-external:2] Set("SIP/172.172.172.100-00001ad4",
> "DID=972599560281") in new stack
> [1:22:43] VERBOSE[30832] pbx.c: -- Executing
> [972599560281@from-sip-external:3] Goto("SIP/172.172.172.100-00001ad4",
> "s,1") in new stack
> [1:22:43] VERBOSE[30832] pbx.c: -- Goto (from-sip-external,s,1)
> [1:22:43] VERBOSE[30832] pbx.c: -- Executing [s@from-sip-external:1]
> GotoIf("SIP/172.172.172.100-00001ad4", "0?checklang:noanonymous") in new
> stack
> [1:22:43] VERBOSE[30832] pbx.c: -- Goto (from-sip-external,s,5)
> [1:22:43] VERBOSE[30832] pbx.c: -- Executing [s@from-sip-external:5]
> Set("SIP/172.172.172.100-00001ad4", "TIMEOUT(absolute)=15") in new stack
> [1:22:43] VERBOSE[30832] func_timeout.c: Channel will hangup at 2012-03-06
> 21:22:58.141 EST.
> [1:22:43] VERBOSE[30832] pbx.c: -- Executing [s@from-sip-external:6]
> Answer("SIP/172.172.172.100-00001ad4", "") in new stack
> [1:22:43] VERBOSE[30832] pbx.c: -- Executing [s@from-sip-external:7]
> Wait("SIP/172.172.172.100-00001ad4", "2") in new stack
> [1:22:45] VERBOSE[30832] pbx.c: -- Executing [s@from-sip-external:8]
> Playback("SIP/172.172.172.100-00001ad4", "ss-noservice") in new stack
> [1:22:45] VERBOSE[30832] file.c: -- <SIP/172.172.172.100-00001ad4> Playing
> 'ss-noservice.gsm' (language 'en')
> [1:22:50] VERBOSE[30832] pbx.c: == Spawn extension (from-sip-external, s,
> 8) exited non-zero on 'SIP/172.172.172.100-00001ad4'
> [1:22:50] VERBOSE[30832] pbx.c: -- Executing [h@from-sip-external:1]
> Hangup("SIP/172.172.172.100-00001ad4", "") in new stack
> [1:22:50] VERBOSE[30832] pbx.c: == Spawn extension (from-sip-external, h,
> 1) exited non-zero on 'SIP/172.172.172.100-00001ad4'
> [1:23:11] VERBOSE[3266] netsock2.c: == Using SIP RTP TOS bits 184
> [1:23:11] VERBOSE[3266] netsock2.c: == Using SIP RTP CoS mark 5
> [1:23:11] VERBOSE[30833] pbx.c: -- Executing 
> [011972599560281@from-sip-external:1]
> NoOp("SIP/172.172.172.100-00001ad5", "Received incoming SIP connection from
> unknown peer to 011972599560281") in new stack
> [1:23:11] VERBOSE[30833] pbx.c: -- Executing 
> [011972599560281@from-sip-external:2]
> Set("SIP/172.172.172.100-00001ad5", "DID=011972599560281") in new stack
> [1:23:11] VERBOSE[30833] pbx.c: -- Executing 
> [011972599560281@from-sip-external:3]
> Goto("SIP/172.172.172.100-00001ad5", "s,1") in new stack
> [1:23:11] VERBOSE[30833] pbx.c: -- Goto (from-sip-external,s,1)
> [1:23:11] VERBOSE[30833] pbx.c: -- Executing [s@from-sip-external:1]
> GotoIf("SIP/172.172.172.100-00001ad5", "0?checklang:noanonymous") in new
> stack
> [1:23:11] VERBOSE[30833] pbx.c: -- Goto (from-sip-external,s,5)
> [1:23:11] VERBOSE[30833] pbx.c: -- Executing [s@from-sip-external:5]
> Set("SIP/172.172.172.100-00001ad5", "TIMEOUT(absolute)=15") in new stack
> [1:23:11] VERBOSE[30833] func_timeout.c: Channel will hangup at 2012-03-06
> 21:23:26.501 EST.
> [1:23:11] VERBOSE[30833] pbx.c: -- Executing [s@from-sip-external:6]
> Answer("SIP/172.172.172.100-00001ad5", "") in new stack
> [1:23:12] VERBOSE[30833] pbx.c: -- Executing [s@from-sip-external:7]
> Wait("SIP/172.172.172.100-00001ad5", "2") in new stack
> [1:23:12] VERBOSE[30833] pbx.c: == Spawn extension (from-sip-external, s,
> 7) exited non-zero on 'SIP/172.172.172.100-00001ad5'
> [1:23:12] VERBOSE[30833] pbx.c: -- Executing [h@from-sip-external:1]
> Hangup("SIP/172.172.172.100-00001ad5", "") in new stack
> [1:23:12] VERBOSE[30833] pbx.c: == Spawn extension (from-sip-external, h,
> 1) exited non-zero on 'SIP/172.172.172.100-00001ad5'
> [1:23:21] VERBOSE[3266] netsock2.c: == Using SIP RTP TOS bits 184
> [1:23:21] VERBOSE[3266] netsock2.c: == Using SIP RTP CoS mark 5
> [1:23:21] VERBOSE[30834] pbx.c: -- Executing
> [9011972599560281@from-sip-external:1]
> NoOp("SIP/172.172.172.100-00001ad6", "Received incoming SIP connection from
> unknown peer to 9011972599560281") in new stack
> [1:23:21] VERBOSE[30834] pbx.c: -- Executing
> [9011972599560281@from-sip-external:2]
> Set("SIP/172.172.172.100-00001ad6", "DID=9011972599560281") in new stack
> [1:23:21] VERBOSE[30834] pbx.c: -- Executing
> [9011972599560281@from-sip-external:3]
> Goto("SIP/172.172.172.100-00001ad6", "s,1") in new stack
> [1:23:21] VERBOSE[30834] pbx.c: -- Goto (from-sip-external,s,1)
> [1:23:21] VERBOSE[30834] pbx.c: -- Executing [s@from-sip-external:1]
> GotoIf("SIP/172.172.172.100-00001ad6", "0?checklang:noanonymous") in new
> stack
> [1:23:21] VERBOSE[30834] pbx.c: -- Goto (from-sip-external,s,5)
> [1:23:21] VERBOSE[30834] pbx.c: -- Executing [s@from-sip-external:5]
> Set("SIP/172.172.172.100-00001ad6", "TIMEOUT(absolute)=15") in new stack
> [1:23:21] VERBOSE[30834] func_timeout.c: Channel will hangup at 2012-03-06
> 21:23:36.811 EST.
> [1:23:21] VERBOSE[30834] pbx.c: -- Executing [s@from-sip-external:6]
> Answer("SIP/172.172.172.100-00001ad6", "") in new stack
> [1:23:22] VERBOSE[30834] pbx.c: -- Executing [s@from-sip-external:7]
> Wait("SIP/172.172.172.100-00001ad6", "2") in new stack
> [1:23:24] VERBOSE[30834] pbx.c: -- Executing [s@from-sip-external:8]
> Playback("SIP/172.172.172.100-00001ad6", "ss-noservice") in new stack
> [1:23:24] VERBOSE[30834] file.c: -- <SIP/172.172.172.100-00001ad6> Playing
> 'ss-noservice.gsm' (language 'en')
> [1:23:27] VERBOSE[30834] pbx.c: == Spawn extension (from-sip-external, s,
> 8) exited non-zero on 'SIP/172.172.172.100-00001ad6'
> [1:23:27] VERBOSE[30834] pbx.c: -- Executing [h@from-sip-external:1]
> Hangup("SIP/172.172.172.100-00001ad6", "") in new stack
> [1:23:27] VERBOSE[30834] pbx.c: == Spawn extension (from-sip-external, h,
> 1) exited non-zero on 'SIP/172.172.172.100-00001ad6'
> [1:23:52] VERBOSE[3266] netsock2.c: == Using SIP RTP TOS bits 184
> [1:23:52] VERBOSE[3266] netsock2.c: == Using SIP RTP CoS mark 5
> [1:23:52] VERBOSE[30838] pbx.c: -- Executing 
> [011972599560281@from-sip-external:1]
> NoOp("SIP/172.172.172.100-00001ad7", "Received incoming SIP connection from
> unknown peer to 011972599560281") in new stack
> [1:23:52] VERBOSE[30838] pbx.c: -- Executing 
> [011972599560281@from-sip-external:2]
> Set("SIP/172.172.172.100-00001ad7", "DID=011972599560281") in new stack
> [1:23:52] VERBOSE[30838] pbx.c: -- Executing 
> [011972599560281@from-sip-external:3]
> Goto("SIP/172.172.172.100-00001ad7", "s,1") in new stack
> [1:23:52] VERBOSE[30838] pbx.c: -- Goto (from-sip-external,s,1)
> [1:23:52] VERBOSE[30838] pbx.c: -- Executing [s@from-sip-external:1]
> GotoIf("SIP/172.172.172.100-00001ad7", "0?checklang:noanonymous") in new
> stack
> [1:23:52] VERBOSE[30838] pbx.c: -- Goto (from-sip-external,s,5)
> [1:23:52] VERBOSE[30838] pbx.c: -- Executing [s@from-sip-external:5]
> Set("SIP/172.172.172.100-00001ad7", "TIMEOUT(absolute)=15") in new stack
> [1:23:52] VERBOSE[30838] func_timeout.c: Channel will hangup at 2012-03-06
> 21:24:07.150 EST.
> [1:23:52] VERBOSE[30838] pbx.c: -- Executing [s@from-sip-external:6]
> Answer("SIP/172.172.172.100-00001ad7", "") in new stack
> [1:23:52] VERBOSE[30838] pbx.c: -- Executing [s@from-sip-external:7]
> Wait("SIP/172.172.172.100-00001ad7", "2") in new stack
> [1:23:54] VERBOSE[30838] pbx.c: -- Executing [s@from-sip-external:8]
> Playback("SIP/172.172.172.100-00001ad7", "ss-noservice") in new stack
> [1:23:54] VERBOSE[30838] file.c: -- <SIP/172.172.172.100-00001ad7> Playing
> 'ss-noservice.gsm' (language 'en')
> [1:23:59] VERBOSE[30838] pbx.c: -- Executing [s@from-sip-external:9]
> PlayTones("SIP/172.172.172.100-00001ad7", "congestion") in new stack
> [1:23:59] VERBOSE[30838] pbx.c: -- Executing [s@from-sip-external:10]
> Congestion("SIP/172.172.172.100-00001ad7", "5") in new stack
> LOGFILE CHOPPED HERE
>


This is interesting... initially it seems he is trying to call a number in
Plano Texas but then adds 011 to the number which would then try and dial
Israel.
About a year ago I left the gate open for guests (by mistake) and had 9
calls to Vietnam at 7am in the morning before I could stop it
IMHO never leave the box open to guests and use a seriously secure
password/secret on the phones.

In the last attempt he is trying to spoof sip extension 172 with a password
of 172 and display name 172

H

-- 
* Henry L. Coleman *
*VoIP-PBX.ca  Dragnetics.com <http://dragnetics.com>*

Re: [on-asterisk] Asterisk Log File - Suspect Entries

Reply via email to