Just for interest... I opened two other servers last night and within an hour, they all were attacked in the exact same fashion.
-----Original Message-----
From: Henry Coleman [mailto:[email protected]]
Sent: March-07-12 10:50 AM
To: TAUG Technical
Subject: Re: [on-asterisk] Asterisk Log File - Suspect Entries

On Wed, Mar 7, 2012 at 12:01 AM, Chuck Mariotti <[email protected]> wrote:
> I have been trying to solve a problem with a trunk throughout the day.
> In an attempt to resolve this I enabled/disabled a lot of stuff on the
> Asterisk box. I finally fixed the problem and went online tonight to
> set things back to normal... I noticed a handful of call attempts
> (when the office should be empty) and looked into the logs. I found
> the following log entries of interest (see below, had to chop the log
> file due to mail list 30000 byte limit).
>
> Can someone explain to me what is going on exactly (To me it looks
> like they are testing the fences but maybe I'm missing something?)
> What is best to use to stop? I was assuming it's related to the "Allow
> SIP Guests = YES" option, but I'm second guessing myself. Is there
> a way to find out where the attempt is being made from exactly (IP
> Addresses?)
>
> [1:22:43] VERBOSE[3266] netsock2.c: == Using SIP RTP TOS bits 184
> [1:22:43] VERBOSE[3266] netsock2.c: == Using SIP RTP CoS mark 5
> [1:22:43] VERBOSE[30832] pbx.c: -- Executing [972599560281@from-sip-external:1] NoOp("SIP/172.172.172.100-00001ad4", "Received incoming SIP connection from unknown peer to 972599560281") in new stack
> [1:22:43] VERBOSE[30832] pbx.c: -- Executing [972599560281@from-sip-external:2] Set("SIP/172.172.172.100-00001ad4", "DID=972599560281") in new stack
> [1:22:43] VERBOSE[30832] pbx.c: -- Executing [972599560281@from-sip-external:3] Goto("SIP/172.172.172.100-00001ad4", "s,1") in new stack
> [1:22:43] VERBOSE[30832] pbx.c: -- Goto (from-sip-external,s,1)
> [1:22:43] VERBOSE[30832] pbx.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/172.172.172.100-00001ad4", "0?checklang:noanonymous") in new stack
> [1:22:43] VERBOSE[30832] pbx.c: -- Goto (from-sip-external,s,5)
> [1:22:43] VERBOSE[30832] pbx.c: -- Executing [s@from-sip-external:5] Set("SIP/172.172.172.100-00001ad4", "TIMEOUT(absolute)=15") in new stack
> [1:22:43] VERBOSE[30832] func_timeout.c: Channel will hangup at 2012-03-06 21:22:58.141 EST.
> [1:22:43] VERBOSE[30832] pbx.c: -- Executing [s@from-sip-external:6] Answer("SIP/172.172.172.100-00001ad4", "") in new stack
> [1:22:43] VERBOSE[30832] pbx.c: -- Executing [s@from-sip-external:7] Wait("SIP/172.172.172.100-00001ad4", "2") in new stack
> [1:22:45] VERBOSE[30832] pbx.c: -- Executing [s@from-sip-external:8] Playback("SIP/172.172.172.100-00001ad4", "ss-noservice") in new stack
> [1:22:45] VERBOSE[30832] file.c: -- <SIP/172.172.172.100-00001ad4> Playing 'ss-noservice.gsm' (language 'en')
> [1:22:50] VERBOSE[30832] pbx.c: == Spawn extension (from-sip-external, s, 8) exited non-zero on 'SIP/172.172.172.100-00001ad4'
> [1:22:50] VERBOSE[30832] pbx.c: -- Executing [h@from-sip-external:1] Hangup("SIP/172.172.172.100-00001ad4", "") in new stack
> [1:22:50] VERBOSE[30832] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/172.172.172.100-00001ad4'
> [1:23:11] VERBOSE[3266] netsock2.c: == Using SIP RTP TOS bits 184
> [1:23:11] VERBOSE[3266] netsock2.c: == Using SIP RTP CoS mark 5
> [1:23:11] VERBOSE[30833] pbx.c: -- Executing [011972599560281@from-sip-external:1] NoOp("SIP/172.172.172.100-00001ad5", "Received incoming SIP connection from unknown peer to 011972599560281") in new stack
> [1:23:11] VERBOSE[30833] pbx.c: -- Executing [011972599560281@from-sip-external:2] Set("SIP/172.172.172.100-00001ad5", "DID=011972599560281") in new stack
> [1:23:11] VERBOSE[30833] pbx.c: -- Executing [011972599560281@from-sip-external:3] Goto("SIP/172.172.172.100-00001ad5", "s,1") in new stack
> [1:23:11] VERBOSE[30833] pbx.c: -- Goto (from-sip-external,s,1)
> [1:23:11] VERBOSE[30833] pbx.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/172.172.172.100-00001ad5", "0?checklang:noanonymous") in new stack
> [1:23:11] VERBOSE[30833] pbx.c: -- Goto (from-sip-external,s,5)
> [1:23:11] VERBOSE[30833] pbx.c: -- Executing [s@from-sip-external:5] Set("SIP/172.172.172.100-00001ad5", "TIMEOUT(absolute)=15") in new stack
> [1:23:11] VERBOSE[30833] func_timeout.c: Channel will hangup at 2012-03-06 21:23:26.501 EST.
> [1:23:11] VERBOSE[30833] pbx.c: -- Executing [s@from-sip-external:6] Answer("SIP/172.172.172.100-00001ad5", "") in new stack
> [1:23:12] VERBOSE[30833] pbx.c: -- Executing [s@from-sip-external:7] Wait("SIP/172.172.172.100-00001ad5", "2") in new stack
> [1:23:12] VERBOSE[30833] pbx.c: == Spawn extension (from-sip-external, s, 7) exited non-zero on 'SIP/172.172.172.100-00001ad5'
> [1:23:12] VERBOSE[30833] pbx.c: -- Executing [h@from-sip-external:1] Hangup("SIP/172.172.172.100-00001ad5", "") in new stack
> [1:23:12] VERBOSE[30833] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/172.172.172.100-00001ad5'
> [1:23:21] VERBOSE[3266] netsock2.c: == Using SIP RTP TOS bits 184
> [1:23:21] VERBOSE[3266] netsock2.c: == Using SIP RTP CoS mark 5
> [1:23:21] VERBOSE[30834] pbx.c: -- Executing [9011972599560281@from-sip-external:1] NoOp("SIP/172.172.172.100-00001ad6", "Received incoming SIP connection from unknown peer to 9011972599560281") in new stack
> [1:23:21] VERBOSE[30834] pbx.c: -- Executing [9011972599560281@from-sip-external:2] Set("SIP/172.172.172.100-00001ad6", "DID=9011972599560281") in new stack
> [1:23:21] VERBOSE[30834] pbx.c: -- Executing [9011972599560281@from-sip-external:3] Goto("SIP/172.172.172.100-00001ad6", "s,1") in new stack
> [1:23:21] VERBOSE[30834] pbx.c: -- Goto (from-sip-external,s,1)
> [1:23:21] VERBOSE[30834] pbx.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/172.172.172.100-00001ad6", "0?checklang:noanonymous") in new stack
> [1:23:21] VERBOSE[30834] pbx.c: -- Goto (from-sip-external,s,5)
> [1:23:21] VERBOSE[30834] pbx.c: -- Executing [s@from-sip-external:5] Set("SIP/172.172.172.100-00001ad6", "TIMEOUT(absolute)=15") in new stack
> [1:23:21] VERBOSE[30834] func_timeout.c: Channel will hangup at 2012-03-06 21:23:36.811 EST.
> [1:23:21] VERBOSE[30834] pbx.c: -- Executing [s@from-sip-external:6] Answer("SIP/172.172.172.100-00001ad6", "") in new stack
> [1:23:22] VERBOSE[30834] pbx.c: -- Executing [s@from-sip-external:7] Wait("SIP/172.172.172.100-00001ad6", "2") in new stack
> [1:23:24] VERBOSE[30834] pbx.c: -- Executing [s@from-sip-external:8] Playback("SIP/172.172.172.100-00001ad6", "ss-noservice") in new stack
> [1:23:24] VERBOSE[30834] file.c: -- <SIP/172.172.172.100-00001ad6> Playing 'ss-noservice.gsm' (language 'en')
> [1:23:27] VERBOSE[30834] pbx.c: == Spawn extension (from-sip-external, s, 8) exited non-zero on 'SIP/172.172.172.100-00001ad6'
> [1:23:27] VERBOSE[30834] pbx.c: -- Executing [h@from-sip-external:1] Hangup("SIP/172.172.172.100-00001ad6", "") in new stack
> [1:23:27] VERBOSE[30834] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/172.172.172.100-00001ad6'
> [1:23:52] VERBOSE[3266] netsock2.c: == Using SIP RTP TOS bits 184
> [1:23:52] VERBOSE[3266] netsock2.c: == Using SIP RTP CoS mark 5
> [1:23:52] VERBOSE[30838] pbx.c: -- Executing [011972599560281@from-sip-external:1] NoOp("SIP/172.172.172.100-00001ad7", "Received incoming SIP connection from unknown peer to 011972599560281") in new stack
> [1:23:52] VERBOSE[30838] pbx.c: -- Executing [011972599560281@from-sip-external:2] Set("SIP/172.172.172.100-00001ad7", "DID=011972599560281") in new stack
> [1:23:52] VERBOSE[30838] pbx.c: -- Executing [011972599560281@from-sip-external:3] Goto("SIP/172.172.172.100-00001ad7", "s,1") in new stack
> [1:23:52] VERBOSE[30838] pbx.c: -- Goto (from-sip-external,s,1)
> [1:23:52] VERBOSE[30838] pbx.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/172.172.172.100-00001ad7", "0?checklang:noanonymous") in new stack
> [1:23:52] VERBOSE[30838] pbx.c: -- Goto (from-sip-external,s,5)
> [1:23:52] VERBOSE[30838] pbx.c: -- Executing [s@from-sip-external:5] Set("SIP/172.172.172.100-00001ad7", "TIMEOUT(absolute)=15") in new stack
> [1:23:52] VERBOSE[30838] func_timeout.c: Channel will hangup at 2012-03-06 21:24:07.150 EST.
> [1:23:52] VERBOSE[30838] pbx.c: -- Executing [s@from-sip-external:6] Answer("SIP/172.172.172.100-00001ad7", "") in new stack
> [1:23:52] VERBOSE[30838] pbx.c: -- Executing [s@from-sip-external:7] Wait("SIP/172.172.172.100-00001ad7", "2") in new stack
> [1:23:54] VERBOSE[30838] pbx.c: -- Executing [s@from-sip-external:8] Playback("SIP/172.172.172.100-00001ad7", "ss-noservice") in new stack
> [1:23:54] VERBOSE[30838] file.c: -- <SIP/172.172.172.100-00001ad7> Playing 'ss-noservice.gsm' (language 'en')
> [1:23:59] VERBOSE[30838] pbx.c: -- Executing [s@from-sip-external:9] PlayTones("SIP/172.172.172.100-00001ad7", "congestion") in new stack
> [1:23:59] VERBOSE[30838] pbx.c: -- Executing [s@from-sip-external:10] Congestion("SIP/172.172.172.100-00001ad7", "5") in new stack
> LOGFILE CHOPPED HERE
>

This is interesting... initially it seems he is trying to call a number in Plano Texas but then adds 011 to the number which would then try and dial Israel.

About a year ago I left the gate open for guests (by mistake) and had 9 calls to Vietnam at 7am in the morning before I could stop it.

IMHO never leave the box open to guests and use a seriously secure password/secret on the phones.

In the last attempt he is trying to spoof sip extension 172 with a password of 172 and display name 172

H

--
* Henry L. Coleman *
*VoIP-PBX.ca Dragnetics.com <http://dragnetics.com>*

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
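
An added example, not part of the original thread: a Python pass over VERBOSE entries in the format quoted above that extracts each unknown-peer call attempt and groups dialed numbers that differ only by a leading prefix, which is the pattern the reply points out. The function names and the 7-digit minimum are assumptions of this example, and the host string in the channel name is reported as a label only, not as a verified source address.

```python
import re
from collections import defaultdict

# Entries copied from the log quoted above (rejoined one per line); the first
# is an unrelated entry that the parser must skip.
SAMPLE_LOG = '''\
[1:22:43] VERBOSE[3266] netsock2.c: == Using SIP RTP TOS bits 184
[1:22:43] VERBOSE[30832] pbx.c: -- Executing [972599560281@from-sip-external:1] NoOp("SIP/172.172.172.100-00001ad4", "Received incoming SIP connection from unknown peer to 972599560281") in new stack
[1:23:11] VERBOSE[30833] pbx.c: -- Executing [011972599560281@from-sip-external:1] NoOp("SIP/172.172.172.100-00001ad5", "Received incoming SIP connection from unknown peer to 011972599560281") in new stack
[1:23:21] VERBOSE[30834] pbx.c: -- Executing [9011972599560281@from-sip-external:1] NoOp("SIP/172.172.172.100-00001ad6", "Received incoming SIP connection from unknown peer to 9011972599560281") in new stack
[1:23:52] VERBOSE[30838] pbx.c: -- Executing [011972599560281@from-sip-external:1] NoOp("SIP/172.172.172.100-00001ad7", "Received incoming SIP connection from unknown peer to 011972599560281") in new stack
'''

# Priority-1 NoOp of an unauthenticated call; (?P=exten) requires the dialed
# number in the message to match the extension being executed.
ATTEMPT = re.compile(
    r'^\[(?P<ts>[\d:]+)\] VERBOSE\[\d+\] pbx\.c: -- Executing '
    r'\[(?P<exten>\d+)@(?P<context>[\w-]+):1\] '
    r'NoOp\("SIP/(?P<label>[^"]+)-(?P<chan>[0-9a-f]+)", '
    r'"Received incoming SIP connection from unknown peer to (?P=exten)"\)'
)
MIN_BASE = 7  # assumption: shorter numbers are too ambiguous to use as a base


def parse_attempts(text):
    """Return one dict per unknown-peer call attempt found in the log text."""
    return [m.groupdict() for m in map(ATTEMPT.match, text.splitlines()) if m]


def prefix_probing(attempts):
    """Map each base number to the prefixes it was tried with (only if >1)."""
    bases, variants = [], defaultdict(set)
    for number in sorted({a["exten"] for a in attempts}, key=len):
        base = next((b for b in bases
                     if len(b) >= MIN_BASE and number.endswith(b)), number)
        if base is number:          # no shorter number is a suffix: new base
            bases.append(number)
        variants[base].add(number[:len(number) - len(base)])
    return {b: sorted(p) for b, p in variants.items() if len(p) > 1}


if __name__ == "__main__":
    found = parse_attempts(SAMPLE_LOG)
    # The label is whatever host string Asterisk put in the channel name; it
    # is reported as-is and not assumed to be the real source address.
    for a in found:
        print(a["ts"], a["label"], a["chan"], a["exten"])
    print(prefix_probing(found))
```

A base number that shows up with several dialing prefixes within a minute or two, as here, is a useful alert condition for any context that accepts unauthenticated calls.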
