This is an INVITE sent to port 5060 trying to run a script against your sip server. At first glance it could have been a process list, but it is a CDR log. Your description leaves a lot to be desired.
SINCE all of the user accounts require a password and authentication, this would simply be someone trialling the standard accounts on a lot of known SIP servers and using weak passwords (dictionary attack). sipx uses better default password creation so dictionary attacks aren't very fruitful. This has been discussed many times.

The first line of defense is AT THE FIREWALL. Ex: pfSense, Firewall, RULES, 5060, edit, Advanced Options, "Maximum new connections / per second(s)". You can also block specific countries using the country block package.

Unsure where these are coming from? Dig into the logs, or look at the state tables in the firewall.

On Sun, Oct 30, 2011 at 3:40 PM, [email protected] <[email protected]> wrote:
> We noticed the following on two of our sipx servers;
>
> unknown 27735071970269 10/30/11 11:04 AM 00:00:00 Failed
> unknown 00442032987264 10/30/11 11:04 AM 00:00:00 Failed
> unknown 000442032987263 10/30/11 11:04 AM 00:00:00 Failed
> unknown 0000442032987265 10/30/11 11:04 AM 00:00:00 Failed
> unknown 0442032987262 10/30/11 11:04 AM 00:00:00 Failed
> unknown +00442032987263 10/30/11 11:04 AM 00:00:00 Failed
> unknown +000442032987262 10/30/11 11:04 AM 00:00:00 Failed
> unknown 900442032987265 10/30/11 11:04 AM 00:00:00 Failed
> unknown 800442032987263 10/30/11 11:04 AM 00:00:00 Failed
> unknown 9000442032987264 10/30/11 11:04 AM 00:00:00 Failed
> unknown *442032987263 10/30/11 11:04 AM 00:00:00 Failed
> unknown +442032987266 10/30/11 11:04 AM 00:00:00 Failed
> unknown 011442032987265 10/30/11 11:04 AM 00:00:00 Failed
> unknown +011442032987263 10/30/11 11:04 AM 00:00:00 Failed
> unknown +9011442032987263 10/30/11 11:04 AM 00:00:00 Failed
> unknown 00011442032987266 10/30/11 11:04 AM 00:00:00 Failed
> unknown 1011442032987264 10/30/11 11:04 AM 00:00:00 Failed
> unknown 2011442032987262 10/30/11 11:05 AM 00:00:00 Failed
> unknown 5011442032987265 10/30/11 11:05 AM 00:00:00 Failed
> unknown 6011442032987263 10/30/11 11:05 AM 00:00:00 Failed
>
> The first thing I did was to go look to see which user this is coming from but none of these numbers show up in the logs.
> In fact, the logs are not normal either. Notice how all of the gzipped logs are the same size.
>
> It appears someone is able to restart the services or something and it seems to be from remote. I use a non-standard port for ssh and it certainly isn't in any of the firewalls.
> Checked the usual, lastlog, .bash_history, netstat; no one seems to be or have been on the server.
> It happened a few hours ago so Wireshark, which I am running now, isn't showing me anything.
> The system has a PRI gateway and Flowroute as gateways. We don't allow out-of-country calls on these servers, which is why they failed. We checked on Flowroute and it doesn't seem to have any records of these calls being made.
>
> That seems to leave a user account being compromised, but it doesn't answer why I can't find any of those numbers in the logs.
> Kind of stumped on what else to look for, for leads, so thought I better ask.
>
> drwxr-xr-x 8 root root 4096 Oct 30 04:02 .
> drwxr-xr-x 22 root root 4096 Oct 12 16:36 ..
> -rw------- 1 root root 135470 Aug 15 13:23 anaconda.log
> -rw------- 1 root root 25236 Aug 15 13:23 anaconda.syslog
> -rw------- 1 root root 0 Oct 30 04:02 boot.log
> -rw------- 1 root root 0 Oct 29 04:02 boot.log.1
> -rw------- 1 root root 20 Oct 22 04:02 boot.log.10.gz
> -rw------- 1 root root 20 Oct 21 04:02 boot.log.11.gz
> -rw------- 1 root root 20 Oct 20 04:02 boot.log.12.gz
> -rw------- 1 root root 20 Oct 19 04:02 boot.log.13.gz
> -rw------- 1 root root 20 Oct 18 04:02 boot.log.14.gz
> -rw------- 1 root root 20 Oct 30 04:02 boot.log.2.gz
> -rw------- 1 root root 20 Oct 29 04:02 boot.log.3.gz
> -rw------- 1 root root 20 Oct 28 04:02 boot.log.4.gz
> -rw------- 1 root root 20 Oct 27 04:02 boot.log.5.gz
> -rw------- 1 root root 20 Oct 26 04:02 boot.log.6.gz
> -rw------- 1 root root 20 Oct 25 04:02 boot.log.7.gz
> -rw------- 1 root root 20 Oct 24 04:02 boot.log.8.gz
> -rw------- 1 root root 20 Oct 23 04:02 boot.log.9.gz
> -rw-r--r-- 1 root root 3561 Oct 5 21:22 brcm-iscsi.log
> -rw------- 1 root utmp 5376 Sep 22 16:38 btmp
> -rw------- 1 root root 23882 Oct 30 14:30 cron
> -rw------- 1 root root 54566 Oct 30 04:02 cron.1
> -rw------- 1 root root 2761 Oct 22 04:02 cron.10.gz
> -rw------- 1 root root 2737 Oct 21 04:02 cron.11.gz
> -rw------- 1 root root 2774 Oct 20 04:02 cron.12.gz
> -rw------- 1 root root 2706 Oct 19 04:02 cron.13.gz
> -rw------- 1 root root 2731 Oct 18 04:02 cron.14.gz
> -rw------- 1 root root 2678 Oct 30 04:02 cron.2.gz
> -rw------- 1 root root 2705 Oct 29 04:02 cron.3.gz
> -rw------- 1 root root 2751 Oct 28 04:02 cron.4.gz
> -rw------- 1 root root 2720 Oct 27 04:02 cron.5.gz
> -rw------- 1 root root 2689 Oct 26 04:02 cron.6.gz
> -rw------- 1 root root 2753 Oct 25 04:02 cron.7.gz
> -rw------- 1 root root 2687 Oct 24 04:02 cron.8.gz
> -rw------- 1 root root 2690 Oct 23 04:02 cron.9.gz
> -rw-r--r-- 1 root root 18520 Oct 5 21:22 dmesg
> drwxr-x--- 2 exim exim 4096 Oct 30 04:02 exim
> -rw------- 1 root root 16064 Aug 16 12:10 faillog
> drwxr-x--- 2 freeswitch daemon 4096 Mar 27 2011 freeswitch
> drwx------ 2 root root 4096 Aug 31 19:23 httpd
> -rw-r--r-- 1 root root 146584 Oct 30 14:19 lastlog
> -rw------- 1 root root 0 Oct 30 04:02 maillog
> -rw------- 1 root root 0 Oct 29 04:02 maillog.1
> -rw------- 1 root root 20 Oct 22 04:02 maillog.10.gz
> -rw------- 1 root root 20 Oct 21 04:02 maillog.11.gz
> -rw------- 1 root root 20 Oct 20 04:02 maillog.12.gz
> -rw------- 1 root root 20 Oct 19 04:02 maillog.13.gz
> -rw------- 1 root root 20 Oct 18 04:02 maillog.14.gz
> -rw------- 1 root root 20 Oct 30 04:02 maillog.2.gz
> -rw------- 1 root root 20 Oct 29 04:02 maillog.3.gz
> -rw------- 1 root root 20 Oct 28 04:02 maillog.4.gz
> -rw------- 1 root root 20 Oct 27 04:02 maillog.5.gz
> -rw------- 1 root root 20 Oct 26 04:02 maillog.6.gz
> -rw------- 1 root root 20 Oct 25 04:02 maillog.7.gz
> -rw------- 1 root root 20 Oct 24 04:02 maillog.8.gz
> -rw------- 1 root root 20 Oct 23 04:02 maillog.9.gz
> -rw------- 1 root root 43 Oct 30 04:02 messages
> -rw------- 1 root root 43 Oct 29 04:02 messages.1
> -rw------- 1 root root 165 Oct 22 04:02 messages.10.gz
> -rw------- 1 root root 142 Oct 21 04:02 messages.11.gz
> -rw------- 1 root root 63 Oct 20 04:02 messages.12.gz
> -rw------- 1 root root 61 Oct 19 04:02 messages.13.gz
> -rw------- 1 root root 142 Oct 18 04:02 messages.14.gz
> -rw------- 1 root root 142 Oct 30 04:02 messages.2.gz
> -rw------- 1 root root 165 Oct 29 04:02 messages.3.gz
> -rw------- 1 root root 151 Oct 28 04:02 messages.4.gz
> -rw------- 1 root root 143 Oct 27 04:02 messages.5.gz
> -rw------- 1 root root 141 Oct 26 04:02 messages.6.gz
> -rw------- 1 root root 142 Oct 25 04:02 messages.7.gz
> -rw------- 1 root root 150 Oct 24 04:02 messages.8.gz
> -rw------- 1 root root 142 Oct 23 04:02 messages.9.gz
> drwxr-xr-x 2 root root 4096 Aug 15 13:23 pm
> drwxr-xr-x 2 root root 4096 Aug 17 04:02 prelink
> -rw-r--r-- 1 root root 12392 Oct 30 04:02 rpmpkgs
> -rw-r--r-- 1 root root 12392 Oct 29 04:02 rpmpkgs.1
> -rw-r--r-- 1 root root 12392 Oct 22 04:02 rpmpkgs.2
> -rw-r--r-- 1 root root 12392 Oct 15 04:02 rpmpkgs.3
> -rw------- 1 root root 189 Oct 30 14:19 secure
> -rw------- 1 root root 0 Oct 29 04:02 secure.1
> -rw------- 1 root root 152 Oct 22 04:02 secure.10.gz
> -rw------- 1 root root 20 Oct 21 04:02 secure.11.gz
> -rw------- 1 root root 20 Oct 20 04:02 secure.12.gz
> -rw------- 1 root root 20 Oct 19 04:02 secure.13.gz
> -rw------- 1 root root 170 Oct 18 04:02 secure.14.gz
> -rw------- 1 root root 20 Oct 30 04:02 secure.2.gz
> -rw------- 1 root root 20 Oct 29 04:02 secure.3.gz
> -rw------- 1 root root 20 Oct 28 04:02 secure.4.gz
> -rw------- 1 root root 97 Oct 27 04:02 secure.5.gz
> -rw------- 1 root root 97 Oct 26 04:02 secure.6.gz
> -rw------- 1 root root 303 Oct 25 04:02 secure.7.gz
> -rw------- 1 root root 20 Oct 24 04:02 secure.8.gz
> -rw------- 1 root root 20 Oct 23 04:02 secure.9.gz
> drwxr-xr-x 4 sipxchange sipxchange 24576 Oct 30 12:06 sipxpbx
> -rw------- 1 root root 0 Oct 30 04:02 spooler
> -rw------- 1 root root 0 Oct 29 04:02 spooler.1
> -rw------- 1 root root 20 Oct 22 04:02 spooler.10.gz
> -rw------- 1 root root 20 Oct 21 04:02 spooler.11.gz
> -rw------- 1 root root 20 Oct 20 04:02 spooler.12.gz
> -rw------- 1 root root 20 Oct 19 04:02 spooler.13.gz
> -rw------- 1 root root 20 Oct 18 04:02 spooler.14.gz
> -rw------- 1 root root 20 Oct 30 04:02 spooler.2.gz
> -rw------- 1 root root 20 Oct 29 04:02 spooler.3.gz
> -rw------- 1 root root 20 Oct 28 04:02 spooler.4.gz
> -rw------- 1 root root 20 Oct 27 04:02 spooler.5.gz
> -rw------- 1 root root 20 Oct 26 04:02 spooler.6.gz
> -rw------- 1 root root 20 Oct 25 04:02 spooler.7.gz
> -rw------- 1 root root 20 Oct 24 04:02 spooler.8.gz
> -rw------- 1 root root 20 Oct 23 04:02 spooler.9.gz
> -rw------- 1 root root 0 Aug 16 11:20 tallylog
> -rw-rw-r-- 1 root utmp 124800 Oct 30 14:19 wtmp
> -rw------- 1 root root 0 Oct 30 04:02 xferlog
> -rw------- 1 root root 0 Oct 29 04:02 xferlog.1
> -rw------- 1 root root 0 Oct 20 04:02 xferlog.10
> -rw------- 1 root root 0 Oct 19 04:02 xferlog.11
> -rw------- 1 root root 0 Oct 18 04:02 xferlog.12
> -rw------- 1 root root 0 Oct 17 04:02 xferlog.13
> -rw------- 1 root root 0 Oct 16 04:02 xferlog.14
> -rw------- 1 root root 0 Oct 28 04:02 xferlog.2
> -rw------- 1 root root 0 Oct 27 04:02 xferlog.3
> -rw------- 1 root root 0 Oct 26 04:02 xferlog.4
> -rw------- 1 root root 0 Oct 25 04:02 xferlog.5
> -rw------- 1 root root 0 Oct 24 04:02 xferlog.6
> -rw------- 1 root root 0 Oct 23 04:02 xferlog.7
> -rw------- 1 root root 0 Oct 22 04:02 xferlog.8
> -rw------- 1 root root 0 Oct 21 04:02 xferlog.9
> -rw-r--r-- 1 root root 25478 Oct 15 12:31 yum.log
>
> _______________________________________________
> sipx-users mailing list
> [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-users/

--
======================
Tony Graziano, Manager
Telephone: 434.984.8430
sip: [email protected]
Fax: 434.465.6833
Email: [email protected]
LAN/Telephony/Security and Control Systems
Helpdesk: Telephone: 434.984.8426
sip: [email protected]
Helpdesk Contract Customers: http://support.myitdepartment.net
Blog: http://blog.myitdepartment.net
Linked-In Profile: http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
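Added example, not code from the thread or from the sipX project: the "dig into the logs" step of the reply as detection logic over CDR lines in the layout quoted above. It collapses the dial-prefix permutations seen in the report (00, 011, +, 9, *, extra zeros) onto one destination block and flags a burst of failed calls from unauthenticated callers to that block. The sample lines are constructed, and `dest_block` is a heuristic assumed here, not sipX's own number normalization.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in the layout of the quoted CDR report; not the real log.
SAMPLE_CDR = """\
unknown 00442032987264 10/30/11 11:04 AM 00:00:00 Failed
unknown 000442032987263 10/30/11 11:04 AM 00:00:00 Failed
unknown +00442032987263 10/30/11 11:04 AM 00:00:00 Failed
unknown *442032987263 10/30/11 11:04 AM 00:00:00 Failed
unknown 9011442032987263 10/30/11 11:05 AM 00:00:00 Failed
201 5551234 10/30/11 11:06 AM 00:01:42 Completed
unknown 15555550100 10/30/11 11:40 AM 00:00:00 Failed
"""

CDR_RE = re.compile(  # caller, dialed number, date, time, duration, status
    r"^(?P<caller>\S+)\s+(?P<dialed>\S+)\s+(?P<date>\d+/\d+/\d+)\s+"
    r"(?P<time>\d+:\d+ [AP]M)\s+\d\d:\d\d:\d\d\s+(?P<status>\w+)$")

def parse_cdr(text):
    """Parse CDR lines into dicts; lines that do not match are skipped."""
    records = []
    for m in filter(None, map(CDR_RE.match, text.splitlines())):
        ts = datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%y %I:%M %p")
        records.append({"caller": m["caller"], "dialed": m["dialed"],
                        "ts": ts, "status": m["status"]})
    return records

def dest_block(dialed, digits=12):
    """Heuristic key (assumed here): keep only trailing digits so prefix variants
    (00, 011, +, 9, *, zeros) merge, then drop the last digit to group a block."""
    return re.sub(r"\D", "", dialed)[-digits:][:-1]

def find_bursts(records, window=timedelta(minutes=5), threshold=5):
    """{block: peak count} of failed unauthenticated calls to one block within any window."""
    by_block = defaultdict(list)
    for r in records:
        if r["status"] == "Failed" and r["caller"] == "unknown":
            by_block[dest_block(r["dialed"])].append(r["ts"])
    alerts = {}
    for block, times in by_block.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[block] = peak
    return alerts
```

Run `find_bursts(parse_cdr(SAMPLE_CDR))` to see the single UK block flagged while the completed call and the lone failure elsewhere are ignored.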
