got hacked today


Postby john_usc » Thu Aug 07, 2014 2:38 pm

I got hacked earlier today. I had different IPs from China scanning my machine. I used iptables to block those.
This is what I also did:
I used MySQL to set active to N for all phones
I changed passwords for all phones

However, I am still seeing the numbers being dialed when I go to > asterisk -r

I see the output below. How do I stop this crazy dialing? Please help.

-- Executing AGI("SIP/5060-0a04ec60", "agi://127.0.0.1:4577/call_log") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log completed, returning 0
Aug 7 14:35:02 WARNING[23138]: pbx.c:1720 pbx_extension_helper: No application 'Dial' for extension (default, 916059255207, 2)
== Spawn extension (default, 916059255207, 2) exited non-zero on 'SIP/5060-0a04ec60'
-- Executing DeadAGI("SIP/5060-0a04ec60", "agi://127.0.0.1:4577/call_log--HVcauses--PRI-----NODEBUG-----0---------------") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log--HVcauses ... ---------- completed, returning 0
== Parsing '/etc/asterisk/manager.conf': Found
== Manager 'listencron' logged on from 127.0.0.1
== Parsing '/etc/asterisk/manager.conf': Found
== Manager 'updatecron' logged on from 127.0.0.1
-- Executing AGI("SIP/5060-0a054cc0", "agi://127.0.0.1:4577/call_log") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log completed, returning 0
Aug 7 14:35:05 WARNING[23183]: pbx.c:1720 pbx_extension_helper: No application 'Dial' for extension (default, 914194533327, 2)
== Spawn extension (default, 914194533327, 2) exited non-zero on 'SIP/5060-0a054cc0'
-- Executing DeadAGI("SIP/5060-0a054cc0", "agi://127.0.0.1:4577/call_log--HVcauses--PRI-----NODEBUG-----0---------------") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log--HVcauses ... ---------- completed, returning 0
== Parsing '/etc/asterisk/manager.conf': Found
== Manager 'sendcron' logged on from 127.0.0.1
== Manager 'sendcron' logged off from 127.0.0.1
-- Executing AGI("SIP/5060-0a05aa80", "agi://127.0.0.1:4577/call_log") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log completed, returning 0
Aug 7 14:35:06 WARNING[23197]: pbx.c:1720 pbx_extension_helper: No application 'Dial' for extension (default, 915598464077, 2)
== Spawn extension (default, 915598464077, 2) exited non-zero on 'SIP/5060-0a05aa80'
-- Executing DeadAGI("SIP/5060-0a05aa80", "agi://127.0.0.1:4577/call_log--HVcauses--PRI-----NODEBUG-----0---------------") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log--HVcauses ... ---------- completed, returning 0
Aug 7 14:35:08 NOTICE[23107]: chan_sip.c:11518 handle_request: Unknown SIP command 'PUBLISH' from '192.168.1.7'
-- Executing AGI("SIP/5060-0a05ffc0", "agi://127.0.0.1:4577/call_log") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log completed, returning 0
Aug 7 14:35:10 WARNING[23203]: pbx.c:1720 pbx_extension_helper: No application 'Dial' for extension (default, 915077438289, 2)
== Spawn extension (default, 915077438289, 2) exited non-zero on 'SIP/5060-0a05ffc0'
-- Executing DeadAGI("SIP/5060-0a05ffc0", "agi://127.0.0.1:4577/call_log--HVcauses--PRI-----NODEBUG-----0---------------") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log--HVcauses ... ---------- completed, returning 0
-- Executing AGI("SIP/5060-0a065b40", "agi://127.0.0.1:4577/call_log") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log completed, returning 0
Aug 7 14:35:11 WARNING[23211]: pbx.c:1720 pbx_extension_helper: No application 'Dial' for extension (default, 916066629154, 2)
== Spawn extension (default, 916066629154, 2) exited non-zero on 'SIP/5060-0a065b40'
-- Executing DeadAGI("SIP/5060-0a065b40", "agi://127.0.0.1:4577/call_log--HVcauses--PRI-----NODEBUG-----0---------------") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log--HVcauses ... ---------- completed, returning 0
== Manager 'sendcron' logged off from 127.0.0.1
john_usc
 
Posts: 167
Joined: Sat Nov 08, 2008 9:59 pm

Re: got hacked today

Postby geoff3dmg » Fri Aug 08, 2014 7:46 am

It looks like SIP phone 5060 is compromised to me. Do you use IP ACLs? Do you use strong passwords?
Vicibox 5.03 from .iso | VERSION: 2.10-451a BUILD: 140902-0816 | Asterisk 1.8.28.2-vici | Multi-Server | Amfeltec H/W Timing Cards | No Extra Software After Installation | Dell PowerEdge 1850 | Pentium 4 'Prescott' Xenon Quad @ 3.40GHz
geoff3dmg
 
Posts: 403
Joined: Tue Jan 29, 2013 4:35 am
Location: Lancashire, UK
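
Added example (not part of the original posts, and not ViciDial or Asterisk code): a small triage script for console output like that in the first post. It groups failed dialplan executions by originating peer, so a peer pushing many distinct destinations stands out. The SIP/101 lines in the sample and the threshold of 3 distinct destinations are assumptions.

```python
import re
from collections import defaultdict

# SIP/5060 lines are copied from the first post; the SIP/101 pair is constructed.
SAMPLE = """\
Aug 7 14:35:02 WARNING[23138]: pbx.c:1720 pbx_extension_helper: No application 'Dial' for extension (default, 916059255207, 2)
== Spawn extension (default, 916059255207, 2) exited non-zero on 'SIP/5060-0a04ec60'
Aug 7 14:35:05 WARNING[23183]: pbx.c:1720 pbx_extension_helper: No application 'Dial' for extension (default, 914194533327, 2)
== Spawn extension (default, 914194533327, 2) exited non-zero on 'SIP/5060-0a054cc0'
Aug 7 14:35:06 WARNING[23197]: pbx.c:1720 pbx_extension_helper: No application 'Dial' for extension (default, 915598464077, 2)
== Spawn extension (default, 915598464077, 2) exited non-zero on 'SIP/5060-0a05aa80'
Aug 7 14:35:10 WARNING[23203]: pbx.c:1720 pbx_extension_helper: No application 'Dial' for extension (default, 915077438289, 2)
== Spawn extension (default, 915077438289, 2) exited non-zero on 'SIP/5060-0a05ffc0'
Aug 7 14:36:00 WARNING[23300]: pbx.c:1720 pbx_extension_helper: No application 'Dial' for extension (default, 8600, 2)
== Spawn extension (default, 8600, 2) exited non-zero on 'SIP/101-0a070000'
"""

WARN = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) WARNING.*for extension \(([^,]+), ([^,]+), \d+\)")
SPAWN = re.compile(r"Spawn extension \(([^,]+), ([^,]+), \d+\) exited non-zero on '([^']+)'")

def summarize(log_text):
    """Group failed dialplan executions by the peer that originated them."""
    pending = {}  # (context, exten) -> timestamp taken from the preceding WARNING line
    peers = defaultdict(lambda: {"attempts": 0, "destinations": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        if m := WARN.match(line.strip()):
            pending[(m[2], m[3])] = m[1]
        elif m := SPAWN.search(line):
            context, exten, channel = m.groups()
            entry = peers[channel.rsplit("-", 1)[0]]  # "SIP/5060-0a04ec60" -> "SIP/5060"
            entry["attempts"] += 1
            entry["destinations"].add(exten)
            ts = pending.pop((context, exten), None)
            if ts:
                entry["first"] = entry["first"] or ts
                entry["last"] = ts
    return dict(peers)

def suspects(summary, min_distinct=3):
    """Peers that tried at least min_distinct different destinations."""
    return sorted(p for p, e in summary.items() if len(e["destinations"]) >= min_distinct)

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for peer in suspects(report):
        e = report[peer]
        print(peer, e["attempts"], "attempts,", e["first"], "to", e["last"], sorted(e["destinations"]))
```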

