Hi

Running 1.2.26 BRI stuffed. Calls made via PSTN via ISDN interface (Junghanns).

SIP ports mapped through firewall as we often connect from outside, but all SIP accounts have good passwords.

However our telecoms provider picked up a few suspicious calls to places we do not normally call at times we do not often call.

Looking at Asterisk logs it shows SIP session from the internet connected in and making calls with account IDs we do not recognise - definitely none of ours.

Very few calls have been made this way, trivial cost, but it is slightly worrying.

Anyone any ideas on how this could be happening?

Thanks

Paul

On Thu, Jun 11, 2009 at 3:30 PM, Paul Redstone <paul.redstone at solica.com> wrote:
> Hi
>
> Running 1.2.26 BRI stuffed. Calls made via PSTN via ISDN interface (Junghanns).
>
> SIP ports mapped through firewall as we often connect from outside, but all SIP accounts have good passwords.
>
> However our telecoms provider picked up a few suspicious calls to places we do not normally call at times we do not often call.
>
> Looking at Asterisk logs it shows SIP session from the internet connected in and making calls with account IDs we do not recognise - definitely none of ours.
>
> Very few calls have been made this way, trivial cost, but it is slightly worrying.
>
> Anyone any ideas on how this could be happening?
>
> Thanks
>
> Paul

Posting some redacted logs would be very helpful.

--
Thanks,
Steve Totaro
+18887771888 (Toll Free)
+12409381212 (Cell)
+12024369784 (Skype)

I can only suggest the most obvious cause without knowing how it's configured, sorry.

Take a look at the default context in sip.conf for me:

    [general]
    context=default

My "default" context doesn't exist, so if a call comes in from an unknown user, Asterisk complains about not matching whatever number they are asking for. If I changed it to

    context=internal

which does have dialing rules, then people would be able to dial out through my Asterisk box.

Kyle

On Thu, Jun 11, 2009 at 12:30 PM, Paul Redstone <paul.redstone at solica.com> wrote:
> Hi
>
> Running 1.2.26 BRI stuffed. Calls made via PSTN via ISDN interface (Junghanns).
>
> SIP ports mapped through firewall as we often connect from outside, but all SIP accounts have good passwords.
>
> However our telecoms provider picked up a few suspicious calls to places we do not normally call at times we do not often call.
>
> Looking at Asterisk logs it shows SIP session from the internet connected in and making calls with account IDs we do not recognise - definitely none of ours.
>
> Very few calls have been made this way, trivial cost, but it is slightly worrying.
>
> Anyone any ideas on how this could be happening?
>
> Thanks
>
> Paul

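
An added example, not part of the thread and not Asterisk project code: a small Python check for the exposure Kyle describes. It reads the context that [general] in sip.conf assigns to unknown callers and lists the Dial() rules reachable from that context in extensions.conf, following include => lines. The sample file contents, the Zap/g1 trunk name and all function names are constructed for illustration.

```python
import re

# Constructed sample files for illustration; not the poster's configuration.
SIP_CONF = """
[general]
context=internal      ; callers that match no account land here
"""
EXTENSIONS_CONF = """
[default]
include => internal
[internal]
exten => _9.,1,Dial(Zap/g1/${EXTEN:1})
exten => 100,1,Dial(SIP/paul)
"""

def parse_sections(text):
    """Map each [section] to its lines, with ';' comments and blanks removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("["):
            current = line[1:].partition("]")[0]
            sections.setdefault(current, [])
        elif line and current:
            sections[current].append(line)
    return sections

def guest_context(sip_text):
    """Context [general] gives unknown callers; chan_sip falls back to 'default'."""
    pairs = (l.partition("=") for l in parse_sections(sip_text).get("general", []))
    general = {k.strip().lower(): v.strip() for k, _, v in pairs}
    return general.get("context", "default")

def reachable_dials(ext_text, ctx, seen=()):
    """(context, line) for every Dial() reachable from ctx, following include =>."""
    if ctx in seen:  # guard against include loops
        return []
    hits = []
    for line in parse_sections(ext_text).get(ctx, []):
        inc = re.match(r"include\s*=>\s*(\S+)", line, re.I)
        if inc:
            hits += reachable_dials(ext_text, inc.group(1), seen + (ctx,))
        elif re.search(r"\bDial\(", line, re.I):
            hits.append((ctx, line))
    return hits

def audit(sip_text, ext_text):
    """Return the guest context and the dial rules an unknown caller can reach."""
    ctx = guest_context(sip_text)
    return ctx, reachable_dials(ext_text, ctx)
```

An empty list from audit() corresponds to Kyle's setup, where the guest context has no dialing rules; any entries are outbound routes that do not depend on a SIP password.
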
>>>Very few calls have been made this way, trivial cost, but it is slightly worrying.

That's what I thought when they hacked into one of my systems, but it is not the cost of the calls, it is the purpose of the calls you should watch out for. The FBI contacted the owner of the PBX and asked him about calls being made from "his company" doing credit card soliciting.

CS

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Paul Redstone
Sent: Thursday, June 11, 2009 3:30 PM
To: Asterisk User
Subject: [asterisk-users] SIP hacked connection?

Hi

Running 1.2.26 BRI stuffed. Calls made via PSTN via ISDN interface (Junghanns).

SIP ports mapped through firewall as we often connect from outside, but all SIP accounts have good passwords.

However our telecoms provider picked up a few suspicious calls to places we do not normally call at times we do not often call.

Looking at Asterisk logs it shows SIP session from the internet connected in and making calls with account IDs we do not recognise - definitely none of ours.

Very few calls have been made this way, trivial cost, but it is slightly worrying.

Anyone any ideas on how this could be happening?

Thanks

Paul