Hack Attempt?

Discussion in '3CX Phone System - General' started by rayfield, Jun 16, 2011.

Thread Status:
Not open for further replies.
  1. rayfield

    rayfield New Member

    Several times now, in the middle of the night, one of the phones connected to my 'test' installation of 3CX V10 would ring. I would answer it and no one would be there. The Caller ID would show "asterisk".

    Last night, when this happened again, I looked at the Server Activity Log. Here's what it shows:

    ========================================================================================
    02:21:52.191 [CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
    INVITE sip:002442070661000@69.27.157.130 SIP/2.0
    Via: SIP/2.0/UDP 89.187.144.214:54979;branch=z123RE8gBkor3;rport=54979
    Max-Forwards: 70
    Contact: <sip:asterisk@89.187.144.214>
    To: <sip:002442070661000@69.27.157.130>
    From: "asterisk"<sip:asterisk@89.187.144.214>;tag=z321RE8gBkor3
    Call-ID: abc124836edfb@89.187.144.214
    CSeq: 102 INVITE
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
    Supported: replaces
    User-Agent: Asterisk PBX
    Content-Length: 0

    02:21:52.191 [CM302001]: Authorization system can not identify source of: SipReq: INVITE 002442070661000@69.27.157.130 tid=3705f49279c462b5afce137ca121b51b cseq=INVITE contact=asterisk@89.187.144.214 / 102 from(wire)
    ========================================================================================

    The IP address from which this "unidentified incoming call" came is in the Czech Republic.

    Is this an attempt by someone to hack into what they think is an Asterisk-based system?

    John Rayfield, Jr.
     
  2. nb

    nb Support Team
    Staff Member 3CX Support

    Could be - he is trying to make a direct SIP call - a direct SIP call is without authentication. The server is stopping the call because it complains "Unidentified incoming call. Review INVITE and adjust source identification". This means that source authentication has not been matched.

    However, the attacker, if it is an attack, can manipulate the packet if he knows what source your PBX needs (or by trial and error), and an incoming call can be made, so you should use the anti-hacking feature to blacklist the IP address.

    Block his IP. What is your operating system?

    If you have XP or 2003, there is a small issue with the block of IP and you will need to set Range of IP + subnet mask 255.255.255.255 (do not use specific IP address).

    If you have Win 7/2008, then no problems - proceed business as usual.


    Do you have more of these? Are they all asterisk? Do they change?
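
Added example (not part of the original thread and not 3CX's own tooling): a Python script that answers the questions above by grouping the `CM500002` entries of a Server Activity Log by source address, dialed number and User-Agent. The sample log is constructed in the format quoted in the first post, with documentation-range addresses and hypothetical numbers; the Via address is supplied by the sender, so confirm it against firewall logs.

```python
import re
from collections import defaultdict

# Constructed sample in the Server Activity Log format quoted in the thread
# (documentation-range addresses, hypothetical numbers and User-Agents).
SAMPLE_LOG = """\
02:21:52.191 [CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
INVITE sip:0015550100@203.0.113.10 SIP/2.0
Via: SIP/2.0/UDP 198.51.100.7:54979;branch=z9hG4bKa1;rport=54979
User-Agent: Asterisk PBX
02:21:52.191 [CM302001]: Authorization system can not identify source of: SipReq: INVITE 0015550100@203.0.113.10
02:40:03.500 [CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
INVITE sip:90015550100@203.0.113.10 SIP/2.0
Via: SIP/2.0/UDP 198.51.100.7:40112;branch=z9hG4bKa2;rport=40112
User-Agent: Asterisk PBX
03:05:10.020 [CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
INVITE sip:0015550100@203.0.113.10 SIP/2.0
Via: SIP/2.0/UDP 198.51.100.99:5060;branch=z9hG4bKb1
User-Agent: ExampleUA/1.0
"""

ENTRY = re.compile(r"^\d\d:\d\d:\d\d\.\d+ \[(CM\d+)\]")   # timestamped log entry
INVITE = re.compile(r"^INVITE sip:([^@\s]+)@")            # dialed number
VIA = re.compile(r"^Via: SIP/2\.0/\w+ ([0-9.]+)")         # sender-supplied address
UA = re.compile(r"^User-Agent: (.+)$")

def summarize(log_text):
    """Group CM500002 (unidentified INVITE) entries by Via source address."""
    sources = defaultdict(lambda: {"count": 0, "dialed": set(), "agents": set()})
    in_entry, src, dialed = False, None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := ENTRY.match(line)):          # a new entry ends the previous one
            in_entry, src, dialed = m.group(1) == "CM500002", None, None
        elif not in_entry:
            continue
        elif (m := INVITE.match(line)):
            dialed = m.group(1)
        elif src is None and (m := VIA.match(line)):   # topmost Via only
            src = m.group(1)
            sources[src]["count"] += 1
            sources[src]["dialed"].add(dialed)
        elif src and (m := UA.match(line)):
            sources[src]["agents"].add(m.group(1))
    return dict(sources)

if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, info["count"], sorted(info["dialed"]), sorted(info["agents"]))
```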
     
  3. rayfield

    rayfield New Member

    I think this is the only one that has shown up.

    I'm running WinXP. So I entered the IP (89.187.144.214) into the Block Range field and 255.255.255.255 into the Subnet Mask field. Is this what you mean?

    John Rayfield, Jr.
     
  4. nb

    nb Support Team
    Staff Member 3CX Support

    If you are using XP you have to go to

    Settings/Advanced/IP Blacklist

    Add / block range of IP addresses
    Network address - enter IP you want to block
    Subnet mask - 255.255.255.255
    Description - Asterisk source id penetration attempt Czech Republic

    Let me know on this
     
  5. JRayfield

    So far, so good. Blocking the IP with the IP Blacklist appears to have stopped this 'intruder'. I was going to block this IP in my router/firewall, but doing it in 3CX seems to have worked.

    If I see anything more of this 'intrusion attempt', I'll post something here again.

    John Rayfield, Jr.
     
  6. nb

    nb Support Team
    Staff Member 3CX Support

    But now it would be a good idea to block him on your firewall. If you have an intruder that is attacking you for sip services, you stopped him by 3CX - Fine. But an intruder remains an intruder. What if he decides to start probing you for other services?

    So as a general rule, first blacklist from 3CX. This is only a temporary mechanism - to give you some time to understand what is going on. Then you should go on your firewall and blacklist him from there.

    After this you should not stop there. You should check your firewall logs and see if he is attempting on you further. If he is, contact your ISP. This is the golden rule you have to follow.
     