Possible HACK

Discussion in '3CX Phone System - General' started by patrickrivard, Oct 6, 2015.

Thread Status:
Not open for further replies.
  1. patrickrivard

    patrickrivard New Member

    Joined:
    May 29, 2008
    Messages:
    100
    Likes Received:
    0
    Can anyone shed some light on this log file?
    It appears that someone is trying to hack into our 3CX server, but I have no clue how to proceed to resolve this issue...
    I have blocked a bunch of IPs in the IP Black List of the Security tab in the Management Console, but aside from that, what can be done???
    In the following log, I have replaced our external IP with XXX.XXX.XXX.XXX, but the rest is all original, including the unknown IP...

    04-Oct-2015 22:39:54.479 [CM102001]: Authentication failed for AuthFail Recv Req INVITE from 195.154.207.24:52952 tid=aa44cd2b-e835-472b-a04d-be340961e392 Call-ID=dyegrwcbqwbdwgmnjpvoartwddxfbtwybkomxlwdiexjlrsdvw:
    INVITE sip:00016468443955@XXX.XXX.XXX.XXX SIP/2.0
    Via: SIP/2.0/UDP 195.154.207.24:52952;branch=z9hG4bKaa44cd2b-e835-472b-a04d-be340961e392;rport=52952
    Max-Forwards: 70
    Contact: <sip:c@195.154.207.24:52952>
    To: <sip:00016468443955@XXX.XXX.XXX.XXX>
    From: "c"<sip:c@XXX.XXX.XXX.XXX>;tag=pfslqleh
    Call-ID: dyegrwcbqwbdwgmnjpvoartwddxfbtwybkomxlwdiexjlrsdvw
    CSeq: 2 INVITE
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, SUBSCRIBE, NOTIFY, REFER, INFO, MESSAGE
    Content-Type: application/sdp
    Proxy-Authorization: Digest username="c",realm="3CXPhoneSystem",nonce="414d535c0c2273fa31:d21c96184c423d3efac7afba94e4693d",response="91f25bd9114132cae55e2063bfd9e37d",uri="sip:00016468443955@XXX.XXX.XXX.XXX",algorithm=MD5
    User-Agent: Ozeki VoIP SIP SDK v10.1.13
    Content-Length: 392

    v=0
    o=- 302631338 302631338 IN IP4 195.154.207.24
    s=Ozeki VoIP SIP SDK v10.1.13
    c=IN IP4 195.154.207.24
    t=0 0
    m=audio 52948 RTP/AVP 18 8 0 3 100
    a=rtpmap:18 G729/8000
    a=fmtp:18 annexb=no
    a=rtpmap:8 PCMA/8000
    a=rtpmap:0 PCMU/8000
    a=rtpmap:3 GSM/8000
    a=rtpmap:100 SPEEX/16000
    a=sendrecv
    m=video 52945 RTP/AVP 99
    a=rtpmap:99 H264/90000
    a=fmtp:99 packetization-mode=1
    a=sendrecv
    ; Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    04-Oct-2015 22:39:54.479 [CM302002]: Authentication failed due to unidentified source of: SipReq: INVITE 00016468443955@XXX.XXX.XXX.XXX tid=aa44cd2b-e835-472b-a04d-be340961e392 cseq=INVITE contact=c@195.154.207.24:52952 / 2 from(wire)
    04-Oct-2015 22:39:52.439 [CM102001]: Authentication failed for AuthFail Recv Req INVITE from 195.154.207.24:52952 tid=03e66996-95c3-4d1d-a33b-3d8448e9bcf8 Call-ID=hedjlenchiykjwgwvwmxdetjajggjnfxgbfvumhrvmcoicpelv:
    INVITE sip:90016468443955@XXX.XXX.XXX.XXX SIP/2.0
    Via: SIP/2.0/UDP 195.154.207.24:52952;branch=z9hG4bK03e66996-95c3-4d1d-a33b-3d8448e9bcf8;rport=52952
    Max-Forwards: 70
    Contact: <sip:c@195.154.207.24:52952>
    To: <sip:90016468443955@XXX.XXX.XXX.XXX>
    From: "c"<sip:c@XXX.XXX.XXX.XXX>;tag=ybonncjt
    Call-ID: hedjlenchiykjwgwvwmxdetjajggjnfxgbfvumhrvmcoicpelv
    CSeq: 2 INVITE
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, SUBSCRIBE, NOTIFY, REFER, INFO, MESSAGE
    Content-Type: application/sdp
    Proxy-Authorization: Digest username="c",realm="3CXPhoneSystem",nonce="414d535c0c2273f886:23f4ef11b001a6f092e318147f90977b",response="bdd2ac799ceba6784ff9948da11fa31f",uri="sip:90016468443955@XXX.XXX.XXX.XXX",algorithm=MD5
    User-Agent: Ozeki VoIP SIP SDK v10.1.13
    Content-Length: 394

    v=0
    o=- 1133145147 1133145147 IN IP4 195.154.207.24
    s=Ozeki VoIP SIP SDK v10.1.13
    c=IN IP4 195.154.207.24
    t=0 0
    m=audio 52942 RTP/AVP 18 8 0 3 100
    a=rtpmap:18 G729/8000
    a=fmtp:18 annexb=no
    a=rtpmap:8 PCMA/8000
    a=rtpmap:0 PCMU/8000
    a=rtpmap:3 GSM/8000
    a=rtpmap:100 SPEEX/16000
    a=sendrecv
    m=video 52959 RTP/AVP 99
    a=rtpmap:99 H264/90000
    a=fmtp:99 packetization-mode=1
    a=sendrecv
    ; Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    04-Oct-2015 22:39:52.439 [CM302002]: Authentication failed due to unidentified source of: SipReq: INVITE 90016468443955@XXX.XXX.XXX.XXX tid=03e66996-95c3-4d1d-a33b-3d8448e9bcf8 cseq=INVITE contact=c@195.154.207.24:52952 / 2 from(wire)
    04-Oct-2015 22:39:50.352 [CM102001]: Authentication failed for AuthFail Recv Req INVITE from 195.154.207.24:52952 tid=21e24306-fbcd-46d8-b059-71e3840a8528 Call-ID=wseuheoeafvyvuvwqyydiuqyiacqhxwhybnluoaaeaepnpbhdk:
    INVITE sip:+16468443955@XXX.XXX.XXX.XXX SIP/2.0
    Via: SIP/2.0/UDP 195.154.207.24:52952;branch=z9hG4bK21e24306-fbcd-46d8-b059-71e3840a8528;rport=52952
    Max-Forwards: 70
    Contact: <sip:c@195.154.207.24:52952>
    To: <sip:+16468443955@XXX.XXX.XXX.XXX>
    From: "c"<sip:c@XXX.XXX.XXX.XXX>;tag=pdwkkcce
    Call-ID: wseuheoeafvyvuvwqyydiuqyiacqhxwhybnluoaaeaepnpbhdk
    CSeq: 2 INVITE
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, SUBSCRIBE, NOTIFY, REFER, INFO, MESSAGE
    Content-Type: application/sdp
    Proxy-Authorization: Digest username="c",realm="3CXPhoneSystem",nonce="414d535c0c2273f646:18250ced975f8cc8b47a11e1c6d88564",response="8457e4daf92adaabfb89d63651879f8c",uri="sip:+16468443955@XXX.XXX.XXX.XXX",algorithm=MD5
    User-Agent: Ozeki VoIP SIP SDK v10.1.13
    Content-Length: 394

    v=0
    o=- 1592679041 1592679041 IN IP4 195.154.207.24
    s=Ozeki VoIP SIP SDK v10.1.13
    c=IN IP4 195.154.207.24
    t=0 0
    m=audio 52962 RTP/AVP 18 8 0 3 100
    a=rtpmap:18 G729/8000
    a=fmtp:18 annexb=no
    a=rtpmap:8 PCMA/8000
    a=rtpmap:0 PCMU/8000
    a=rtpmap:3 GSM/8000
    a=rtpmap:100 SPEEX/16000
    a=sendrecv
    m=video 52966 RTP/AVP 99
    a=rtpmap:99 H264/90000
    a=fmtp:99 packetization-mode=1
    a=sendrecv
    ; Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    04-Oct-2015 22:39:50.351 [CM302002]: Authentication failed due to unidentified source of: SipReq: INVITE +16468443955@XXX.XXX.XXX.XXX tid=21e24306-fbcd-46d8-b059-71e3840a8528 cseq=INVITE contact=c@195.154.207.24:52952 / 2 from(wire)
    04-Oct-2015 22:39:48.317 [CM102001]: Authentication failed for AuthFail Recv Req INVITE from 195.154.207.24:52952 tid=d54608d7-ea2b-4c84-8fe1-f567134b93c0 Call-ID=scoacueynfrhkhjfahpwxgcxtsmovesvsiifmynhpfpgcbwvjt:
    INVITE sip:16468443955@XXX.XXX.XXX.XXX SIP/2.0
    Via: SIP/2.0/UDP 195.154.207.24:52952;branch=z9hG4bKd54608d7-ea2b-4c84-8fe1-f567134b93c0;rport=52952
    Max-Forwards: 70
    Contact: <sip:c@195.154.207.24:52952>
    To: <sip:16468443955@XXX.XXX.XXX.XXX>
    From: "c"<sip:c@XXX.XXX.XXX.XXX>;tag=wekhtmaq
    Call-ID: scoacueynfrhkhjfahpwxgcxtsmovesvsiifmynhpfpgcbwvjt
    CSeq: 2 INVITE
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, SUBSCRIBE, NOTIFY, REFER, INFO, MESSAGE
    Content-Type: application/sdp
    Proxy-Authorization: Digest username="c",realm="3CXPhoneSystem",nonce="414d535c0c2273f401:48d3216639ff9697c8de19468589f552",response="96d7299241ca77015b69c38f01c2411a",uri="sip:16468443955@XXX.XXX.XXX.XXX",algorithm=MD5
    User-Agent: Ozeki VoIP SIP SDK v10.1.13
    Content-Length: 394

    v=0
    o=- 1217459954 1217459954 IN IP4 195.154.207.24
    s=Ozeki VoIP SIP SDK v10.1.13
    c=IN IP4 195.154.207.24
    t=0 0
    m=audio 52965 RTP/AVP 18 8 0 3 100
    a=rtpmap:18 G729/8000
    a=fmtp:18 annexb=no
    a=rtpmap:8 PCMA/8000
    a=rtpmap:0 PCMU/8000
    a=rtpmap:3 GSM/8000
    a=rtpmap:100 SPEEX/16000
    a=sendrecv
    m=video 52942 RTP/AVP 99
    a=rtpmap:99 H264/90000
    a=fmtp:99 packetization-mode=1
    a=sendrecv
    ; Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    04-Oct-2015 22:39:48.316 [CM302002]: Authentication failed due to unidentified source of: SipReq: INVITE 16468443955@XXX.XXX.XXX.XXX tid=d54608d7-ea2b-4c84-8fe1-f567134b93c0 cseq=INVITE contact=c@195.154.207.24:52952 / 2 from(wire)
    04-Oct-2015 22:39:46.284 [CM102001]: Authentication failed for AuthFail Recv Req INVITE from 195.154.207.24:52952 tid=ae8d4597-dbe3-4970-8a4d-30d4a8e500bb Call-ID=gcgtdhqotuuxmjlrfkbhettbkeikppguamadedvssmkxwssarj:
    INVITE sip:0016468443955@XXX.XXX.XXX.XXX SIP/2.0
    Via: SIP/2.0/UDP 195.154.207.24:52952;branch=z9hG4bKae8d4597-dbe3-4970-8a4d-30d4a8e500bb;rport=52952
    Max-Forwards: 70
    Contact: <sip:c@195.154.207.24:52952>
    To: <sip:0016468443955@XXX.XXX.XXX.XXX>
    From: "c"<sip:c@XXX.XXX.XXX.XXX>;tag=yprxhmif
    Call-ID: gcgtdhqotuuxmjlrfkbhettbkeikppguamadedvssmkxwssarj
    CSeq: 2 INVITE
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, SUBSCRIBE, NOTIFY, REFER, INFO, MESSAGE
    Content-Type: application/sdp
    Proxy-Authorization: Digest username="c",realm="3CXPhoneSystem",nonce="414d535c0c2273f291:ba889dfc74c3d9815cc895a406d0dfaf",response="9a918c1ecdeb3c5bece5d6ab1389380d",uri="sip:0016468443955@XXX.XXX.XXX.XXX",algorithm=MD5
    User-Agent: Ozeki VoIP SIP SDK v10.1.13
    Content-Length: 392

    v=0
    o=- 265493167 265493167 IN IP4 195.154.207.24
    s=Ozeki VoIP SIP SDK v10.1.13
    c=IN IP4 195.154.207.24
    t=0 0
    m=audio 52945 RTP/AVP 18 8 0 3 100
    a=rtpmap:18 G729/8000
    a=fmtp:18 annexb=no
    a=rtpmap:8 PCMA/8000
    a=rtpmap:0 PCMU/8000
    a=rtpmap:3 GSM/8000
    a=rtpmap:100 SPEEX/16000
    a=sendrecv
    m=video 52957 RTP/AVP 99
    a=rtpmap:99 H264/90000
    a=fmtp:99 packetization-mode=1
    a=sendrecv
    ; Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    04-Oct-2015 22:39:46.284 [CM302002]: Authentication failed due to unidentified source of: SipReq: INVITE 0016468443955@XXX.XXX.XXX.XXX tid=ae8d4597-dbe3-4970-8a4d-30d4a8e500bb cseq=INVITE contact=c@195.154.207.24:52952 / 2 from(wire)
    04-Oct-2015 22:39:44.248 [CM102001]: Authentication failed for AuthFail Recv Req INVITE from 195.154.207.24:52952 tid=132cf456-898a-4294-86ba-7e9c9fe40a68 Call-ID=wktaooxvnsdwybaimvjsbbuhfguswetisbvkamrucgsiaryvdv:
    INVITE sip:01116468443955@XXX.XXX.XXX.XXX SIP/2.0
    Via: SIP/2.0/UDP 195.154.207.24:52952;branch=z9hG4bK132cf456-898a-4294-86ba-7e9c9fe40a68;rport=52952
    Max-Forwards: 70
    Contact: <sip:c@195.154.207.24:52952>
    To: <sip:01116468443955@XXX.XXX.XXX.XXX>
    From: "c"<sip:c@XXX.XXX.XXX.XXX>;tag=nrrmavom
    Call-ID: wktaooxvnsdwybaimvjsbbuhfguswetisbvkamrucgsiaryvdv
    CSeq: 2 INVITE
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, SUBSCRIBE, NOTIFY, REFER, INFO, MESSAGE
    Content-Type: application/sdp
    Proxy-Authorization: Digest username="c",realm="3CXPhoneSystem",nonce="414d535c0c2273f060:adf77f7388e608f7b9211400e9de689a",response="5be94ca4773034b0714844b5f980846f",uri="sip:01116468443955@XXX.XXX.XXX.XXX",algorithm=MD5
    User-Agent: Ozeki VoIP SIP SDK v10.1.13
    Content-Length: 392

    v=0
    o=- 954803414 954803414 IN IP4 195.154.207.24
    s=Ozeki VoIP SIP SDK v10.1.13
    c=IN IP4 195.154.207.24
    t=0 0
    m=audio 52966 RTP/AVP 18 8 0 3 100
    a=rtpmap:18 G729/8000
    a=fmtp:18 annexb=no
    a=rtpmap:8 PCMA/8000
    a=rtpmap:0 PCMU/8000
    a=rtpmap:3 GSM/8000
    a=rtpmap:100 SPEEX/16000
    a=sendrecv
    m=video 52961 RTP/AVP 99
    a=rtpmap:99 H264/90000
    a=fmtp:99 packetization-mode=1
    a=sendrecv
    ; Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    04-Oct-2015 22:39:44.247 [CM302002]: Authentication failed due to unidentified source of: SipReq: INVITE 01116468443955@XXX.XXX.XXX.XXX tid=132cf456-898a-4294-86ba-7e9c9fe40a68 cseq=INVITE contact=c@195.154.207.24:52952 / 2 from(wire)
    04-Oct-2015 22:39:42.240 [CM102001]: Authentication failed for AuthFail Recv Req INVITE from 195.154.207.24:52952 tid=abf7241b-7781-4e48-af4b-1042edc2fb11 Call-ID=yseplxntsstakstbwmrpodjowuvbvvqdhrejkphlwnfyulxwob:
    INVITE sip:901116468443955@XXX.XXX.XXX.XXX SIP/2.0
    Via: SIP/2.0/UDP 195.154.207.24:52952;branch=z9hG4bKabf7241b-7781-4e48-af4b-1042edc2fb11;rport=52952
    Max-Forwards: 70
    Contact: <sip:c@195.154.207.24:52952>
    To: <sip:901116468443955@XXX.XXX.XXX.XXX>
    From: "c"<sip:c@XXX.XXX.XXX.XXX>;tag=seotfujp
    Call-ID: yseplxntsstakstbwmrpodjowuvbvvqdhrejkphlwnfyulxwob
    CSeq: 2 INVITE
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, SUBSCRIBE, NOTIFY, REFER, INFO, MESSAGE
    Content-Type: application/sdp
    Proxy-Authorization: Digest username="c",realm="3CXPhoneSystem",nonce="414d535c0c2273ee67:289a31ac641c8400f78215aab2742d92",response="76224d166d8243c39d2f18ed8b95f2bd",uri="sip:901116468443955@XXX.XXX.XXX.XXX",algorithm=MD5
    User-Agent: Ozeki VoIP SIP SDK v10.1.13
    Content-Length: 392

    v=0
    o=- 649468010 649468010 IN IP4 195.154.207.24
    s=Ozeki VoIP SIP SDK v10.1.13
    c=IN IP4 195.154.207.24
    t=0 0
    m=audio 52954 RTP/AVP 18 8 0 3 100
    a=rtpmap:18 G729/8000
    a=fmtp:18 annexb=no
    a=rtpmap:8 PCMA/8000
    a=rtpmap:0 PCMU/8000
    a=rtpmap:3 GSM/8000
    a=rtpmap:100 SPEEX/16000
    a=sendrecv
    m=video 52966 RTP/AVP 99
    a=rtpmap:99 H264/90000
    a=fmtp:99 packetization-mode=1
    a=sendrecv
    ; Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    04-Oct-2015 22:39:42.240 [CM302002]: Authentication failed due to unidentified source of: SipReq: INVITE 901116468443955@XXX.XXX.XXX.XXX tid=abf7241b-7781-4e48-af4b-1042edc2fb11 cseq=INVITE contact=c@195.154.207.24:52952 / 2 from(wire)
    04-Oct-2015 22:39:40.121 [CM102001]: Authentication failed for AuthFail Recv Req INVITE from 195.154.207.24:52952 tid=17471c90-e1f0-4d2d-ad2e-a81ad52054cc Call-ID=xavbvmqtnlmktsdligdayjtctrgihlosrqsvjopiilvxowxtla:
    INVITE sip:916468443955@XXX.XXX.XXX.XXX SIP/2.0
    Via: SIP/2.0/UDP 195.154.207.24:52952;branch=z9hG4bK17471c90-e1f0-4d2d-ad2e-a81ad52054cc;rport=52952
    Max-Forwards: 70
    Contact: <sip:c@195.154.207.24:52952>
    To: <sip:916468443955@XXX.XXX.XXX.XXX>
    From: "c"<sip:c@XXX.XXX.XXX.XXX>;tag=twysmoft
    Call-ID: xavbvmqtnlmktsdligdayjtctrgihlosrqsvjopiilvxowxtla
    CSeq: 2 INVITE
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, SUBSCRIBE, NOTIFY, REFER, INFO, MESSAGE
    Content-Type: application/sdp
    Proxy-Authorization: Digest username="c",realm="3CXPhoneSystem",nonce="414d535c0c2273eb18:422704f5be36b6b32ab6dee2a49344c8",response="ad2c8ce2ea3ec47072fa867ac2c99813",uri="sip:916468443955@XXX.XXX.XXX.XXX",algorithm=MD5
    User-Agent: Ozeki VoIP SIP SDK v10.1.13
    Content-Length: 394

    v=0
    o=- 1880510428 1880510428 IN IP4 195.154.207.24
    s=Ozeki VoIP SIP SDK v10.1.13
    c=IN IP4 195.154.207.24
    t=0 0
    m=audio 52965 RTP/AVP 18 8 0 3 100
    a=rtpmap:18 G729/8000
    a=fmtp:18 annexb=no
    a=rtpmap:8 PCMA/8000
    a=rtpmap:0 PCMU/8000
    a=rtpmap:3 GSM/8000
    a=rtpmap:100 SPEEX/16000
    a=sendrecv
    m=video 52946 RTP/AVP 99
    a=rtpmap:99 H264/90000
    a=fmtp:99 packetization-mode=1
    a=sendrecv
    ; Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    04-Oct-2015 22:39:40.121 [CM302002]: Authentication failed due to unidentified source of: SipReq: INVITE 916468443955@XXX.XXX.XXX.XXX tid=17471c90-e1f0-4d2d-ad2e-a81ad52054cc cseq=INVITE contact=c@195.154.207.24:52952 / 2 from(wire)
    04-Oct-2015 21:36:46.827 PBX has dropped a message with 'User-Agent: friendly-scanner' from IP 5.189.163.147 because it is on blocked UAs list
     
  2. swink

    Joined:
    Oct 9, 2014
    Messages:
    15
    Likes Received:
    0
    Turn down the number of failures required to be banned and turn up the length of time they are banned. Not much to do assuming you are using strong passwords. They will run out of patience and IP address space long before they get in.
     
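    The reply above suggests lowering the failure threshold and lengthening the ban. As an added example that is not part of this thread or of 3CX, here is a small Python script that applies that idea offline to 3CX log lines: it parses the CM102001 "Authentication failed" records, counts failures per source IP in a sliding time window, and reports the numbers each flagged IP tried (in the posted log the same number is dialled with different prefixes: 000, 900, +, 1, 00, 011, 9011, 9). The log sample is constructed from the lines quoted in the post; the internal address 10.0.0.5, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample modelled on the 3CX log quoted in the post: the CM102001 line of each
# failed INVITE plus its request line, the blocked-UA line, and one unrelated failure (10.0.0.5 is made up).
SAMPLE_LOG = """\
04-Oct-2015 22:39:54.479 [CM102001]: Authentication failed for AuthFail Recv Req INVITE from 195.154.207.24:52952 tid=t1 Call-ID=c1:
INVITE sip:00016468443955@XXX.XXX.XXX.XXX SIP/2.0
04-Oct-2015 22:39:52.439 [CM102001]: Authentication failed for AuthFail Recv Req INVITE from 195.154.207.24:52952 tid=t2 Call-ID=c2:
INVITE sip:90016468443955@XXX.XXX.XXX.XXX SIP/2.0
04-Oct-2015 22:39:50.352 [CM102001]: Authentication failed for AuthFail Recv Req INVITE from 195.154.207.24:52952 tid=t3 Call-ID=c3:
INVITE sip:+16468443955@XXX.XXX.XXX.XXX SIP/2.0
04-Oct-2015 22:39:48.317 [CM102001]: Authentication failed for AuthFail Recv Req INVITE from 195.154.207.24:52952 tid=t4 Call-ID=c4:
INVITE sip:16468443955@XXX.XXX.XXX.XXX SIP/2.0
04-Oct-2015 21:36:46.827 PBX has dropped a message with 'User-Agent: friendly-scanner' from IP 5.189.163.147 because it is on blocked UAs list
04-Oct-2015 09:12:00.000 [CM102001]: Authentication failed for AuthFail Recv Req REGISTER from 10.0.0.5:5060 tid=t5 Call-ID=c5:
"""

AUTH_FAIL = re.compile(r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \[CM102001\]: "
                       r"Authentication failed .* from (?P<ip>\d+(?:\.\d+){3}):\d+")
INVITE_URI = re.compile(r"^INVITE sip:(?P<number>[^@]+)@")

def parse_failures(text):
    """Return (timestamp, source ip, dialled number or None) per CM102001 record."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if m := AUTH_FAIL.match(line):
            events.append([datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"), m["ip"], None])
        elif events and events[-1][2] is None and (m := INVITE_URI.match(line)):
            events[-1][2] = m["number"]   # request line that follows the failure record
    return [tuple(e) for e in events]

def offenders(events, max_failures=3, window=timedelta(minutes=5)):
    """IPs with more than max_failures failures inside any sliding window, mapped to
    the distinct numbers they tried (prefix variants of one number, as in the post)."""
    by_ip = defaultdict(list)
    for ts, ip, number in events:
        by_ip[ip].append((ts, number))
    flagged = {}
    for ip, items in by_ip.items():
        items.sort(key=lambda e: e[0])    # log is newest-first; sort oldest-first
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 > max_failures:
                flagged[ip] = sorted({n for _, n in items if n})
                break
    return flagged
```

    Running `offenders(parse_failures(SAMPLE_LOG))` flags only 195.154.207.24; the single internal failure stays below the threshold, which is the behaviour you want before feeding such a list into a firewall or the 3CX blacklist.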
  3. 12494

    12494 Member

    Joined:
    Apr 16, 2010
    Messages:
    298
    Likes Received:
    29
    Can you just whitelist (only allow) your SIP provider in your firewall for port 5060?

    Allen
     
  4. patrickrivard

    patrickrivard New Member

    Joined:
    May 29, 2008
    Messages:
    100
    Likes Received:
    0
    @swink: I have applied the suggested changes to the default settings... Let's see if it helps... Thanks

    @12494: Allen, this is a really good idea. I will try to find out how to implement it in our firewall and see if this also helps...

    These were good and constructive comments. It is really appreciated.
    Any other comments/advice or solutions are welcome!

    I will try to keep this post updated with our results...

    Thank you
     