Intrusion detected inbound campaigns

Any and all non-support discussions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

Intrusion detected inbound campaigns

Postby macaruchi » Tue Sep 19, 2017 3:25 pm

Hi!
I am checking my CDR and I figured out that somebody is doing outbound calls from my account inbound.

I have an account inbound just for inbound and I dont use it for outbound calls but anyway I checked calls from this account.


vicibox7:/var/log/asterisk # cat messages.2017-09-19---050341 | grep 17037291641
[Sep 19 00:04:51] VERBOSE[10901][C-0000532c] pbx.c: [Sep 19 00:04:51] -- Executing [817037291641@default:1] AGI("SIP/FLO3008-00002a68", "agi://127.0.0.1:4577/call_log") in new stack
[Sep 19 00:04:51] VERBOSE[10901][C-0000532c] pbx.c: [Sep 19 00:04:51] -- Executing [817037291641@default:2] Dial("SIP/FLO3008-00002a68", "sip/17037291641@DID_IN1,55,o") in new stack
[Sep 19 00:04:51] VERBOSE[10901][C-0000532c] app_dial.c: [Sep 19 00:04:51] -- Called sip/17037291641@DID_IN1
[Sep 19 00:05:26] VERBOSE[10901][C-0000532c] pbx.c: [Sep 19 00:05:26] == Spawn extension (default, 817037291641, 2) exited non-zero on 'SIP/FLO3008-00002a68'
[Sep 19 03:19:58] VERBOSE[12449][C-00005510] pbx.c: [Sep 19 03:19:58] -- Executing [817037291641@default:1] AGI("SIP/FLO3008-00002c36", "agi://127.0.0.1:4577/call_log") in new stack
[Sep 19 03:19:58] VERBOSE[12449][C-00005510] pbx.c: [Sep 19 03:19:58] -- Executing [817037291641@default:2] Dial("SIP/FLO3008-00002c36", "sip/17037291641@DID_IN1,55,o") in new stack
[Sep 19 03:19:58] VERBOSE[12449][C-00005510] app_dial.c: [Sep 19 03:19:58] -- Called sip/17037291641@DID_IN1
[Sep 19 03:20:35] VERBOSE[12449][C-00005510] pbx.c: [Sep 19 03:20:35] == Spawn extension (default, 817037291641, 2) exited non-zero on 'SIP/FLO3008-00002c36'
vicibox7:/var/log/asterisk #


I am seeing that it uses default context


ViciBox 7.0.3
OpenSuse 42.1Leap
VERSION: 2.12-565a
BUILD: 160827-0917
8GB Ram
Intel Xeon 2.5Ghz
8 core
macaruchi
 
Posts: 71
Joined: Wed Sep 21, 2016 8:11 pm

Re: Intrusion detected inbound campaigns

Postby macaruchi » Tue Sep 19, 2017 3:35 pm

This is my conf for this carrier

[DID_IN1]
username=xxxxxx
secret=xxxxxxxxxxxx
type=peer
progressinband=never
port=5060
nat=force_rport
ignoresdpversion=yes
host= my.host.inbound.com
dtmfmode=rfc2833
deny=x.x.x.x/255.255.255.255
context=trunkinbound
canreinvite=no
insecure=port,invite
disallow=all
allow=ulaw
allow=alaw
macaruchi
 
Posts: 71
Joined: Wed Sep 21, 2016 8:11 pm


Return to General Discussion

Who is online

Users browsing this forum: No registered users and 11 guests