I am not really sure, but apparently they guessed a SIP username/password. But what I don't understand is that even though I deleted that extension altogether, 'sip show peers' still showed that extension. Then I figured out an easy-to-guess manager user and password, which I also deleted. I think it all started from the manager user/password and they created an extension on the server which 'sip show peers' would show as offline but would be making calls successfully.
The IPs I had to block so far are:

213.136.96.104
88.151.100.167
85.17.141.101
212.34.138.12

On Tue, Mar 24, 2009 at 5:55 AM, Gordon Henderson <gordon+aster...@drogon.net> wrote:

> On Mon, 23 Mar 2009, Zeeshan Zakaria wrote:
>
> > Hi,
> >
> > In the last week I have seen two servers of our organization successfully
> > hacked and some others under attack from some other IP addresses. We would
> > block one IP address on our firewall and after a few hours, they would start
> > getting hits from another IP address. When I checked them on whois.net,
> > they all were from Amsterdam. Surprisingly, I once had a similar attack in the
> > past and it was also from an Amsterdam IP address. And they all belong to
> > the same organization.
> >
> > Seems like somebody in Amsterdam is really active in trying to hack asterisk
> > servers around the world.
>
> Are you willing to share details of the hack? E.g. Did they gain root
> access to the server? Did they exploit a bug in the web server to run
> code? Did they guess SIP username/password combinations? Or something
> else?
>
> Gordon

--
Zeeshan A Zakaria
_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users