Yes, if you are using IAX2, you could check iax.conf and check for a default 
config.

 

[default] is used when non auth’ed usually.

 

 

 



1-888-372-6501
sa...@contacttel.com
http://www.contacttel.com

 

 

 

 

From: asterisk-users-boun...@lists.digium.com 
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of David Anthony O 
Reilly
Sent: March-25-09 10:40 AM
To: asterisk-users@lists.digium.com
Subject: [asterisk-users] SIP Asterisk Hacked (1.6.0.6)

 

Hi all

 

I have been hacked but no idea how!!! I noticed somebody in Eastern Europe came 
from an American IP and tried to call loads of international numbers. 
Thankfully I had no credit with my VOIP out provider so the calls went nowhere. 
But if I had credit it would all have been used up.

 

I noticed hundreds of calls being made from clid and src being either UNKNOWN 
or as ASTERISK.

 

Here are a sample:

 

2009-03-24 16:47:14  "asterisk" <asterisk>  asterisk  0037322483581  default  SIP/66.199.242.101-09da9128  IAX2/out-1497  Dial  iax2/out/0037322483581  8  6  ANSWERED  3  1237913234.1077

2009-03-24 16:47:15  "Unknown" <Unknown>  Unknown  00380449536745  default  SIP/66.199.242.101-09da5230  IAX2/out-516  Dial  iax2/out/00380449536745  8  7  ANSWERED  3  1237913235.1081

 

I've reported it to the authorities and they are doing a backtrace to find the 
hacker, and in the meantime I have set my firewall that ONLY SIP requests from 
my own IP address can connect so my home phones can connect.

 

My config is ALL NORMAL - I am careful about putting it up here in case 
somebody else tries a fast one on me, but what I can tell you is that my 
passwords are all SHA1 substrings and there is no way in hell somebody could 
guess them. My box was not compromised either, as I went through my message 
logs, my ISP also has a server firewall rule set up so that one false password 
and the details are logged and I'm notified as somebody also tried a dictionary 
attack on me.

 

So now my system is all ruled up and I can only use it from here, if I am out 
and about I can't use it.

 

Anybody have any ideas about what I can do to try and find this security 
hole??? I am sure it's a bug as surely nobody should have been able to log into 
asterisk WITHOUT a password (from what I can see!!) and make calls out leaving 
the source and id as UNKNOWN or ASTERISK.

 

Thanks in advance

David
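
Added example, not part of the original thread and not Asterisk's own code: a small Python filter over CDR records in the column layout of the sample above. It flags calls whose source channel is named after an IPv4 address rather than a peer name, that landed in the `default` context and dialled a `00` prefix, and totals them per source address. The column layout is assumed from the two records in the post; the third record, the `phones` context and the `homephone` peer name are constructed for contrast.

```python
import re
from collections import defaultdict

# Column layout assumed from the two sample records in the post.
RECORD = re.compile(
    r'^(?P<calldate>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+'
    r'"(?P<clid_name>[^"]*)"\s+<(?P<clid_num>[^>]*)>\s+'
    r'(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<context>\S+)\s+'
    r'(?P<channel>\S+)\s+(?P<dstchannel>\S+)\s+'
    r'(?P<lastapp>\S+)\s+(?P<lastdata>\S+)\s+'
    r'(?P<duration>\d+)\s+(?P<billsec>\d+)\s+'
    r'(?P<disposition>ANSWERED|NO ANSWER|BUSY|FAILED)\b'
)
# Source channel named after an IPv4 address instead of a configured peer name.
IP_CHANNEL = re.compile(r'^SIP/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-[0-9a-fA-F]+$')

def parse(line):
    """Return the record as a dict, or None if the line is not a CDR row."""
    m = RECORD.match(line.strip())
    return m.groupdict() if m else None

def suspicious(rec, context="default", intl_prefix="00"):
    """Return the source IP if the record matches the pattern, else None."""
    m = IP_CHANNEL.match(rec["channel"])
    if m and rec["context"] == context and rec["dst"].startswith(intl_prefix):
        return m.group("ip")
    return None

def summarize(lines):
    """Map source IP -> call count, billed seconds and dialled numbers."""
    out = defaultdict(lambda: {"calls": 0, "billsec": 0, "dsts": []})
    for line in lines:
        rec = parse(line)
        ip = suspicious(rec) if rec else None
        if ip:
            out[ip]["calls"] += 1
            out[ip]["billsec"] += int(rec["billsec"])
            out[ip]["dsts"].append(rec["dst"])
    return dict(out)

SAMPLE = [
    # The two records from the post, one per line.
    '2009-03-24 16:47:14 "asterisk" <asterisk> asterisk 0037322483581 default SIP/66.199.242.101-09da9128 IAX2/out-1497 Dial iax2/out/0037322483581 8 6 ANSWERED 3 1237913234.1077',
    '2009-03-24 16:47:15 "Unknown" <Unknown> Unknown 00380449536745 default SIP/66.199.242.101-09da5230 IAX2/out-516 Dial iax2/out/00380449536745 8 7 ANSWERED 3 1237913235.1081',
    # Constructed record: a call from a named peer in its own context.
    '2009-03-24 17:02:40 "Home" <100> 100 0035312345678 phones SIP/homephone-09db0010 IAX2/out-2001 Dial iax2/out/0035312345678 65 60 ANSWERED 3 1237914160.1090',
]

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE).items():
        print(ip, s["calls"], "calls,", s["billsec"], "billed seconds ->", ", ".join(s["dsts"]))
```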
