Is anyone on your system?

What does "last" say?

Is your "ssh" service open to the outside?  Are you running the firewall?

Periodically, if you do a "netstat -t" does it show any external connections?


On 9/18/10 7:17 PM, Mark Phillips wrote:
> Hi Eric,
>
> Y'know I thought about our conversation just as this was happening. The
> bit I don't get is the getting into my system in the first instance and
> why do I show no calls in the log?
>
> I've tried making calls locally across the bench and they don't show up.
> Indeed, even inbound calls don't show up right away. Tonight I've
> witnessed calls somehow purged from the logs themselves. I made 2 calls
> to Broadvoice this evening which showed up in the log almost
> immediately; now they are gone.
>
> Clearly I need some schooling in security around here :)
>
> I think the MySIP UA thing is a "poison rouge". I'm thinking that the UA
> field remained populated just because the current user didn't override
> it with a new setting - an undocumented "feature" perhaps?
>
> I'm going back to dig through the logs some more.
>
> In the meantime, I had a thought about your hacker of last week and why
> the FW rule wasn't keeping him out. We forgot that the firewall is
> stateful. The rule would only affect new connections. Until the current
> connection had terminated it could continue to do its thing.
>
> Note to self, change FW rules - reboot firewall!
>
> Mark
>
> On 09/18/2010 09:07 PM, e...@kowalewski.com wrote:
>> Mark,
>>
>>      So then the hacker was able to hack you by:
>>
>> IP
>> SIP account name
>> SIP password
>>
>> ???
>>
>>      As you know, I was hacked my IP and SIP account, but they were
>> unable to get the password.  Would a static IP from your cell phone provider
>> help make a "guilty unless allowed access" strategy work?
>>
>>     Eric
>>
>> -----Original Message-----
>> From: Mark Phillips [mailto:g7...@g7ltt.com]
>> Sent: Saturday, September 18, 2010 8:55 PM
>> To: AstLinux Users Mailing List
>> Subject: [Astlinux-users] Call Theft again - questions
>>
>> Hi All,
>>
>> Well, for the second time in about a month I've been the victim of call
>> theft to the tune of almost $1000. It would seem that someone is able to
>> acquire an extension on my AstLinux box and use it to call Somalia for a
>> few minutes at a time over and over again until I catch it.
>>
>> Luckily this time my provider was on the lookout and trapped the theft
>> after about $250 of calls were made.
>>
>> To get to the point, Broadvoice's call log shows that I made a good many
>> calls to a particular number in Somalia but my log does not. Indeed, my
>> log as viewed via the AstLinux Management web interface shows that the
>> last call made by one of my users was at around 1030am today. The last
>> call to Somalia was at 5:48 tonight.
>>
>> I have a number of questions all related to SIP security but my biggest
>> question is "why don't the calls show up in my log?" My provider can
>> show logs demonstrating that the Somalia calls came from my IP address
>> and I did spot the odd one or 2 towards the end originating from an
>> extension within my number plan.
>>
>> So back to my SIP questions, I use a combination of hard and softphones
>> around the house and a softphone on my new Android phone. I occasionally
>> use a softphone on my laptop remotely via L2TP VPN.
>>
>> Each entry in my sip.conf file has this in it:
>>
>> deny=0.0.0.0/0.0.0.0
>> permit=192.168.201.0/255.255.255.0
>> permit=192.168.202.0/255.255.255.0
>>
>> but yet still the hacker/thief was able to get in.
>>
>> When I spotted the theft I noted that the thief was using exten 2201 (my
>> android softphone), the UA as reported by "sip show peer 2201" was
>> "MySIP" (an app I was never able to get working correctly) but yet my
>> Android wasn't running the MySIP softphone at the time.
>>
>> Could it be that the MySIP app was in fact some sort of Android Trojan?
>> How well, if at all, do the deny/permit parameters in sip.conf work?
>> How well does the SIP module in AstLinux stand up to brute force attacks
>> (I'm assuming the thief tried that as well)?
>>
>> I'm now so worried about another one of these occurrences that I'm
>> having to disable SIP access on my monoWall which in turn will impact my
>> ability to work.
>>
>> Ideas??
>>
>> Thanks
>>
>> Mark
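
The sip.conf deny/permit lines quoted above, as an added example that is not part of the thread: this Python script (helper names parse_acl, acl_allows and audit are assumed; the peer section and the sample source addresses are constructed) evaluates such an ACL the way Asterisk's ast_apply_ha does, walking the rules in file order with the last matching rule deciding and an unmatched address allowed by default, which is why the leading deny=0.0.0.0/0.0.0.0 matters.

```python
import ipaddress

# Constructed sample: the peer ACL quoted in the thread, wrapped in a section.
SIP_CONF_PEER = """
[2201]
type=friend
deny=0.0.0.0/0.0.0.0
permit=192.168.201.0/255.255.255.0
permit=192.168.202.0/255.255.255.0
"""

def parse_acl(section_text):
    """Return the ordered (sense, network) rules from a sip.conf section.
    Asterisk accepts both CIDR ('/24') and dotted netmask ('/255.255.255.0')."""
    rules = []
    for raw in section_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("permit", "deny"):
            rules.append((key, ipaddress.ip_network(value.strip(), strict=False)))
    return rules

def acl_allows(rules, source_ip):
    """Asterisk-style evaluation: start permissive, walk the rules in order,
    and let the LAST matching rule decide. An empty ACL allows everyone, and
    permit lines without a leading deny=0.0.0.0/0.0.0.0 restrict nothing."""
    addr = ipaddress.ip_address(source_ip)
    allowed = True
    for sense, net in rules:
        if addr in net:
            allowed = (sense == "permit")
    return allowed

def audit(section_text):
    """Flag the two mistakes that silently leave a peer reachable from anywhere."""
    rules = parse_acl(section_text)
    if not rules:
        return ["no deny/permit: peer accepts any source address"]
    if rules[0][0] != "deny" or rules[0][1].prefixlen != 0:
        return ["first rule is not deny=0.0.0.0/0.0.0.0: unmatched addresses are allowed"]
    return []

if __name__ == "__main__":
    rules = parse_acl(SIP_CONF_PEER)
    for ip in ("192.168.201.25", "192.168.202.7", "203.0.113.9"):  # constructed
        print(ip, "allowed" if acl_allows(rules, ip) else "denied")
    print(audit(SIP_CONF_PEER))
    print(audit("[2202]\npermit=192.168.201.0/255.255.255.0\n"))
```

Run it against each peer section of a real sip.conf to see which peers would still accept a registration or INVITE from an address outside the house networks.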


_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

