Hi again. We have installed sipxecs-4.0.4-017289 on CentOS 5.

This morning I saw some very strange records in my sipregister logs.

It looks like somebody is trying to register (or has registered
successfully) and make calls through our system with one of our extensions.
I checked on the Call Details Records screen and I see that a call to
00930820128 has failed. I cannot see any other records for this
registration and call in the logs.

FROM              TO           START            DURATION   STATUS
anon anon - xxx0  00930820128  2/23/10 6:43 AM  0 seconds  Failed

Was this extension hacked? How can I protect my system from this kind of
thing?

I attached sipregister logs.
nINVITE sip:00930820...@mysipserver.domain.tld SIP/2.0\r\nRecord-Route: <sip:xxxx.xxx.xxx.184:5060;lr>\r\nRoute: <sip:mysipserver.domain.tld:5070;transport=tcp;lr>\r\nVia: SIP/2.0/TCP xxxx.xxx.xxx.184;branch=z9hG4bK-sipXecs-1e9597ba381c76e013cb9185a37260f3500e\r\nVia: SIP/2.0/UDP 93.13.43.137:53899;branch=z9hG4bKF1E6158257655\r\nFrom: \"anon anon\" <sip:x...@mysipserver.domain.tld:53899>;tag=158257655\r\nTo: <sip:00930820...@mysipserver.domain.tld>\r\nCall-Id: 631aba8e-9d58-4609-87df-158257...@93.13.43.137\r\ncontact: <sip:x...@93.13.43.137:53899;x-sipX-nonat>\r\nCseq: 497 INVITE\r\nMax-Forwards: 20\r\nContent-Type: application/sdp\r\nUser-Agent: release 1105c\r\nContent-Length: 172\r\nDate: Tue, 23 Feb 2010 05:43:32 GMT\r\nX-Sipx-Spiral: true\r\n\r\nv=0\r\no=root 848892473 12345678 IN IP4 93.13.43.137\r\ns=session\r\nc=IN IP4 93.13.43.137\r\nt=0 0\r\nm=audio 53919 RTP/AVP 0\r\na=rtpmap:0 PCMA/8000\r\na=sendrecv\r\na=direction:active\r\n====================END===================="
"2010-02-23T05:43:32.420501Z":6334:OUTGOING:INFO:mysipserver.domain.tld:SipClientTcp-30:429BC940:SipRegistrar:"SipUserAgent::sendTcp TCP SIP User Agent sent message:\n----Remote Host:xxxx.xxx.xxx.184---- Port: 5060----\nSIP/2.0 100 Trying\r\nFrom: \"anon anon\" <sip:x...@mysipserver.domain.tld:53899>;tag=158257655\r\nTo: <sip:00930820...@mysipserver.domain.tld>\r\nCall-Id: 631aba8e-9d58-4609-87df-158257...@93.13.43.137\r\ncseq: 497 INVITE\r\nVia: SIP/2.0/TCP xxxx.xxx.xxx.184;branch=z9hG4bK-sipXecs-1e9597ba381c76e013cb9185a37260f3500e\r\nVia: SIP/2.0/UDP 93.13.43.137:53899;branch=z9hG4bKF1E6158257655\r\nRecord-Route: <sip:xxxx.xxx.xxx.184:5060;lr>\r\nContent-Length: 0\r\n\r\n--------------------END--------------------"
"2010-02-23T05:43:32.422084Z":6335:SIP:NOTICE:mysipserver.domain.tld:SipRedirectServer-13:403A1940:SipRegistrar:"ContactList::add(): [140-FALLBACK] SipRedirectorFallback added contact for 'sip:00930820...@mysipserver.domain.tld':\n   '<sip:00930820...@sipprovider.tld?route=xxxx.xxx.xxx.184%3a5090&expires=60>;q=0.9' (contact index 0)"
"2010-02-23T05:43:32.422276Z":6336:SIP:NOTICE:mysipserver.domain.tld:SipRedirectServer-13:403A1940:SipRegistrar:"ContactList::set(): [999-AUTHROUTER] SipRedirectorAuthRouter modified contact index 0 for 'sip:00930820...@mysipserver.domain.tld':\n   was:    '<sip:00930820...@sipprovider.tld?route=xxxx.xxx.xxx.184%3a5090&expires=60>;q=0.9'\n   now is: '<sip:00930820...@sipprovider.tld?expires=60&ROUTE=%3Csip%3Axxxx.xxx.xxx.184%3A5060%3Blr%3E%2Cxxxx.xxx.xxx.184%3A5090>;q=0.9'"
"2010-02-23T05:43:32.423003Z":6337:OUTGOING:INFO:mysipserver.domain.tld:SipRedirectServer-13:403A1940:SipRegistrar:"SipUserAgent::sendTcp TCP SIP User Agent sent message:\n----Remote Host:xxxx.xxx.xxx.184---- Port: 5060----\nSIP/2.0 302 Moved Temporarily\r\nFrom: \"anon anon\" <sip:x...@mysipserver.domain.tld:53899>;tag=158257655\r\nTo: <sip:00930820...@mysipserver.domain.tld>;tag=c86acbfd\r\nCall-Id: 631aba8e-9d58-4609-87df-158257...@93.13.43.137\r\ncseq: 497 INVITE\r\nVia: SIP/2.0/TCP xxxx.xxx.xxx.184;branch=z9hG4bK-sipXecs-1e9597ba381c76e013cb9185a37260f3500e\r\nVia: SIP/2.0/UDP 93.13.43.137:53899;branch=z9hG4bKF1E6158257655\r\nRecord-Route: <sip:xxxx.xxx.xxx.184:5060;lr>\r\nContact: <sip:00930820...@sipprovider.tld?expires=60&ROUTE=%3Csip%3Axxxx.xxx.xxx.184%3A5060%3Blr%3E%2Cxxxx.xxx.xxx.184%3A5090>;q=0.9\r\nUser-Agent: sipXecs/4.0.4 sipXecs/registry (Linux)\r\nDate: Tue, 23 Feb 2010 05:43:32 GMT\r\nAllow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, REGISTER, SUBSCRIBE\r\nAccept-Language: en\r\nSupported: gruu, path\r\nContent-Length: 0\r\n\r\n--------------------END--------------------"
"2010-02-23T05:43:32.424203Z":6338:INCOMING:INFO:mysipserver.domain.tld:SipClientTcp-30:429BC940:SipRegistrar:"Read SIP message:\n----Remote Host:xxxx.xxx.xxx.184---- Port: 37705----\nACK sip:00930820...@mysipserver.domain.tld SIP/2.0\r\nRoute: <sip:mysipserver.domain.tld:5070;transport=tcp;lr>\r\nContact: <sip:x...@93.13.43.137:53899;x-sipX-nonat>\r\nFrom: \"anon anon\" <sip:x...@mysipserver.domain.tld:53899>;tag=158257655\r\nTo: <sip:00930820...@mysipserver.domain.tld>;tag=c86acbfd\r\nCall-Id: 631aba8e-9d58-4609-87df-158257...@93.13.43.137\r\ncseq: 497 ACK\r\nMax-Forwards: 20\r\nVia: SIP/2.0/TCP xxxx.xxx.xxx.184;branch=z9hG4bK-sipXecs-1e9597ba381c76e013cb9185a37260f3500e\r\nContent-Length: 0\r\n\r\n====================END===================="
_______________________________________________
sipx-users mailing list sipx-users@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
sipXecs IP PBX -- http://www.sipfoundry.org/
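
A triage sketch for log entries in the format shown in the post above, added here as an example (it is not part of the original message and is not sipXecs code). It unescapes the SIP message embedded in each entry and lists incoming INVITEs to `00`-prefixed numbers whose last Via hop lies outside the networks declared local. The function names, `LOCAL_NETS` and the sample entries are constructed assumptions.

```python
import ipaddress
import re

# Entry layout: "timestamp":seq:FACILITY:PRIORITY:host:task:thread:process:"message"
ENTRY = re.compile(r'^"(?P<ts>[^"]+)":\d+:(?P<fac>\w+):\w+:[^:]*:[^:]*:[^:]*:[^:]*:"(?P<msg>.*)"$')

def parse_entry(line):
    """Split one log entry into timestamp, facility, SIP start line and headers."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    # The SIP text is logged with literal \r\n, \n and \" escape sequences.
    lines = m["msg"].replace(r"\r\n", "\n").replace(r"\n", "\n").replace(r'\"', '"').split("\n")
    start = next((i for i, ln in enumerate(lines) if "SIP/2.0" in ln), len(lines))
    headers = {}
    for ln in lines[start + 1:]:
        if not ln.strip():
            break  # blank line ends the header section
        name, _, value = ln.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"ts": m["ts"], "facility": m["fac"], "start_line": "".join(lines[start:start + 1]), "headers": headers}

def is_external(host, local_nets):
    try:
        return not any(ipaddress.ip_address(host) in ipaddress.ip_network(n) for n in local_nets)
    except ValueError:
        return True  # hostname or redacted value: cannot be shown to be local

def find_external_toll_invites(log_lines, local_nets, prefix="00"):
    """Incoming INVITEs to `prefix` numbers whose last Via (hop nearest the caller) is not local."""
    findings = []
    for e in filter(None, map(parse_entry, log_lines)):
        dialed = re.match(r"INVITE sips?:([^@\s]+)@", e["start_line"])
        if e["facility"] != "INCOMING" or not dialed or not dialed.group(1).startswith(prefix):
            continue
        # The Via sent-by value is written by the sender, so treat it as a lead, not proof.
        hop = re.match(r"SIP/2\.0/\w+\s+([^;:\s]+)", e["headers"].get("via", [""])[-1])
        origin = hop.group(1) if hop else None
        if is_external(origin, local_nets):
            findings.append({"ts": e["ts"], "dialed": dialed.group(1), "origin": origin,
                             "user_agent": e["headers"].get("user-agent", [""])[0]})
    return findings

# Constructed sample entries using documentation addresses, not data from the post.
LOCAL_NETS = ["192.0.2.0/24", "10.0.0.0/8"]
SAMPLE_LOG = [
    r'"2010-01-01T00:00:01.000000Z":1:INCOMING:INFO:pbx.example.com:SipClientTcp-1:4A0:SipRegistrar:"Read SIP message:\n----Remote Host:192.0.2.10---- Port: 5060----\nINVITE sip:00123456789@pbx.example.com SIP/2.0\r\nVia: SIP/2.0/TCP 192.0.2.10;branch=z9hG4bK-a\r\nVia: SIP/2.0/UDP 203.0.113.7:53899;branch=z9hG4bK-b\r\nFrom: \"anon anon\" <sip:200@pbx.example.com>;tag=1\r\nUser-Agent: sample-ua\r\n\r\n====END===="',
    r'"2010-01-01T00:00:02.000000Z":2:INCOMING:INFO:pbx.example.com:SipClientTcp-1:4A0:SipRegistrar:"Read SIP message:\n----Remote Host:192.0.2.10---- Port: 5060----\nINVITE sip:00123456789@pbx.example.com SIP/2.0\r\nVia: SIP/2.0/TCP 192.0.2.10;branch=z9hG4bK-c\r\nVia: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK-d\r\nFrom: <sip:201@pbx.example.com>;tag=2\r\nUser-Agent: desk-phone\r\n\r\n====END===="',
    r'"2010-01-01T00:00:03.000000Z":3:SIP:NOTICE:pbx.example.com:SipRedirectServer-1:4A0:SipRegistrar:"ContactList::add(): constructed non-SIP entry"',
]
```

Feed it the lines of your own registrar log and list your phone and proxy subnets in `LOCAL_NETS`; each finding gives the timestamp, dialed number, originating hop and User-Agent to compare against the phones you actually deploy.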
