> Hi again. Yesterday we changed the password for this user
> that was compromised, but last night around 1 o'clock I see
> that there were more attempts to call through our system.
> Something is really going wrong. As Tony explained, this looks
> like something related to sipXproxy. The only records that
> I see for these requests are in sipregister.log and sipXproxy.log.
>
> Something very interesting for me in the log records were the
> following things.
>
> In several places I see that the proxy returns to the user: "Proxy
> Authentication Required". But after several tries it looks to
> me that the user bypasses the authentication problem and makes the call to To:
> <sip:00930820...@mysipserver.domain.tld> and gets a Not Found message.

If a malicious person has discovered your sipXecs IP address and it is
publicly reachable, then that person can send SIP INVITEs to your
system all day long even without any users on your system being
compromised.  sipXecs will accept the INVITE, look at the called URI and
try to route it.  If it cannot map the URI to any destination using
configured aliases, registration data or dialplans, then a 404 Not Found
gets sent back.  On the other hand, if the URI maps to a destination,
then sipXproxy will check whether that destination requires permissions.
If it does, the caller will be challenged, and that caller will only be
able to successfully complete the call if it knows the credentials of a
local SIP user that has the required permissions.  If the call does not
require any permissions, it will just go through.

So, to make a long story short, based on your observations, nothing
indicates that a user has been compromised.  What is clear is that
someone found your SIP proxy on the network and is trying to use it to
make expensive calls.  These attempts to make such calls will fail as
long as every dialplan in your sipXecs requires at least one permission
and the SIP passwords for your users are non-trivial.


>
> This really looks to me like this user is able to make calls
> and somehow bypass Proxy Authorization. How can this be? Does
> sipXproxy have some security vulnerabilities? I blocked this
> IP in the firewall, but anyway I need to find a way to make this
> more secure.
>
> How did this user bypass proxy authorization (if it was bypassed)?
>
> How do I protect my system from this?
>
> This extension is set on a hard phone, so everything should be OK.
>
> I attach logs from sipregister and sipXproxy.
> 
> On Tue, 2010-02-23 at 05:07 -0500, Tony Graziano wrote:
> > That looks like a proxy log. The call is being initiated from a user
> > line, but the user is "xxx'd" out by you.
> >
> > Since the call is using TCP, my guess is that it is a remote user or a
> > user with a softphone, and the user has been hacked.
> >
> > Since the user has to pass through the proxy credentials in order to
> > place a call, and if you feel the user has been compromised, you
> > should remove the user or change the user's credentials and have
> > him/her get their system checked out before providing them with the
> > credentials to authenticate.
> >
> > It is also possible a user changed their softphone username/password
> > to say "anon anon" and is trying to place the call.
> >
> > On Tue, Feb 23, 2010 at 4:38 AM, an...@iguanait.com
> > <an...@iguanait.com> wrote:
> >         Hi again. We have installed sipxecs-4.0.4-017289 on Centos 5.
> >
> >         This morning I saw some very strange records in my sipregister
> >         logs.
> >
> >         It looks like somebody is trying (or has registered successfully)
> >         to register and make calls through our system with one of our
> >         extensions.
> >         I checked on the Call Details Records screen and I see that the call
> >         to 00930820128 has failed. I cannot see any other records for this
> >         registration and call in the logs.
> >
> >         FROM             TO           START            DURATION   STATUS
> >         anon anon - xxx0 00930820128  2/23/10 6:43 AM  0 seconds  Failed
> >
> >         Was this extension hacked? How can I protect my system from
> >         this kind of thing?
> >
> >         I attached the sipregister logs.
> >
> >         _______________________________________________
> >         sipx-users mailing list sipx-users@list.sipfoundry.org
> >         List Archive: http://list.sipfoundry.org/archive/sipx-users
> >         Unsubscribe:
> >         http://list.sipfoundry.org/mailman/listinfo/sipx-users
> >         sipXecs IP PBX -- http://www.sipfoundry.org/
> > 
> > 
> > 
> > --
> > ======================
> > Tony Graziano, Manager
> > Telephone: 434.984.8430
> > Fax: 434.984.8431
> > 
> > Email: tgrazi...@myitdepartment.net
> > 
> > LAN/Telephony/Security and Control Systems Helpdesk:
> > Telephone: 434.984.8426
> > Fax: 434.984.8427
> > 
> > Helpdesk Contract Customers:
> > http://www.myitdepartment.net/gethelp/
> > 
> > Why do mathematicians always confuse Halloween and Christmas?
> > Because 31 Oct = 25 Dec.
> > 
> > 
> 
> 
_______________________________________________
sipx-users mailing list sipx-users@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
sipXecs IP PBX -- http://www.sipfoundry.org/
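The decision sequence described in the reply above (route the called URI; 404 when nothing matches; 407 digest challenge when the matched destination needs a permission; forward only for a credentialed local user holding that permission) as an added, self-contained simulation. This is illustration code written for this thread, not sipXecs or sipXproxy code: the user table, registrations, dialplan, the `route`, `handle_invite` and `client_attempt` functions and the gateway names are all constructed assumptions; only the realm `mysipserver.domain.tld`, the dialed number 00930820128 and the "anon" username come from the thread. The digest arithmetic is the standard RFC 2617 / RFC 3261 MD5 scheme without qop.

```python
import hashlib
import hmac
import secrets

# Everything below is constructed for illustration; it is not sipXecs code.
REALM = "mysipserver.domain.tld"          # domain taken from the thread's To: URI

# Constructed local users: username -> (SIP password, permissions granted)
USERS = {
    "1001": ("correct-horse-battery", {"LocalDialing"}),
    "1002": ("hunter2", set()),           # valid user, but no dialing permissions
}
# Constructed registrations: local extension -> registered contact
REGISTRATIONS = {"1001": "sip:1001@10.0.0.11", "1002": "sip:1002@10.0.0.12"}
# Constructed dialplan: (dialed prefix, required permission, gateway).
# There is deliberately no rule for "00" international numbers, so those
# calls cannot be routed at all and are rejected with 404 before any
# credential check, as in the thread's logs.
DIALPLANS = [("9", "LocalDialing", "sip:gw-local.example")]

_issued_nonces = set()   # nonces the proxy handed out and has not yet consumed


def route(called):
    """Map the called user part to a destination: registrations first, then
    dialplans. Returns (target, required_permission) or None when nothing
    matches (which the proxy answers with 404 Not Found)."""
    if called in REGISTRATIONS:
        return REGISTRATIONS[called], None
    for prefix, permission, gateway in DIALPLANS:
        if called.startswith(prefix):
            return gateway, permission
    return None


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce):
    """RFC 2617 / RFC 3261 MD5 digest (no qop), as a SIP client computes it."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def handle_invite(called, auth=None):
    """Simulate the proxy's decision for an INVITE to sip:<called>@REALM.
    auth is None or a dict {username, nonce, response} standing in for the
    Proxy-Authorization header. Returns (status line, nonce-if-challenged)."""
    uri = f"sip:{called}@{REALM}"
    dest = route(called)
    if dest is None:
        # No alias, registration or dialplan matches: rejected before any
        # credential check, so a 404 says nothing about user compromise.
        return "404 Not Found", None
    target, permission = dest
    if permission is None:
        return f"FORWARD {target}", None          # no permission needed: goes through
    # Destination requires a permission: challenge unless credentials verify.
    if auth is not None and auth.get("nonce") in _issued_nonces:
        user = USERS.get(auth.get("username"))
        if user is not None:
            password, permissions = user
            expected = digest_response(auth["username"], password, "INVITE", uri, auth["nonce"])
            if hmac.compare_digest(expected, auth.get("response", "")):
                _issued_nonces.discard(auth["nonce"])   # single use
                if permission in permissions:
                    return f"FORWARD {target}", None
                return "403 Forbidden", None       # authenticated, not authorised
    nonce = secrets.token_hex(8)
    _issued_nonces.add(nonce)
    return "407 Proxy Authentication Required", nonce


def client_attempt(called, username, password):
    """Drive one caller through the exchange: INVITE, 407, INVITE with digest."""
    status, nonce = handle_invite(called)
    if not status.startswith("407"):
        return status
    response = digest_response(username, password, "INVITE", f"sip:{called}@{REALM}", nonce)
    status, _ = handle_invite(called, {"username": username, "nonce": nonce, "response": response})
    return status


if __name__ == "__main__":
    print(handle_invite("00930820128")[0])                    # 404: nothing routes it
    print(client_attempt("91234567", "anon", "anon"))           # 407: guessed creds fail
    print(client_attempt("91234567", "1001", "correct-horse-battery"))  # FORWARD
    print(client_attempt("91234567", "1002", "hunter2"))        # 403: lacks permission
```

Run as a script, it reproduces the pattern in the reported logs: an unroutable number is answered 404 with no authentication involved, while a routable call to a permission-protected dialplan is answered 407 until a caller presents a correct digest for a local user that actually holds the permission. A 407 followed by a 404 in the logs is therefore the proxy rejecting two different requests for two different reasons, not a caller getting past the challenge.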
