Thanks a lot. Your explanation makes me feel happy now :) The whole
scene is now clear to me.

Thanks again!

On Wed, 2010-02-24 at 11:12 -0500, Robert Joly wrote:
> > Hi again. Yesterday we changed the password for this user 
> > that was compromised, but last night around 1 o'clock I saw 
> > that there were more attempts to call through our system. 
> > Something is really going wrong. As Tony explained, this looks 
> > like something related to sipXproxy. The only records that 
> > I see for these requests are in sipregister.log and sipXproxy.log.
> > 
> > Something very interesting for me in the log records was the 
> > following.
> > 
> > In several places I see that the proxy returns "Proxy 
> > Authentication Required" to the user. But after several tries it looks to 
> > me like the user bypasses the authentication problem and makes the call to To:
> > <sip:00930820...@mysipserver.domain.tld> and gets a Not Found message. 
> 
> If a malicious person discovered your sipXecs IP address and it is
> publicly reachable, then that person can send SIP INVITEs to your
> system all day long even without any users on your system being
> compromised.  sipXecs will accept the INVITE, look at the called URI and
> try to route it.  If it cannot map the URI to any destination using
> configured aliases, registration data or dialplans, then a 404 Not Found
> gets sent back.  On the other hand, if the URI maps to a destination,
> then sipXproxy will check whether that destination requires permissions.
> If it does, the caller will be challenged, and that caller will only be
> able to successfully complete the call if it knows the credentials of a
> local SIP user that has the required permissions. If the call does not
> require any permissions, it will just go through.
> 
> So, to make a long story short, based on your observations, nothing
> indicates that a user has been compromised.  What is clear is that
> someone found your SIP proxy in the network and is trying to use it to
> make expensive calls.  These attempts to make such calls will fail so
> long as every dialplan in your sipXecs requires at least one permission
> and the SIP passwords for your users are non-trivial.
> 
> 
> > 
> > It really looks to me like this user is able to make calls 
> > and somehow bypass Proxy Authorization. How can this be? Does 
> > sipXproxy have some security vulnerabilities? I blocked this 
> > IP in the firewall, but anyway I need to find a way to make this 
> > more secure.
> > 
> > How did this user bypass proxy authorization (if it did bypass it)? 
> > 
> > How do I protect my system from this? 
> > 
> > This extension is set on a hard phone, so everything should be OK.
> > 
> > I attach logs from sipregister and sipXproxy.
> > 
> > On Tue, 2010-02-23 at 05:07 -0500, Tony Graziano wrote:
> > > That looks like a proxy log. The call is being initiated from a user 
> > > line, but the user is "xxx'd" out by you.
> > > 
> > > 
> > > Since the call is using TCP, my guess is that it is a remote user or a 
> > > user with a softphone, and the user has been hacked.
> > > 
> > > 
> > > Since the user has to pass through the proxy credentials in order to 
> > > place a call, and if you feel the user has been compromised, you 
> > > should remove the user or change the user's credentials and have 
> > > him/her get their system checked out before providing them with the 
> > > credentials to authenticate.
> > > 
> > > 
> > > It is also possible a user changed their softphone username/password 
> > > to, say, "anon anon" and is trying to place the call.
> > > 
> > > On Tue, Feb 23, 2010 at 4:38 AM, an...@iguanait.com 
> > > <an...@iguanait.com> wrote:
> > >         Hi again. We have installed sipxecs-4.0.4-017289 on CentOS 5.
> > >         
> > >         This morning I saw some very strange records in my sipregister
> > >         logs.
> > >         
> > >         It looks like somebody is trying to (or has successfully managed to)
> > >         register and make calls through our system with one of our
> > >         extensions.
> > >         I checked on the Call Detail Records screen and I see that the call
> > >         to 00930820128 has failed. I cannot see any other records for this
> > >         registration and call in the logs.
> > >         
> > >         FROM             TO          START           DURATION  STATUS
> > >         anon anon - xxx0 00930820128 2/23/10 6:43 AM 0 seconds Failed
> > >         
> > >         Was this extension hacked? How can I protect my system from
> > >         this kind of thing?
> > >         
> > >         I attached the sipregister logs.
> > >         
> > >         _______________________________________________
> > >         sipx-users mailing list sipx-users@list.sipfoundry.org
> > >         List Archive: http://list.sipfoundry.org/archive/sipx-users
> > >         Unsubscribe:
> > >         http://list.sipfoundry.org/mailman/listinfo/sipx-users
> > >         sipXecs IP PBX -- http://www.sipfoundry.org/
> > > 
> > > 
> > > 
> > > --
> > > ======================
> > > Tony Graziano, Manager
> > > Telephone: 434.984.8430
> > > Fax: 434.984.8431
> > > 
> > > Email: tgrazi...@myitdepartment.net
> > > 
> > > LAN/Telephony/Security and Control Systems Helpdesk:
> > > Telephone: 434.984.8426
> > > Fax: 434.984.8427
> > > 
> > > Helpdesk Contract Customers:
> > > http://www.myitdepartment.net/gethelp/
> > > 
> > > Why do mathematicians always confuse Halloween and Christmas?
> > > Because 31 Oct = 25 Dec.
> > > 
> > > 
> > 
> > 


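The routing decision Robert describes (no matching route gives 404, a route that requires a permission gives 407 until valid credentials of a user holding that permission arrive, otherwise the call is forwarded) can be written down as a small model, and the same distinction can be applied to the proxy's answers per source IP to tell a prefix scanner that never gets a call through from one that has obtained working credentials. The following is an added example in Python, not sipXecs code and not the real sipXproxy.log format: the dialplan, the user table, the log lines and the IP addresses are constructed for the illustration, and answering 403 to an authenticated user who lacks the permission is an assumption of the model.

```python
# Added example (not sipXecs code): a model of the routing decision described
# in the thread, plus a triage pass over constructed proxy log lines.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    pattern: str               # regex on the dialed user part of the Request-URI
    permission: Optional[str]  # None: destination needs no permission


@dataclass
class User:
    password: str
    permissions: frozenset


# Hypothetical dialplan and user table (assumptions, not a real sipXecs export).
DIALPLAN = [
    Rule(r"^[2-5]\d{2}$", None),                  # local extensions
    Rule(r"^9\d{10}$", "LongDistanceDialing"),    # national calls
    Rule(r"^00\d{6,}$", "InternationalDialing"),  # international via 00 prefix
]
USERS = {"200": User("correct horse battery staple", frozenset({"LongDistanceDialing"}))}


def handle_invite(dialed, auth=None, dialplan=DIALPLAN, users=USERS):
    """Status the proxy answers an INVITE with, following the thread's
    explanation: no route -> 404; a route that needs a permission -> 407 until
    valid credentials arrive; authenticated but lacking the permission -> 403
    (an assumption of this model); otherwise the call is forwarded."""
    rule = next((r for r in dialplan if re.match(r.pattern, dialed)), None)
    if rule is None:
        return "404 Not Found"
    if rule.permission is None:
        return "forwarded"
    if auth is None:
        return "407 Proxy Authentication Required"
    name, password = auth
    user = users.get(name)
    if user is None or user.password != password:
        return "407 Proxy Authentication Required"   # bad credentials: challenge again
    if rule.permission not in user.permissions:
        return "403 Forbidden"
    return "forwarded"


# Constructed, simplified log lines (not the real sipXproxy.log format):
# timestamp, source IP, INVITE target, final status the proxy sent back.
SAMPLE_LOG = """\
2010-02-24T01:02:51 198.51.100.23 INVITE sip:00930820128@mysipserver.domain.tld -> 407
2010-02-24T01:02:52 198.51.100.23 INVITE sip:00930820128@mysipserver.domain.tld -> 407
2010-02-24T01:02:53 198.51.100.23 INVITE sip:00930820128@mysipserver.domain.tld -> 407
2010-02-24T01:02:54 198.51.100.23 INVITE sip:011930820128@mysipserver.domain.tld -> 404
2010-02-24T01:02:55 198.51.100.23 INVITE sip:930820128@mysipserver.domain.tld -> 404
2010-02-24T08:15:02 192.0.2.45 INVITE sip:00441632960123@mysipserver.domain.tld -> 407
2010-02-24T08:15:02 192.0.2.45 INVITE sip:00441632960123@mysipserver.domain.tld -> 200
2010-02-24T03:40:10 203.0.113.9 INVITE sip:011930820128@mysipserver.domain.tld -> 404
2010-02-24T03:40:11 203.0.113.9 INVITE sip:930820128@mysipserver.domain.tld -> 404
2010-02-24T03:40:12 203.0.113.9 INVITE sip:00930820128@mysipserver.domain.tld -> 407
2010-02-24T03:40:13 203.0.113.9 INVITE sip:00930820128@mysipserver.domain.tld -> 200
"""
LOG_RE = re.compile(r"^\S+ (?P<src>[\d.]+) INVITE sip:(?P<dialed>[^@]+)@\S+ -> (?P<status>\d{3})")


def triage(log_text, probe_threshold=3):
    """Per source IP: did the proxy ever forward a call, and did the source
    look like a prefix scanner (several 404/407 answers, at least one 404)?"""
    stats = defaultdict(lambda: {"challenged": 0, "not_found": 0, "forwarded": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        s, status = stats[m["src"]], m["status"]
        if status == "407":
            s["challenged"] += 1
        elif status == "404":
            s["not_found"] += 1
        elif status[0] in "12":
            s["forwarded"] += 1
    verdicts = {}
    for src, s in stats.items():
        probing = s["challenged"] + s["not_found"] >= probe_threshold and s["not_found"] > 0
        if probing and s["forwarded"]:
            verdicts[src] = "scanner got a call through: rotate that user's SIP password"
        elif probing:
            verdicts[src] = "probing only, nothing forwarded: block the IP, no compromise shown"
        elif s["forwarded"]:
            verdicts[src] = "challenged then forwarded: normal digest flow for a registered phone"
        else:
            verdicts[src] = "no calls completed"
    return verdicts


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG).items():
        print(src, verdict)
```

The point of the triage pass is the one made in the thread: a run of 407 and 404 answers from one address with nothing ever forwarded is a scanner being refused, not a compromised user, while a 407 followed by a forwarded call is the normal digest exchange for any registered phone and only becomes alarming when it comes from an address that was also probing.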