On Wed, 2010-02-24 at 11:12 -0500, Robert Joly wrote:
> > Hi again. Yesterday we changed the password for this user
> > that was compromised, but last night around 1 o'clock I see
> > that there were other tries to call through our system.
> > Something is really going wrong. As Tony explained this looks
> > like something related with sipxproxy. The only records that
> > I see for these requests are in sipregister.log and sipXproxy.log
> >
> > Something very interesting for me in the log records were the
> > following things.
> >
> > In several places I see that proxy returns to user: "Proxy
> > Authentication Required". But after several tries it looks to
> > me that user bypass authentication problem and make the call to To:
> > <sip:00930820...@mysipserver.domain.tld> and get Not Found Message.
>
> If a malicious person discovered your sipXecs IP address and it is
> publicly reachable, then that person can send SIP INVITEs to your
> system all day long even without any users on your system being
> compromised. sipXecs will accept the INVITE, look at the called URI and
> try to route it. If it cannot map the URI to any destination using
> configured aliases, registration data or dialplans then a 404 Not Found
> gets sent back. On the other hand, if the URI maps to a destination,
> then sipXproxy will check whether that destination requires permissions.
> If it does, the caller will be challenged and that caller will only be
> able to successfully complete the call if it knows the credentials of a
> local SIP user that has the required permissions. If the call does not
> require any permissions, it will just go through.
>
> So, to make a long story short, based on your observations, nothing
> indicates that a user has been compromised. What is clear is that
> someone found your SIP Proxy in the network and is trying to use it to
> make expensive calls. These attempts to make such calls will fail so
> long as every dialplan in your sipXecs requires at least one permission
> and that SIP passwords for your users are non-trivial.
>
For a checklist on how to make sure you don't pay for other people's calls, see:
http://wiki.sipfoundry.org/display/xecsuserV4r0/Securing+Calls+to+the+PSTN
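
The routing decision described in the quoted reply above, modelled as an added example (not part of the original thread and not sipXecs code) so a dialplan can be checked for PSTN rules that an unauthenticated INVITE would complete. The Rule structure, rule names, permission names, users and numbers are constructed for illustration, and the "rejected" outcome for an authenticated caller without the permission is an assumption, since the thread does not name that response.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str                       # regex on the user part of the called URI
    required: frozenset = frozenset()  # permissions needed (caller must hold all: assumption)
    to_pstn: bool = False              # True when the rule hands the call to a gateway

def match(dialed, rules):
    """First rule whose pattern covers the dialed string, or None."""
    return next((r for r in rules if re.fullmatch(r.pattern, dialed)), None)

def route(dialed, rules, caller=None, user_perms=None):
    """Outcome for one INVITE. caller = local SIP user whose credentials were proven."""
    rule = match(dialed, rules)
    if rule is None:
        return "404 Not Found"                      # nothing maps the URI
    if not rule.required:
        return "forwarded"                          # no permission needed: goes through
    if caller is None:
        return "407 Proxy Authentication Required"  # challenge
    held = (user_perms or {}).get(caller, frozenset())
    return "forwarded" if rule.required <= held else "rejected"

def unauthenticated_exposure(rules, probes):
    """PSTN-bound dial strings an anonymous INVITE completes, mapped to the rule hit."""
    hits = {}
    for dialed in probes:
        rule = match(dialed, rules)
        if rule and rule.to_pstn and route(dialed, rules) == "forwarded":
            hits[dialed] = rule.name
    return hits

# Constructed dialplan, users and test numbers; names are hypothetical.
RULES = [
    Rule("internal", r"2\d{3}"),
    Rule("local", r"9\d{7}", frozenset({"LocalDialing"}), to_pstn=True),
    Rule("international", r"00\d{6,15}", to_pstn=True),   # weak: no permission
]
FIXED = RULES[:2] + [Rule("international", r"00\d{6,15}", frozenset({"InternationalDialing"}), to_pstn=True)]
USERS = {"alice": frozenset({"LocalDialing", "InternationalDialing"}), "bob": frozenset({"LocalDialing"})}
PROBES = ["2001", "91234567", "00123456789", "555"]

if __name__ == "__main__":
    print("before:", unauthenticated_exposure(RULES, PROBES))
    print("after: ", unauthenticated_exposure(FIXED, PROBES))
    for who in (None, "bob", "alice"):
        print(who, "->", route("00123456789", FIXED, who, USERS))
```

With the permission added, the same anonymous INVITE is challenged with 407 instead of being forwarded, and a number matching no rule still gets 404, which is the pattern seen in the logs discussed in the thread.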