
Thread: Hacking attempts

  1. #1

    Hacking attempts

    Best wishes for a great 2011 to All and thanks for all the comments and suggestions last year!

    From the logs for "Unsuccessful Outgoing Calls" in Call Statistics, I was surprised that there were entries, potentially hacking ones, examples as follows. I don't appear to have observed these types of hacking entries before and the Quadro M8L has been locked down with no changes for some time.

    08-Jan-2011 07:37:04 "asterisk" <asterisk@91.203.41.6>(system/CR) 442073479999@sip.epygi.com "User Not Found"
    08-Jan-2011 07:37:04 "asterisk" <asterisk@91.203.41.6>(system/CR) 011442073479999@sip.epygi.com "User Not Found"


    22-Dec-2010 22:22:24 "asterisk" <asterisk@206.214.219.54>(system/CR) 82442073479999@sip.epygi.com "User Not Found"
    22-Dec-2010 22:22:24 "asterisk" <asterisk@206.214.219.54>(system/CR) **10442073479999@sip.epygi.com "User Not Found"
    22-Dec-2010 22:22:24 "asterisk" <asterisk@206.214.219.54>(system/CR) 10442073479999@sip.epygi.com "User Not Found"

    20-Dec-2010 02:56:47 "asterisk" <asterisk@67.205.89.121>(system/CR) 10442073479999@sip.epygi.com "User Not Found"

    Question:
    1. By inference, it looks like this user has obtained access but was unable to originate calls. User "asterisk" has never been defined on the Quadro, so how could this actually generate an unsuccessful call?
    2. How do I stop this type of hacking attempt? I can understand the unsuccessful registrations that we often see in the Events log but this is quite different as it seems that access to the system has been achieved (or not?)?
    3. These appear to be transactions related to the Epygi SIP server registrations and, if so, can a report and trace to the rogue system be made for this abuse and illegal activity?

    Comments and assistance much appreciated.
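
    The six entries quoted above carry enough structure to be parsed and triaged automatically rather than eyeballed. The Python below is an added example written for this page, not Epygi code or anything from the Quadro: it parses "Unsuccessful Outgoing Calls" lines in exactly the quoted format, skips callers that are configured extensions (the extension list here is a hypothetical placeholder), and groups the remaining dials by their trailing digits so that one destination dialled with several different prefixes from one source shows up as a single finding listing the prefixes tried. The log lines are the ones from this post; the extension numbers and the 10-digit grouping window are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the "Unsuccessful Outgoing Calls" entries quoted in the post above.
LOG_LINES = [
    '08-Jan-2011 07:37:04 "asterisk" <asterisk@91.203.41.6>(system/CR) 442073479999@sip.epygi.com "User Not Found"',
    '08-Jan-2011 07:37:04 "asterisk" <asterisk@91.203.41.6>(system/CR) 011442073479999@sip.epygi.com "User Not Found"',
    '22-Dec-2010 22:22:24 "asterisk" <asterisk@206.214.219.54>(system/CR) 82442073479999@sip.epygi.com "User Not Found"',
    '22-Dec-2010 22:22:24 "asterisk" <asterisk@206.214.219.54>(system/CR) **10442073479999@sip.epygi.com "User Not Found"',
    '22-Dec-2010 22:22:24 "asterisk" <asterisk@206.214.219.54>(system/CR) 10442073479999@sip.epygi.com "User Not Found"',
    '20-Dec-2010 02:56:47 "asterisk" <asterisk@67.205.89.121>(system/CR) 10442073479999@sip.epygi.com "User Not Found"',
]

# Assumed (hypothetical): the extensions actually configured on this Quadro.
KNOWN_EXTENSIONS = {"11", "12", "13"}

# One call statistics line: timestamp, display name, user@host, route, dialed@destination, result.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) '
    r'"(?P<display>[^"]*)" <(?P<user>[^@>]+)@(?P<host>[^>]+)>\((?P<via>[^)]*)\) '
    r'(?P<dialed>\S+)@(?P<dest>\S+) "(?P<result>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def common_suffix(strings):
    """Longest suffix shared by every string in the list (the destination behind the prefixes)."""
    s = strings[0]
    for t in strings[1:]:
        i = 0
        while i < min(len(s), len(t)) and s[-1 - i] == t[-1 - i]:
            i += 1
        s = s[len(s) - i:]
    return s


def analyze(lines, known_extensions, min_core_digits=10):
    """One finding per (source host, caller, destination) for callers that are not configured extensions.

    Dials are grouped by their last `min_core_digits` digits, so '442073479999', '011442073479999'
    and '**10442073479999' all land in the same group; the prefixes are whatever precedes the
    common suffix of that group.
    """
    by_core = defaultdict(set)      # core digits -> every distinct dialled string seen for them
    by_source = defaultdict(list)   # (host, user, core) -> dialled strings, one per attempt
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] in known_extensions:
            continue  # malformed line, or a genuine extension: not what we are hunting
        digits = re.sub(r"\D", "", rec["dialed"])
        if len(digits) < min_core_digits:
            continue  # too short to be an external destination
        core = digits[-min_core_digits:]
        by_core[core].add(rec["dialed"])
        by_source[(rec["host"], rec["user"], core)].append(rec["dialed"])

    findings = []
    for (host, user, core), dialed in sorted(by_source.items()):
        target = common_suffix(sorted(by_core[core]))
        prefixes = sorted({d[: len(d) - len(target)] for d in dialed})
        findings.append({
            "source": host,
            "user": user,
            "target": target,
            "prefixes": prefixes,
            "attempts": len(dialed),
            "prefix_enumeration": len(set(dialed)) > 1,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(LOG_LINES, KNOWN_EXTENSIONS):
        print(f"{f['source']:>16} user={f['user']} target={f['target']} "
              f"prefixes={f['prefixes']} attempts={f['attempts']} enumeration={f['prefix_enumeration']}")
```

    Run against the quoted lines, all three source hosts resolve to the same target, 442073479999, with the prefix sets ["", "011"], ["**10", "10", "82"] and ["10"] respectively; the "user not a configured extension" filter is what separates these from ordinary failed calls by your own handsets, so keep that list in step with the Quadro's extension table.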

  2. #2


    At first glance, since "Filter on Source" is not enabled in your Call Routing records, the hacker is trying to make a call through your Quadro, trying all possible prefixes with the destination number.
    To protect your Quadro please follow the recommendations in the document at the link below:
    http://support.epygi.com/index.php?_...loaditemid=942
    If "Filter on Source" is not enabled, anybody may make a call through Quadro. In this case the registration is not needed. In your case the calls are received by Quadro and routed to sip.epygi.com and there the calls are rejected because Epygi's server doesn't connect the calls to destinations not registered on it.
    If you enable "Filter on Source" in the Call Routing rule and set the source to "PBX", then the only way to make calls through that rule would be registering the call source on Quadro.

  3. #3


    Thanks. I checked and only entry was the default one automatically created for prefix '8' in CRT with no "Filter on Source". I have now updated this for 'PBX' Filter on Source.

    For my better understanding, when you say, "the hacker tries to make a call through your Quadro trying all possible prefixes with the destination number", I am assuming that the user 'asterisk' made a SIP call and it was processed by the Quadro. With no match in the Extension table, it was processed by CRT and this open entry with prefix '8' allowed the call to take place but failed eventually at sip.epygi.com.

    So with 'Filter on Source' set to "PBX" now, any such attempt would fail in the CRT.

    Is this correct?

  4. #4


    > I checked and only entry was the default one automatically created for prefix '8' in CRT with no "Filter on Source". I have now updated this for 'PBX' Filter on Source.

    That's fine, if only that record. It is created automatically by Quadro and not restricted to calls from PBX extensions because any call to sip.epygi.com is free. Even if somebody calls via that record, your Quadro will not be charged.

    > "the hacker tries to make a call through your Quadro trying all possible prefixes with the destination number"

    I mean the hacker was trying to call 442073479999, probably a UK number. First he tried to dial that number without any prefix. When it failed he tried with prefix 011, 82 and so on.

    > With no match in the Extension table, it was processed by CRT and this open entry with prefix '8' allowed the call to take place but failed eventually at sip.epygi.com.

    The call with prefix "8" went to sip.epygi.com and was rejected there. The calls with prefixes other than "8" were rejected at the CRT level. Regardless of who rejected the call, you will see "User Not Found" in the call statistics on Quadro.

    > So with 'Filter on Source' set to "PBX" now, any such attempt would fail in the CRT.

    That's right.
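
    The routing behaviour described in #2 and #4 can be made concrete with a small model of the Call Routing Table. This is an added example, not Quadro firmware or Epygi code: a rule is modelled as a destination pattern, a count of leading symbols discarded before forwarding, a next hop and the "Filter on Source" flag. The default rule is assumed to be pattern 8*, one discarded symbol and next hop sip.epygi.com, the set of numbers sip.epygi.com will connect is a hypothetical placeholder, and the dialled strings are the ones from the log in #1. It shows the open rule forwarding only the 8-prefixed attempt upstream, the hardened rule stopping every unregistered attempt at the CRT, and a registered extension still getting through.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    """One Call Routing Table entry (modelled here; field names are not Epygi's)."""
    pattern: str                    # destination pattern, '*' matches any remaining symbols
    discard: int                    # leading symbols removed before the call is forwarded
    destination: str                # next hop the call is sent to
    filter_on_source: bool = False  # False: any caller may use this rule (the default in the thread)


@dataclass(frozen=True)
class Call:
    from_user: str
    from_host: str
    dialed: str
    registered_on_pbx: bool         # True only for a source registered as a Quadro extension


# Assumed upstream state (hypothetical): numbers that sip.epygi.com will actually connect.
UPSTREAM_REGISTERED = {"2001", "2002"}

# Default CRT as described in the thread: a single open rule for prefix '8' to sip.epygi.com.
DEFAULT_CRT = [Rule("8*", 1, "sip.epygi.com")]

# The same rule with "Filter on Source" set to PBX, as recommended in #2.
HARDENED_CRT = [Rule("8*", 1, "sip.epygi.com", filter_on_source=True)]

# The dialled strings from the log in #1, in the order the attacker tried them.
ATTACKER_DIALS = [
    "442073479999", "011442073479999", "82442073479999", "**10442073479999", "10442073479999",
]


def route(crt, call, upstream_registered=UPSTREAM_REGISTERED):
    """Walk the CRT top to bottom and report where the call is decided.

    Returns the stage that made the decision ('CRT' or the next hop), the reason,
    and the number forwarded upstream, if any.
    """
    for rule in crt:
        if not fnmatchcase(call.dialed, rule.pattern):
            continue
        if rule.filter_on_source and not call.registered_on_pbx:
            # Rejected on the Quadro itself: the source is not a PBX extension.
            return {"stage": "CRT", "reason": "source not allowed", "forwarded": None}
        forwarded = call.dialed[rule.discard:]
        if forwarded in upstream_registered:
            return {"stage": rule.destination, "reason": "connected", "forwarded": forwarded}
        # Forwarded, but the next hop has no such user: Quadro statistics show "User Not Found".
        return {"stage": rule.destination, "reason": "User Not Found", "forwarded": forwarded}
    # No rule matched: also rejected at the CRT, also shown as "User Not Found".
    return {"stage": "CRT", "reason": "no matching rule", "forwarded": None}


def simulate(crt, dials, registered_on_pbx=False):
    """Run every dialled string as the unregistered 'asterisk' caller and collect the outcomes."""
    return {
        d: route(crt, Call("asterisk", "206.214.219.54", d, registered_on_pbx))
        for d in dials
    }


if __name__ == "__main__":
    for name, crt in (("open CRT", DEFAULT_CRT), ("Filter on Source = PBX", HARDENED_CRT)):
        print(name)
        for dialed, outcome in simulate(crt, ATTACKER_DIALS).items():
            print(f"  {dialed:>18} -> {outcome['stage']}: {outcome['reason']}")
    # A real extension registered on the Quadro still reaches sip.epygi.com through the hardened rule.
    print(route(HARDENED_CRT, Call("11", "192.168.1.20", "82001", True)))
```

    Two things the model makes visible that the statistics page does not: with the open rule, 82442073479999 is the only attempt that leaves the Quadro (forwarded as 2442073479999 and refused upstream), while the other four never match a rule; with the source filter on, even that one is stopped at the CRT. Since both rejection points are logged identically as "User Not Found", the filter setting itself, not the log, is the evidence that nothing is being relayed.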

  5. #5


    Many thanks for the details and this is helpful to reinforce my understanding and perhaps other users.

    It looks like the hackers understand the default prefix '8' that is created on installation is unprotected and are trying to explore an illegal opportunity. I am changing that default prefix '8' value now even though the sip.epygi.com calls are 'free'.
