OXE HACKED BY INTERNET

[jpissot]

Hello,

Yesterday, I ve authorized acess of my Oxe R11 to the Internet world. I ve also configured a redirection of the port 5060 to the OXE. Because, I would like to test public SIP trunk but, for the moment, I ve not configured the External gateway. I ve only a local sip gateway configured for my sip phones and for the link with my otms.

This morning, I discover that you have received a lot of calls by the trunk sip (9500 calls). The calling number is 0100 and the call type is PrivateNetworkIncomingCall (on accounting ticket)
On accouting ticket, I find also outgoing calls by my T2 trunk to internationals number (macedonia, israel, ...). The call type is ISDNCircuitSwitchedCall.

Do you know how the kackers get through my trunk sip to calls by my ISDN trunk. For information, the operatrice phone had a lot of calls of 0100.


Example of tickets :
----[/DHS3dyn/account/TAXADJDD.DAT : Ticket number 601/601/607]-----------------
(00) TicketVersion = ED5.2 (01) CalledNumber = 0100
(02) ChargedNumber = FS110 (03) ChargedUserName = SIP
(04) ChargedCostCenter = (05) ChargedCompany =
(06) ChargedPartyNode = 103 (07) Subaddress =
(08) CallingNumber =
(09) CallType = PrivateNetworkIncomingCall
(10) CostType = Unspecified (11) EndDateTime = 20140801 07:27:54
(12) ChargeUnits = 0 (13) CostInfo = 0
(14) Duration = 0 (15) TrunkIdentity = 629
(16) TrunkGroupIdentity = 110 (17) TrunkNode = 103
(18) PersonalOrBusiness = Normal (19) AccessCode =
(20) SpecificChargeInfo = (21) BearerCapability = Speech
(22) HighLevelComp = Telephony (23) DataVolume = 0
(24) UserToUserVolume = 0 (25) ExternFacilities =
(26) InternFacilities = OperatorFacility
(27) CallReference = 0 (28) SegmentsRate1 = 0
(29) SegmentsRate2 = 0 (30) SegmentsRate3 = 0
(31) ComType = Voice (32) X25IncomingFlowRate = Unspecified
(33) X25OutgoingFlowRate = Unspecified (34) Carrier = 0
(35) InitialDialledNumber = 00393199 (36) WaitingDuration = 1
(37) EffectiveCallDuration = 0 (38) RedirectedCallIndicator = 1
(39) StartDateTime = 20140801 07:27:54 (40) ActingExtensionNumber =
(41) CalledNumberNode = 9999 (42) CallingNumberNode = 9999
(43) InitialDialledNumberNode = 9999 (44) ActingExtensionNumberNode = 9999
(45) TransitTrunkGroupIdentity = 32767 (46) NodeTimeOffset = 0
(47) TimeDlt = 0

----[/DHS3dyn/account/TAXADJDD.DAT : Ticket number 602/602/607]-----------------
(00) TicketVersion = ED5.2 (01) CalledNumber = 00393199053246
(02) ChargedNumber = FS110 (03) ChargedUserName = SIP
(04) ChargedCostCenter = (05) ChargedCompany =
(06) ChargedPartyNode = 103 (07) Subaddress =
(08) CallingNumber = (09) CallType = Unspecified
(10) CostType = ISDNCircuitSwitchedCall (11) EndDateTime = 20140801 07:27:54
(12) ChargeUnits = 0 (13) CostInfo = 0
(14) Duration = 0 (15) TrunkIdentity = 4
(16) TrunkGroupIdentity = 100 (17) TrunkNode = 103
(18) PersonalOrBusiness = Normal (19) AccessCode =
(20) SpecificChargeInfo = (21) BearerCapability = Speech
(22) HighLevelComp = Telephony (23) DataVolume = 0
(24) UserToUserVolume = 0
(25) ExternFacilities = CallingLineIdentificationPresentation
(26) InternFacilities = Transit ARSService
(27) CallReference = 0 (28) SegmentsRate1 = 0
(29) SegmentsRate2 = 0 (30) SegmentsRate3 = 0
(31) ComType = Voice (32) X25IncomingFlowRate = Unspecified
(33) X25OutgoingFlowRate = Unspecified (34) Carrier = 0
(35) InitialDialledNumber = 00393199053246
(36) WaitingDuration = 0 (37) EffectiveCallDuration = 0
(38) RedirectedCallIndicator = 0 (39) StartDateTime = 20140801 07:27:54
(40) ActingExtensionNumber = (41) CalledNumberNode = 9999
(42) CallingNumberNode = 9999 (43) InitialDialledNumberNode = 9999
(44) ActingExtensionNumberNode = 9999 (45) TransitTrunkGroupIdentity = 32767
(46) NodeTimeOffset = 0 (47) TimeDlt = 0

----[/DHS3dyn/account/TAXADJDD.DAT : Ticket number 603/603/607]-----------------
(00) TicketVersion = ED5.2 (01) CalledNumber = 00393199053246
(02) ChargedNumber = FS110 (03) ChargedUserName = SIP
(04) ChargedCostCenter = (05) ChargedCompany =
(06) ChargedPartyNode = 103 (07) Subaddress =
(08) CallingNumber = (09) CallType = Unspecified
(10) CostType = ISDNCircuitSwitchedCall (11) EndDateTime = 20140801 07:28:03
(12) ChargeUnits = 0 (13) CostInfo = 0
(14) Duration = 0 (15) TrunkIdentity = 6
(16) TrunkGroupIdentity = 100 (17) TrunkNode = 103
(18) PersonalOrBusiness = Normal (19) AccessCode =
(20) SpecificChargeInfo = (21) BearerCapability = Speech
(22) HighLevelComp = Telephony (23) DataVolume = 0
(24) UserToUserVolume = 0
(25) ExternFacilities = CallingLineIdentificationPresentation
(26) InternFacilities = Transit ARSService
(27) CallReference = 0 (28) SegmentsRate1 = 0
(29) SegmentsRate2 = 0 (30) SegmentsRate3 = 0
(31) ComType = Voice (32) X25IncomingFlowRate = Unspecified
(33) X25OutgoingFlowRate = Unspecified (34) Carrier = 0
(35) InitialDialledNumber = 00393199053246
(36) WaitingDuration = 0 (37) EffectiveCallDuration = 0
(38) RedirectedCallIndicator = 0 (39) StartDateTime = 20140801 07:28:03
(40) ActingExtensionNumber = (41) CalledNumberNode = 9999
(42) CallingNumberNode = 9999 (43) InitialDialledNumberNode = 9999
(44) ActingExtensionNumberNode = 9999 (45) TransitTrunkGroupIdentity = 32767
(46) NodeTimeOffset = 0 (47) TimeDlt = 0

----[/DHS3dyn/account/TAXADJDD.DAT : Ticket number 604/604/607]-----------------
(00) TicketVersion = ED5.2 (01) CalledNumber = 0023221101438
(02) ChargedNumber = FS110 (03) ChargedUserName = SIP
(04) ChargedCostCenter = (05) ChargedCompany =
(06) ChargedPartyNode = 103 (07) Subaddress =
(08) CallingNumber = (09) CallType = Unspecified
(10) CostType = ISDNCircuitSwitchedCall (11) EndDateTime = 20140801 07:28:16
(12) ChargeUnits = 0 (13) CostInfo = 0
(14) Duration = 0 (15) TrunkIdentity = 6
(16) TrunkGroupIdentity = 100 (17) TrunkNode = 103
(18) PersonalOrBusiness = Normal (19) AccessCode =
(20) SpecificChargeInfo = (21) BearerCapability = Speech
(22) HighLevelComp = Telephony (23) DataVolume = 0
(24) UserToUserVolume = 0
(25) ExternFacilities = CallingLineIdentificationPresentation
(26) InternFacilities = Transit ARSService
(27) CallReference = 0 (28) SegmentsRate1 = 0
(29) SegmentsRate2 = 0 (30) SegmentsRate3 = 0
(31) ComType = Voice (32) X25IncomingFlowRate = Unspecified
(33) X25OutgoingFlowRate = Unspecified (34) Carrier = 0
(35) InitialDialledNumber = 0023221101438
(36) WaitingDuration = 0 (37) EffectiveCallDuration = 0
(38) RedirectedCallIndicator = 0 (39) StartDateTime = 20140801 07:28:16
(40) ActingExtensionNumber = (41) CalledNumberNode = 9999
(42) CallingNumberNode = 9999 (43) InitialDialledNumberNode = 9999
(44) ActingExtensionNumberNode = 9999 (45) TransitTrunkGroupIdentity = 32767
(46) NodeTimeOffset = 0 (47) TimeDlt = 0

I have delete the redirection of the port 5060 and since I

[cavagnaro]

Lol...so...firewall? neee .... SBC?? nee.....activate security on SIP?? Neeee...
There are thousands of hackers everyday scanning for port 5060...the most obvious one...
Get a security expert consultant to advice you how to put your OXE on internet. First step...just don't.

[tgn]

hehe... some times ago, i've placed an debian-asterisk installation with port 5060 in the internet world.... after this i've got an default-password list in my log-file. the initiator was an ip address from china... but ha has no sucess

thats why i say never do connect an oxe system without an sbc...

regards...