Discussion: suspicious cdr history
Joe Conway
2012-10-28 15:59:12 UTC
While looking through my CDR history I noticed the following two records
from yesterday afternoon.

From     To                Start             Duration  Status
-------  ----------------  ----------------  --------  ------
5550000  011972599537676   10/27/12 3:17 PM  00:00:00  Failed
5550000  9011972599537676  10/27/12 3:18 PM  00:00:00  Failed

Is it safe to assume from those records that my system has been
compromised (I know that no legitimate calls were attempted in that time
frame, let alone international ones)?

Does the "From 5550000" provide any clue as to how the system was
compromised?

FWIW, I am running a very old version:
4.2.1-018971.21.0 2011-05-24T20:34:29 snowbird.hubler.us
Would upgrading plug some known hole that might be getting exploited here?

Thanks for any insights.

Joe
--
Joe Conway
credativ LLC: http://www.credativ.us
Linux, PostgreSQL, and general Open Source
Training, Service, Consulting, & 24x7 Support
Michael Picher
2012-10-28 20:01:56 UTC
No, it's not safe to say it has been compromised.

If you have 5060 open to the world, you're bound to see these. As you can
see, both failed.

Mike
_______________________________________________
sipx-users mailing list
List Archive: http://list.sipfoundry.org/archive/sipx-users/
--
Michael Picher, Director of Technical Services
eZuce, Inc.

300 Brickstone Square
Suite 201
Andover, MA. 01810
O.978-296-1005 X2015
M.207-956-0262
@mpicher <http://twitter.com/mpicher>
linkedin <http://www.linkedin.com/profile/view?id=35504760&trk=tab_pro>
www.ezuce.com

------------------------------------------------------------------------------------------------------------
There are 10 kinds of people in the world, those who understand binary and
those who don't.
Joe Conway
2012-10-28 20:19:04 UTC
Thanks for the reply -- makes me feel better :-)

I had never noticed anything like that before. I had seen that they
failed, but was concerned that they got as far as showing up in call
history and wasn't sure why they failed.

Joe
--
Joe Conway
credativ LLC: http://www.credativ.us
Linux, PostgreSQL, and general Open Source
Training, Service, Consulting, & 24x7 Support
Michael Picher
2012-10-28 20:27:49 UTC
Because you have a permission on the international dial plan (or have it
disabled) :-)
Tony Graziano
2012-10-28 20:18:53 UTC
It means port 5060 is open (i.e. for remote users). Callers need to
authenticate in order to make calls.

These are from scripts probing weak security. If the system was compromised
the status would not be failed.

This is mostly preventable at your firewall by closing 5060 if you don't
support remote users or using cps or country blocks for your firewall as
well as other methods to keep uninvited guests out.

This has been discussed many times on the list.
--
LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: ***@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
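Added illustration, not code from the thread or from sipXecs: a small Python triage that parses rows in the layout Joe posted and applies the rule Mike and Tony give (failed, zero-duration international attempts are blocked probes; a completed international call from a caller that is not one of your extensions is the indicator that matters). The extension set, the 9 outside-line prefix and sample rows 3-4 are assumptions constructed for this example.

```python
import re
from collections import namedtuple

# Constructed sample CDR text in the column order Joe posted (From, To, Start,
# Duration, Status). Rows 1-2 are his records; rows 3-4 are made up here to show
# what a completed international call from an unknown caller would look like.
CDR_TEXT = """\
5550000 011972599537676 10/27/12 3:17 PM 00:00:00 Failed
5550000 9011972599537676 10/27/12 3:18 PM 00:00:00 Failed
5550000 9011972599537676 10/27/12 3:40 PM 00:12:31 Completed
2001 9011972599537676 10/27/12 4:02 PM 00:03:10 Completed
"""

PROVISIONED_EXTENSIONS = {"2001", "2002"}  # assumption: the PBX's own extensions

ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+\s+\S+\s+\S+)\s+(\d\d:\d\d:\d\d)\s+(\S+)$")
Record = namedtuple("Record", "src dst start duration status")

def parse_cdr(text):
    """Parse whitespace-separated rows; header and dashed separator lines are skipped."""
    matches = (ROW_RE.match(line.strip()) for line in text.splitlines())
    return [Record(*m.groups()) for m in matches if m]

def is_international(dst):
    # Assumption: 9 is the outside-line prefix and 011 the international access
    # code, so the thread's 011... and 9011... destinations both count.
    digits = dst[1:] if dst.startswith("9") else dst
    return digits.startswith("011")

def triage(rec, extensions=PROVISIONED_EXTENSIONS):
    if not is_international(rec.dst):
        return "domestic"
    if rec.status.lower() == "failed" and rec.duration == "00:00:00":
        # Rejected before connecting (no auth or no dial-plan permission):
        # noise from an exposed port 5060, not evidence of compromise.
        return "probe-blocked"
    if rec.src not in extensions:
        # A completed international call from a caller that is not one of your
        # extensions is the pattern that does point at toll fraud.
        return "toll-fraud-suspect"
    return "completed-intl"  # plausible use; check against expected call volume

def summarize(text):
    """Count (source, verdict) pairs so repeated probes from one source stand out."""
    counts = {}
    for rec in parse_cdr(text):
        key = (rec.src, triage(rec))
        counts[key] = counts.get(key, 0) + 1
    return counts
```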