[OpenSIPS-Users] Default install got hacked
Vincent Swart
vinceswart at gmail.com
Tue Jan 18 13:23:32 UTC 2022
First post!
So yesterday I installed the latest from Debian 10 repo and the latest cp
web app using a method similar to powerpbxdotorg howto.
I had 5060 open in my firewall, two user phones configured with strong
passwords, and a gateway with IP auth for termination.
Within 10 minutes calls were being placed via unauthenticated invites I
think.
I used the residential config script with a minor beginner destination
number pattern match difference:
https://pastebin.com/GPrMcWYK
if ($rU=~"^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]+$") {
#if (dp_translate(10,"$rU/$rU") ) {
#strip(1);
The opensips log has a lot of this in it all the time:
Jan 17 15:56:04 dsip1 /usr/sbin/opensips[24971]:
CRITICAL:db_mysql:wrapper_single_mysql_stmt_execute: driver error (1048):
Column 'to_tag' cannot be null
Jan 17 15:56:04 dsip1 /usr/sbin/opensips[24971]: ERROR:acc:acc_db_request:
failed to insert into acc table
The illicit calls start in the log like this:
https://pastebin.com/mCNXqK7T
I can post the full log but it will take some time to sanitize.
Sip call ID links in CDR viewer show this: "Sorry , sip trace for this call
is unavailable."
There are also only 0 durations on all legs however they incurred duration
and billing on termination.
I'm fairly certain the calls were not placed via the user phone accounts
because of strong passwords.
My next steps are to disable the gateway and packet capture on the
interface to investigate illicit invites.
Where do I even start investigating how unauthenticated invites were placed
and prevent it in the opensips config?
Any suggestions would be greatly appreciated.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20220118/c2635c97/attachment.html>
More information about the Users
mailing list