<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">Creepy!</span><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">You can allways block the IP with iptables.. but that obviously will not solve the problem.</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">I´m very new at this, but: </div><div style="font-family:arial,sans-serif;font-size:13px"><br></div>
<div style="font-family:arial,sans-serif;font-size:13px">1) have you tried limiting the IP addresses of your suscribers? Are they dynamic?</div><div style="font-family:arial,sans-serif;font-size:13px">2) Did you look at other logs? /var/log/auth.conf /var/log/messages to seek for other vectors of attack?</div>
<div style="font-family:arial,sans-serif;font-size:13px">3) Have you tried using mysql injection on the ngcp web sites?, i´m sure the sipwise folks did not miss something as essential as this, but it´s worth a try.</div><div style="font-family:arial,sans-serif;font-size:13px">
4) are your sip passwords strong enought?</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">I would take it from there.</div><div style="font-family:arial,sans-serif;font-size:13px">
<br></div><div style="font-family:arial,sans-serif;font-size:13px">Regards</div><div style="font-family:arial,sans-serif;font-size:13px">Pedro </div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Apr 26, 2013 at 4:55 PM, Matthew Ogden <span dir="ltr"><<a href="mailto:matthew@tenacit.net" target="_blank">matthew@tenacit.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-ZA" link="blue" vlink="purple"><div><p class="MsoNormal">Hi </p><p class="MsoNormal"> </p><p class="MsoNormal">
My server has been hacked…. I’m not sure how.</p><p class="MsoNormal">
</p><p class="MsoNormal">There were no IPs/Users in Security bans. </p><p class="MsoNormal"> </p><p class="MsoNormal">Here is the proxy log, I’ve replaced my domain <mydomain> and the real client IP (dynamic IP with <REAL CLIENT IP>. I’ve left the hackers IP in.</p>
<p class="MsoNormal"> </p><p class="MsoNormal"> </p><p class="MsoNormal">root@spce:~# grep "Apr 26 19:42:3" /var/log/ngcp/kamailio-proxy.log</p><p class="MsoNormal">Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 (<a href="http://127.0.0.1:5060" target="_blank">127.0.0.1:5060</a>) ID=<a href="mailto:63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0" target="_blank">63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0</a></p>
<p class="MsoNormal">Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=<a href="mailto:63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0" target="_blank">63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0</a></p>
<p class="MsoNormal">Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 (<a href="http://127.0.0.1:5060" target="_blank">127.0.0.1:5060</a>) ID=<a href="mailto:63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0" target="_blank">63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0</a></p>
<p class="MsoNormal">Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain> ID=<a href="mailto:63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0" target="_blank">63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0</a></p>
<p class="MsoNormal">Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:<my domain> ID=<a href="mailto:63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0" target="_blank">63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0</a></p>
<p class="MsoNormal">Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID=<a href="mailto:63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0" target="_blank">63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0</a></p>
<p class="MsoNormal">Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Contacts successfully saved - R=sip:<my domain> ID=<a href="mailto:63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0" target="_blank">63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0</a></p>
<p class="MsoNormal">Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain> T=sip:WS001A004@<my domain> IP=<a href="http://198.38.93.188:10053" target="_blank">198.38.93.188:10053</a> (<a href="http://127.0.0.1:5060" target="_blank">127.0.0.1:5060</a>) ID=ba701808665abe0f</p>
<p class="MsoNormal">Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=ba701808665abe0f</p><p class="MsoNormal">Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain> T=sip:WS001A004@<my domain> IP=<a href="http://198.38.93.188:10053" target="_blank">198.38.93.188:10053</a> (<a href="http://127.0.0.1:5060" target="_blank">127.0.0.1:5060</a>) ID=ba701808665abe0f</p>
<p class="MsoNormal">Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: Authentication failed, invalid user - R=sip:<my domain> ID=ba701808665abe0f</p><p class="MsoNormal">Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<a href="http://198.38.93.188:10053" target="_blank">198.38.93.188:10053</a> (<a href="http://127.0.0.1:5060" target="_blank">127.0.0.1:5060</a>) ID=df4767364b3ca13b</p>
<p class="MsoNormal">Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=df4767364b3ca13b</p><p class="MsoNormal">Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<a href="http://198.38.93.188:10053" target="_blank">198.38.93.188:10053</a> (<a href="http://127.0.0.1:5060" target="_blank">127.0.0.1:5060</a>) ID=df4767364b3ca13b</p>
<p class="MsoNormal">Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain> ID=df4767364b3ca13b</p><p class="MsoNormal">
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:<my domain> ID=df4767364b3ca13b</p><p class="MsoNormal">Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID=df4767364b3ca13b</p>
<p class="MsoNormal">Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Contacts successfully saved - R=sip:<my domain> ID=df4767364b3ca13b</p><p class="MsoNormal"> </p><p class="MsoNormal">Sincerely<span></span></p>
<p class="MsoNormal"> </p></div></div>
<br>_______________________________________________<br>
Spce-user mailing list<br>
<a href="mailto:Spce-user@lists.sipwise.com">Spce-user@lists.sipwise.com</a><br>
<a href="http://lists.sipwise.com/listinfo/spce-user" target="_blank">http://lists.sipwise.com/listinfo/spce-user</a><br>
<br></blockquote></div><br></div>