<p dir="ltr">What was the client's endpoint? There was a Grandstream security issue where the admin password could be bypassed and the SIP user credentials could be recovered.</p>
<p dir="ltr">Tim</p>
<div class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-ZA" link="blue" vlink="purple"><div><p class="MsoNormal">Hi </p><p class="MsoNormal"> </p><p class="MsoNormal">
My server has been hacked…. I’m not sure how.</p><p class="MsoNormal">
</p><p class="MsoNormal">There were no IPs/Users in Security bans. </p><p class="MsoNormal"> </p><p class="MsoNormal">Here is the proxy log. I’ve replaced my domain with &lt;mydomain&gt; and the real client IP (dynamic IP) with &lt;REAL CLIENT IP&gt;. I’ve left the hacker’s IP in.</p>
<p class="MsoNormal"> </p><p class="MsoNormal"> </p><p class="MsoNormal">root@spce:~# grep "Apr 26 19:42:3" /var/log/ngcp/kamailio-proxy.log</p><p class="MsoNormal">Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: &lt;script&gt;: New request - M=REGISTER R=sip:&lt;my domain&gt; F=sip:WS001A002@&lt;my domain&gt; T=sip:WS001A002@&lt;my domain&gt; IP=&lt;REAL CLIENT IP&gt;:5060 (<a href="http://127.0.0.1:5060" target="_blank">127.0.0.1:5060</a>) ID=<a href="mailto:63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0" target="_blank">63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0</a></p>
<p class="MsoNormal">Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: &lt;script&gt;: Authentication failed, no credentials - R=sip:&lt;my domain&gt; ID=<a href="mailto:63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0" target="_blank">63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0</a></p>
<p class="MsoNormal">Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: &lt;script&gt;: New request - M=REGISTER R=sip:&lt;my domain&gt; F=sip:WS001A002@&lt;my domain&gt; T=sip:WS001A002@&lt;my domain&gt; IP=&lt;REAL CLIENT IP&gt;:5060 (<a href="http://127.0.0.1:5060" target="_blank">127.0.0.1:5060</a>) ID=<a href="mailto:63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0" target="_blank">63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0</a></p>
<p class="MsoNormal">Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: &lt;script&gt;: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:&lt;my domain&gt; ID=<a href="mailto:63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0" target="_blank">63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0</a></p>
<p class="MsoNormal">Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: &lt;script&gt;: IP authorization not provisioned, allow registration - R=sip:&lt;my domain&gt; ID=<a href="mailto:63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0" target="_blank">63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0</a></p>
<p class="MsoNormal">Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: &lt;script&gt;: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@&lt;my domain&gt;' - R=sip:&lt;my domain&gt; ID=<a href="mailto:63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0" target="_blank">63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0</a></p>
<p class="MsoNormal">Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: &lt;script&gt;: Contacts successfully saved - R=sip:&lt;my domain&gt; ID=<a href="mailto:63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0" target="_blank">63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0</a></p>
<p class="MsoNormal">Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: &lt;script&gt;: New request - M=REGISTER R=sip:&lt;my domain&gt; F=sip:WS001A004@&lt;my domain&gt; T=sip:WS001A004@&lt;my domain&gt; IP=<a href="http://198.38.93.188:10053" target="_blank">198.38.93.188:10053</a> (<a href="http://127.0.0.1:5060" target="_blank">127.0.0.1:5060</a>) ID=ba701808665abe0f</p>
<p class="MsoNormal">Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: &lt;script&gt;: Authentication failed, no credentials - R=sip:&lt;my domain&gt; ID=ba701808665abe0f</p><p class="MsoNormal">Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: &lt;script&gt;: New request - M=REGISTER R=sip:&lt;my domain&gt; F=sip:WS001A004@&lt;my domain&gt; T=sip:WS001A004@&lt;my domain&gt; IP=<a href="http://198.38.93.188:10053" target="_blank">198.38.93.188:10053</a> (<a href="http://127.0.0.1:5060" target="_blank">127.0.0.1:5060</a>) ID=ba701808665abe0f</p>
<p class="MsoNormal">Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: &lt;script&gt;: Authentication failed, invalid user - R=sip:&lt;my domain&gt; ID=ba701808665abe0f</p><p class="MsoNormal">Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: &lt;script&gt;: New request - M=REGISTER R=sip:&lt;my domain&gt; F=sip:WS001A002@&lt;my domain&gt; T=sip:WS001A002@&lt;my domain&gt; IP=<a href="http://198.38.93.188:10053" target="_blank">198.38.93.188:10053</a> (<a href="http://127.0.0.1:5060" target="_blank">127.0.0.1:5060</a>) ID=df4767364b3ca13b</p>
<p class="MsoNormal">Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: &lt;script&gt;: Authentication failed, no credentials - R=sip:&lt;my domain&gt; ID=df4767364b3ca13b</p><p class="MsoNormal">Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: &lt;script&gt;: New request - M=REGISTER R=sip:&lt;my domain&gt; F=sip:WS001A002@&lt;my domain&gt; T=sip:WS001A002@&lt;my domain&gt; IP=<a href="http://198.38.93.188:10053" target="_blank">198.38.93.188:10053</a> (<a href="http://127.0.0.1:5060" target="_blank">127.0.0.1:5060</a>) ID=df4767364b3ca13b</p>
<p class="MsoNormal">Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: &lt;script&gt;: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:&lt;my domain&gt; ID=df4767364b3ca13b</p><p class="MsoNormal">
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: &lt;script&gt;: IP authorization not provisioned, allow registration - R=sip:&lt;my domain&gt; ID=df4767364b3ca13b</p><p class="MsoNormal">Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: &lt;script&gt;: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@&lt;my domain&gt;' - R=sip:&lt;my domain&gt; ID=df4767364b3ca13b</p>
<p class="MsoNormal">Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: &lt;script&gt;: Contacts successfully saved - R=sip:&lt;my domain&gt; ID=df4767364b3ca13b</p><p class="MsoNormal"> </p><p class="MsoNormal">Sincerely</p>
<p class="MsoNormal"> </p></div></div>
<br></div>
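<p>The log quoted above shows one subscriber (WS001A002) getting "Contacts successfully saved" from two different source addresses within seconds, with an "invalid user" rejection from the second address in between. The following is an added example, not part of the original thread and not Sipwise code: it correlates kamailio-proxy.log lines by Call-ID to surface that pattern. The sample log is constructed in the same format; example.org and the 192.0.2.x / 203.0.113.x addresses are placeholders.</p>

```python
import re
from collections import defaultdict

# Constructed sample in the kamailio-proxy.log format quoted in the thread.
# example.org, 192.0.2.10 and 203.0.113.77 are placeholders, not values from the thread.
SAMPLE_LOG = """\
Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: New request - M=REGISTER R=sip:example.org F=sip:WS001A002@example.org T=sip:WS001A002@example.org IP=192.0.2.10:5060 (127.0.0.1:5060) ID=c1@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: Authentication failed, no credentials - R=sip:example.org ID=c1@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: New request - M=REGISTER R=sip:example.org F=sip:WS001A002@example.org T=sip:WS001A002@example.org IP=192.0.2.10:5060 (127.0.0.1:5060) ID=c1@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Contacts successfully saved - R=sip:example.org ID=c1@0.0.0.0
Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: New request - M=REGISTER R=sip:example.org F=sip:WS001A004@example.org T=sip:WS001A004@example.org IP=203.0.113.77:10053 (127.0.0.1:5060) ID=a1
Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: Authentication failed, invalid user - R=sip:example.org ID=a1
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: New request - M=REGISTER R=sip:example.org F=sip:WS001A002@example.org T=sip:WS001A002@example.org IP=203.0.113.77:10053 (127.0.0.1:5060) ID=a2
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Contacts successfully saved - R=sip:example.org ID=a2
"""

# REGISTER line: carries the subscriber (From URI), the source IP and the Call-ID.
NEW_REQ = re.compile(
    r"New request - M=REGISTER .* F=sip:(?P<aor>\S+) .* IP=(?P<ip>[0-9.]+):\d+ .* ID=(?P<cid>\S+)")
# Outcome lines only carry the Call-ID, so they are joined back to the REGISTER.
# "no credentials" is the normal digest challenge and is deliberately ignored.
OUTCOME = re.compile(
    r"(?P<msg>Contacts successfully saved|Authentication failed, invalid user) - .* ID=(?P<cid>\S+)")

def analyse(log_text):
    """Return (subscribers registered from >1 source IP, IPs probing unknown users)."""
    by_callid = {}               # Call-ID -> (subscriber, source IP)
    saved = defaultdict(set)     # subscriber -> source IPs with a saved contact
    probes = defaultdict(set)    # source IP -> subscribers rejected as invalid
    for line in log_text.splitlines():
        m = NEW_REQ.search(line)
        if m:
            by_callid[m["cid"]] = (m["aor"], m["ip"])
            continue
        m = OUTCOME.search(line)
        if m and m["cid"] in by_callid:
            aor, ip = by_callid[m["cid"]]
            if m["msg"].startswith("Contacts"):
                saved[aor].add(ip)
            else:
                probes[ip].add(aor)
    multi = {aor: sorted(ips) for aor, ips in saved.items() if len(ips) > 1}
    return multi, {ip: sorted(aors) for ip, aors in probes.items()}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

<p>A subscriber that appears in the first result with an address that also appears in the second is a strong sign of stolen credentials rather than a roaming client.</p>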