[Spce-user] server hacked

Matthew Ogden matthew at tenacit.net
Fri Apr 26 17:55:39 EDT 2013


Hi



My server has been hacked…. I’m not sure how.



There were no IPs/Users in Security bans.



Here is the proxy log. I’ve replaced my domain with <mydomain> and the real
client IP (dynamic IP) with <REAL CLIENT IP>. I’ve left the hacker’s IP in.





root@spce:~# grep "Apr 26 19:42:3" /var/log/ngcp/kamailio-proxy.log

Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0

Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0

Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0

Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0

Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0

Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0

Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Contacts successfully saved - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0

Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain> T=sip:WS001A004@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=ba701808665abe0f

Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=ba701808665abe0f

Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain> T=sip:WS001A004@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=ba701808665abe0f

Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: Authentication failed, invalid user - R=sip:<my domain> ID=ba701808665abe0f

Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=df4767364b3ca13b

Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=df4767364b3ca13b

Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=df4767364b3ca13b

Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain> ID=df4767364b3ca13b

Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:<my domain> ID=df4767364b3ca13b

Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID=df4767364b3ca13b

Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Contacts successfully saved - R=sip:<my domain> ID=df4767364b3ca13b



Sincerely
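
One way to triage a proxy log like the one quoted above, as an added example that is not part of the original post: it ties each REGISTER outcome back to its source IP through the ID= (Call-ID) field, then reports accounts whose contacts were saved from more than one source IP and IPs rejected with "invalid user". The sample lines, example.org, the 203.0.113.10 and 198.51.100.7 addresses, and all function and variable names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the kamailio-proxy.log format quoted in the post
# (one entry per line; domain, IPs and Call-IDs are placeholders).
P = "Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: "
REQ = "New request - M=REGISTER R=sip:example.org F=sip:{u}@example.org T=sip:{u}@example.org IP={ip} (127.0.0.1:5060) ID={cid}"
SAMPLE_LOG = "\n".join(P + entry for entry in [
    REQ.format(u="WS001A002", ip="203.0.113.10:5060", cid="aaaa1111@0.0.0.0"),
    "Authentication failed, no credentials - R=sip:example.org ID=aaaa1111@0.0.0.0",
    "Contacts successfully saved - R=sip:example.org ID=aaaa1111@0.0.0.0",
    REQ.format(u="WS001A004", ip="198.51.100.7:10053", cid="bbbb2222"),
    "Authentication failed, invalid user - R=sip:example.org ID=bbbb2222",
    REQ.format(u="WS001A002", ip="198.51.100.7:10053", cid="cccc3333"),
    "Contacts successfully saved - R=sip:example.org ID=cccc3333",
])

NEW_REQ = re.compile(
    r"New request - M=REGISTER .*?F=sip:(?P<aor>\S+) .*?IP=(?P<ip>[\d.]+):\d+ .*?ID=\s*(?P<cid>\S+)")
RESULT = re.compile(
    r"<script>: (?P<msg>Authentication failed, invalid user|Contacts successfully saved) .*?ID=\s*(?P<cid>\S+)")

def analyse(log_text):
    """Return (accounts registered from several IPs, IPs rejected as invalid user)."""
    source = {}                  # Call-ID -> (account, source IP)
    saved = defaultdict(set)     # account -> IPs whose contacts were saved
    invalid = defaultdict(set)   # source IP -> accounts rejected as 'invalid user'
    for line in log_text.splitlines():
        m = NEW_REQ.search(line)
        if m:
            source[m["cid"]] = (m["aor"], m["ip"])
            continue
        # "no credentials" is the normal digest challenge and is ignored here.
        m = RESULT.search(line)
        if m and m["cid"] in source:
            aor, ip = source[m["cid"]]
            if m["msg"].startswith("Contacts"):
                saved[aor].add(ip)
            else:
                invalid[ip].add(aor)
    multi = {aor: sorted(ips) for aor, ips in saved.items() if len(ips) > 1}
    probing = {ip: sorted(aors) for ip, aors in invalid.items()}
    return multi, probing

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Clients on dynamic addresses will also show up in the first result, so each hit is a lead to check against the subscriber's expected networks.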