
how to check if my server is hack?

Posted: Tue Nov 19, 2019 12:07 am
by xodiacx
Hi all,

Earlier today I received a call from one of our VoIP providers saying that we've made around $1000 (AU/US, not sure) worth of international calls. How can we check if we really made these calls from our server? First off, this provider is under talk and our company has not committed yet to their service because we can't make outgoing calls; every time we make an outgoing call, this is the message appearing in the Asterisk CLI:

"[Oct 10 16:13:06] -- Executing [976861386580543@default:2] Dial("SIP/999-00137154", "SIP/aatroxcommunications/61386580543") in new stack
[Oct 10 16:13:06] == Using SIP RTP CoS mark 5
[Oct 10 16:13:06] WARNING[13398][C-0047e583]: chan_sip.c:6276 sip_call: No audio format found to offer. Cancelling call to 61386580543
[Oct 10 16:13:06] -- Couldn't call SIP/aatroxcommunications/61386580543
[Oct 10 16:13:06] == Everyone is busy/congested at this time (0:0/0/0)"

Please, I badly need help reviewing this; $1000 surely is a lot of money.

Re: how to check if my server is hack?

Posted: Sat Nov 23, 2019 6:52 am
by xodiacx
Hi

Can anyone help?

Re: how to check if my server is hack?

Posted: Sat Nov 23, 2019 11:31 pm
by ambiorixg12
[Oct 10 16:13:06] WARNING[13398][C-0047e583]: chan_sip.c:6276 sip_call: No audio format found to offer. Cancelling call to 61386580543

Check the SDP dialog for the payload type (your codec setting).

Regarding the source of the call, you will need to check in the CDR and the Asterisk logs for the fraudulent numbers dialed; there you will also find the SIP or IAX2 account user and the IP of the source.

Re: how to check if my server is hack?

Posted: Tue Nov 26, 2019 3:55 pm
by williamconley
xodiacx wrote:
Hi all,

Earlier today I received a call from one of our VoIP providers saying that we've made around $1000 (AU/US, not sure) worth of international calls. How can we check if we really made these calls from our server? First off, this provider is under talk and our company has not committed yet to their service because we can't make outgoing calls; every time we make an outgoing call, this is the message appearing in the Asterisk CLI:

"[Oct 10 16:13:06] -- Executing [976861386580543@default:2] Dial("SIP/999-00137154", "SIP/aatroxcommunications/61386580543") in new stack
[Oct 10 16:13:06] == Using SIP RTP CoS mark 5
[Oct 10 16:13:06] WARNING[13398][C-0047e583]: chan_sip.c:6276 sip_call: No audio format found to offer. Cancelling call to 61386580543
[Oct 10 16:13:06] -- Couldn't call SIP/aatroxcommunications/61386580543
[Oct 10 16:13:06] == Everyone is busy/congested at this time (0:0/0/0)"

Please, I badly need help reviewing this; $1000 surely is a lot of money.

1) Welcome to the Party! 8-)

2) As you are obviously new here, I have some suggestions to help us all help you:

When you post, please post your entire configuration including (but not limited to) your installation method (7.X.X?) and vicidial version with build (VERSION: 2.X-XXXx ... BUILD: #####-####).

This IS a requirement for posting along with reading the stickies (at the top of each forum) and the manager's manual (available on EFLO.net, both free and paid versions)

You should also post: Asterisk version, telephony hardware (model number is helpful here), cluster information if you have one, and whether any other software is installed in the box. If your installation method is "manual/from scratch" you must post your operating system with version (and the .iso version from which you installed your original operating system) plus a link to the installation instructions you used. If your installation is "Hosted" list the site name of the host.

If this is a "Cloud" or "Virtual" server, please note the technology involved along with the version of that technology (ie: VMware Server Version 2.0.2). If it is not, merely stating the Motherboard model # and CPU would be helpful.

Similar to This:

Vicibox X.X from .iso | Vicidial X.X.X-XXX Build XXXXXX-XXXX | Asterisk X.X.X | Single Server | No Digium/Sangoma Hardware | No Extra Software After Installation | Intel DG35EC | Core2Quad Q6600

3) Stock installs will log all calls in the asteriskcdrdb and in the Vicidial call logs. More importantly: Your VOIP provider will have the IP of the originator of each call. If that IP is the IP of your Vicidial server, the odds are greatly in favor that your Vicidial logs will in fact match. If the IP address of the originator of those calls is NOT your Vicidial server, that's a different story entirely. If the VOIP provider is using a user/password authentication system instead of IP authentication, then the question remains how your user/pass came to be in the possession of someone else AND why they were not using IP authentication in the first place.

Good luck, sir!
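
Added example, not written by any poster in this thread: a Python script for the log check suggested in the replies above. It parses `Executing [...] Dial(...)` lines in the shape quoted in the first post and groups attempts to disputed numbers by originating peer and trunk. The disputed-number set, peers 201 and 302, and `exampletrunk` are constructed placeholders; only the first sample line comes from the thread.

```python
import re
from collections import defaultdict

# Matches a Dial() execution line from the CLI or a log file; any text between
# the timestamp and "Executing" (e.g. "VERBOSE[...] pbx.c:") is skipped.
DIAL_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\].*?Executing \[(?P<exten>[^@\]]+)@(?P<context>[^:\]]+):\d+\]\s+'
    r'Dial\("(?P<channel>[^"]+)",\s*"(?P<target>[^"]+)"\)'
)

def parse_dial(line):
    """Return a dict describing a Dial() execution line, or None for other lines."""
    m = DIAL_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # "SIP/999-00137154" -> tech "SIP", peer "999" (the suffix is a channel instance id)
    tech, _, rest = rec["channel"].partition("/")
    rec["tech"], rec["peer"] = tech, rest.rsplit("-", 1)[0]
    # "SIP/<trunk>/<number>[,timeout,options]" -> trunk and the number actually sent
    parts = rec["target"].split("/")
    rec["trunk"] = parts[1] if len(parts) > 1 else ""
    rec["sent"] = parts[2].split(",")[0] if len(parts) > 2 else ""
    return rec

def calls_by_peer(log_lines, disputed):
    """Group Dial() attempts to disputed numbers by (tech, peer, trunk)."""
    hits = defaultdict(list)
    for line in log_lines:
        rec = parse_dial(line)
        if rec and rec["sent"] in disputed:
            hits[(rec["tech"], rec["peer"], rec["trunk"])].append((rec["ts"], rec["sent"]))
    return dict(hits)

# First line is quoted from the thread; the rest are constructed sample data.
SAMPLE_LOG = [
    '[Oct 10 16:13:06] -- Executing [976861386580543@default:2] Dial("SIP/999-00137154", "SIP/aatroxcommunications/61386580543") in new stack',
    '[Oct 10 16:13:06] == Using SIP RTP CoS mark 5',
    '[Oct 11 02:14:40] -- Executing [90015555550100@default:2] Dial("SIP/201-0000002a", "SIP/exampletrunk/0015555550100,60,tTo") in new stack',
    '[Oct 11 02:15:02] -- Executing [90015555550101@default:2] Dial("SIP/201-0000002b", "SIP/exampletrunk/0015555550101,60,tTo") in new stack',
    '[Oct 11 09:30:11] -- Executing [90015555550199@default:2] Dial("SIP/302-0000002c", "SIP/exampletrunk/0015555550199,60,tTo") in new stack',
]
# Constructed stand-in for the numbers on the provider's bill; use the same
# number format the trunk was sent, since matching here is exact.
DISPUTED = {"0015555550100", "0015555550101"}

if __name__ == "__main__":
    for (tech, peer, trunk), calls in calls_by_peer(SAMPLE_LOG, DISPUTED).items():
        print(f"{tech}/{peer} via {trunk}: {len(calls)} disputed call(s)")
        for ts, number in calls:
            print(f"  {ts}  {number}")
```

If no peer on the server ever dialed a disputed number, compare the originating IP the provider recorded against the server's IP, as the last reply describes.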