[Freeswitch-users] Need help to stop this hack into FreeSwitch!

Yehavi Bourvine yehavi.bourvine at gmail.com
Tue May 20 21:51:27 MSD 2014


A slight clarification: +972 is Israel, and +970 is Palestine (Gaza & West
Bank); however, at present 970 is an alias to 972.

The call you see is to +972-59xxxxx which is one of the Palestinian mobile
operators (Jawwal).

If you block 972 then you block all Israel. You can block +972-5[69]xxxxx
which are the two Palestinian mobile operators.

                     Regards, __Yehavi:


2014-05-20 20:32 GMT+03:00 Lawrence Conroy <lconroy at insensate.co.uk>:

> Hi Mario,
>  +972 - Aha -- our friends in the Gaza Strip/Ramallah at work.
> Fail2Ban worked very nicely to deal with this excrescence for me.
>
> I assume that you do require authentication before calling out.
> outside_calling is being set, so it's certainly armed (i.e., the dialplan
> knows that this is a non-local call).
> Thus I'd guess fS drops the call as it skips any outcalling originate
> command.
>
> => Looks like you have a call in from what purports to be your ITSP with a
> destination number of +972... @ <your domain>, it hits 4003, and that
> context doesn't allow the call to proceed.
> So ... it's a nuisance, but at least it isn't costing you money.
>
> Is this what you're seeing? The dialplan is simply not allowing the
> outside_call to go anywhere when it's to an external number.
>
> all the best,
>   Lawrence
>
> On 20 May 2014, at 17:57, Mario G <mario_fs at mgtech.com> wrote:
> > Someone has gotten into my FreeSwitch, my firewall is set to only allow
> > SIP traffic from my ITSP, and I added a rule to block the bad address but
> > it did not work so I am baffled. It looks like 85.25.198.253 (Germany) is
> > making a call to me and trying to call out. I would really appreciate any
> > ideas on what kind of general FW rule to add to prevent this, I don’t know
> > what is going on. Next I’ll run PCAPs. I was thinking of a rule to block
> > all outgoing SIP traffic except to the ITSP. Would appreciate help,
> > especially an explanation of what they are trying to do in FS.
> > Mario G
> >
> > * Started May 19 8am, goes through all 7 sip accounts every 10 seconds
> > * Each time it starts at extension 1000, goes through all 7 accounts,
> >   then waits 10 seconds, the extension is incremented by 1 and goes through
> >   all 7 accounts, this repeats until finally stopping at extension 9010, then
> >   starts at a different time of day hours later.
> >
> > * My account is itsp1 and itsp2, there are 5 more but I cut them out to
> >   reduce this.
> > * 1.2.3.4 is my public wan address.
> > * They look like 85.25.198.253, but blocking that in the FW does not
> >   help. Odd since I have done that before and it worked.
> > * The "processing 4003 <4003>->+972592406392" is baffling.
> >
> > This is a short/reduced snippet from the log:
> > 2014-05-19 17:02:23.827470 [NOTICE] switch_channel.c:1054 New Channel
> sofia/itsp1/4003 at 1.2.3.4 [2837a51d-b25d-4b42-9fd9-f5b772d93f70]
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send
> signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467
> (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send
> signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> > 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4receiving invite from
> 85.25.198.253:5074 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
> > 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6200 Channel sofia/itsp1/
> 4003 at 1.2.3.4 entering state [received][100]
> > 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6210 Remote SDP:
> > v=0
> > o=sipcli-Session 1785091527 1239589188 IN IP4 85.25.198.253
> > s=sipcli
> > c=IN IP4 85.25.198.253
> > t=0 0
> > m=audio 5075 RTP/AVP 18 0 8 101
> > a=rtpmap:18 G729/8000
> > a=rtpmap:0 PCMU/8000
> > a=rtpmap:8 PCMA/8000
> > a=rtpmap:101 telephone-event/8000
> > a=fmtp:101 0-15
> > a=ptime:20
> >
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3437 Audio Codec
> Compare [PCMA:8:8000:20:64000] ++++ is saved as a match
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3383 Audio Codec
> Compare [PCMA:8:8000:20:64000]/[GSM:3:8000:20:13200]
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3309 Set
> telephone-event payload to 101
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:2343 Set Codec
> sofia/itsp1/4003 at 1.2.3.4 PCMU/8000 20 ms 160 samples 64000 bits
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_codec.c:111 sofia/itsp1/
> 4003 at 1.2.3.4 Original read codec set to PCMU:0
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3626 Set 2833
> dtmf send/recv payload to 101
> > 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6485 (sofia/itsp1/
> 4003 at 1.2.3.4) State Change CS_NEW -> CS_INIT
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send
> signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:486
> (sofia/itsp1/4003 at 1.2.3.4) State NEW
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467
> (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_INIT
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507
> (sofia/itsp1/4003 at 1.2.3.4) State INIT
> > 2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:87 sofia/itsp1/
> 4003 at 1.2.3.4 SOFIA INIT
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:40
> sofia/itsp1/4003 at 1.2.3.4 Standard INIT
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:48
> (sofia/itsp1/4003 at 1.2.3.4) State Change CS_INIT -> CS_ROUTING
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send
> signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507
> (sofia/itsp1/4003 at 1.2.3.4) State INIT going to sleep
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467
> (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_ROUTING
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:2178 (sofia/itsp1/
> 4003 at 1.2.3.4) Callstate Change DOWN -> RINGING
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523
> (sofia/itsp1/4003 at 1.2.3.4) State ROUTING
> > 2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:123 sofia/itsp1/
> 4003 at 1.2.3.4 SOFIA ROUTING
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:164
> sofia/itsp1/4003 at 1.2.3.4 Standard ROUTING
> > 2014-05-19 17:02:23.827470 [INFO] mod_dialplan_xml.c:558 Processing 4003
> <4003>->+972592406392 in context public
> > Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->unloop]
> continue=false
> > Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (PASS) [unloop]
> ${unroll_loops}(true) =~ /^true$/ break=on-false
> > Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [unloop]
> ${sip_looped_call}() =~ /^true$/ break=on-false
> > Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->outside_call]
> continue=true
> > Dialplan: sofia/itsp1/4003 at 1.2.3.4 Absolute Condition [outside_call]
> > Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action set(outside_call=true)
> > Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action
> export(RFC2822_DATE=${strftime(%a, %d %b %Y %T %z)})
> > Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->call_debug]
> continue=true
> > Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [call_debug]
> ${call_debug}(false) =~ /^true$/ break=never
> > Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->public_extensions]
> continue=false
> > Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [public_extensions]
> destination_number(+972592406392) =~ /^([1-2][0-1][0-3])$/ break=on-false
> > ………. deleted lines
> > Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp1_did]
> destination_number(+972592406392) =~ /^(1212121212121)$/ break=on-false
> > Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->itsp2_did]
> continue=false
> > Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp2_did]
> destination_number(+972592406392) =~ /^(1313131313131)$/ break=on-false
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:214
> (sofia/itsp1/4003 at 1.2.3.4) State Change CS_ROUTING -> CS_EXECUTE
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send
> signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523
> (sofia/itsp1/4003 at 1.2.3.4) State ROUTING going to sleep
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467
> (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_EXECUTE
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530
> (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE
> > 2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:178 sofia/itsp1/
> 4003 at 1.2.3.4 SOFIA EXECUTE
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:256
> sofia/itsp1/4003 at 1.2.3.4 Standard EXECUTE
> > EXECUTE sofia/itsp1/4003 at 1.2.3.4 set(outside_call=true)
> > 2014-05-19 17:02:23.827470 [DEBUG] mod_dptools.c:1435 sofia/itsp1/
> 4003 at 1.2.3.4 SET [outside_call]=[true]
> > EXECUTE sofia/itsp1/4003 at 1.2.3.4 export(RFC2822_DATE=Mon, 19 May 2014
> 17:02:23 -0700)
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:1246 EXPORT
> (export_vars) [RFC2822_DATE]=[Mon, 19 May 2014 17:02:23 -0700]
> > 2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:313
> sofia/itsp1/4003 at 1.2.3.4 has executed the last dialplan instruction,
> hanging up.
> > 2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:315
> Hangup sofia/itsp1/4003 at 1.2.3.4 [CS_EXECUTE] [NORMAL_CLEARING]
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:3216 Send signal
> sofia/itsp1/4003 at 1.2.3.4 [KILL]
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send
> signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530
> (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE going to sleep
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467
> (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_HANGUP
> > 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:730
> (sofia/itsp1/4003 at 1.2.3.4) Callstate Change RINGING -> HANGUP
> > 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732
> (sofia/itsp1/4003 at 1.2.3.4) State HANGUP
> > 2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:413 Channel sofia/itsp1/
> 4003 at 1.2.3.4 hanging up, cause: NORMAL_CLEARING
> > 2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:547 Responding to INVITE
> with: 480
> > 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:58
> sofia/itsp1/4003 at 1.2.3.4 Standard HANGUP, cause: NORMAL_CLEARING
> > 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732
> (sofia/itsp1/4003 at 1.2.3.4) State HANGUP going to sleep
> > 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:499
> (sofia/itsp1/4003 at 1.2.3.4) State Change CS_HANGUP -> CS_REPORTING
> > 2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send
> signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> > 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:467
> (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_REPORTING
> > 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818
> (sofia/itsp1/4003 at 1.2.3.4) State REPORTING
> > 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:102
> sofia/itsp1/4003 at 1.2.3.4 Standard REPORTING, cause: NORMAL_CLEARING
> > 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818
> (sofia/itsp1/4003 at 1.2.3.4) State REPORTING going to sleep
> > 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:493
> (sofia/itsp1/4003 at 1.2.3.4) State Change CS_REPORTING -> CS_DESTROY
> > 2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send
> signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> > 2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1604 Session
> 234 (sofia/itsp1/4003 at 1.2.3.4) Locked, Waiting on external entities
> > 2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1622 Session
> 234 (sofia/itsp1/4003 at 1.2.3.4) Ended
> > 2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1626 Close
> Channel sofia/itsp1/4003 at 1.2.3.4 [CS_DESTROY]
> > 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:618
> (sofia/itsp1/4003 at 1.2.3.4) Callstate Change HANGUP -> DOWN
> > 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:621
> (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_DESTROY
> > 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631
> (sofia/itsp1/4003 at 1.2.3.4) State DESTROY
> > 2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:323 sofia/itsp1/
> 4003 at 1.2.3.4 SOFIA DESTROY
> > 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:109
> sofia/itsp1/4003 at 1.2.3.4 Standard DESTROY
> > 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631
> (sofia/itsp1/4003 at 1.2.3.4) State DESTROY going to sleep
> > 2014-05-19 17:02:25.107472 [NOTICE] switch_channel.c:1054 New Channel
> sofia/itsp1/4003 at 1.2.3.4 [364bd3e4-2c4b-4412-b259-10cfb0b6c391]
> > 2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send
> signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> > 2014-05-19 17:02:25.107472 [DEBUG] switch_core_state_machine.c:467
> (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
> > 2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send
> signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> > 2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4receiving invite from
> 85.25.198.253:5084 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
> > 2014-05-19 17:02:25.107472 [DEBUG] sofia.c:6200 Channel sofia/itsp1/
> 4003 at 1.2.3.4 entering state [received][100]
> > 2014-05-19 17:02:25.107472 [DEBUG] sofia.c:6210 Remote SDP:
> > v=0
> > o=sipcli-Session 17343503 2124966596 IN IP4 85.25.198.253
> > s=sipcli
> > c=IN IP4 85.25.198.253
> > t=0 0
> > m=audio 5085 RTP/AVP 18 0 8 101
> > a=rtpmap:18 G729/8000
> > a=rtpmap:0 PCMU/8000
> > a=rtpmap:8 PCMA/8000
> > a=rtpmap:101 telephone-event/8000
> > a=fmtp:101 0-15
> > a=ptime:20
> >
> > 2014-05-19 17:02:25.107472 [DEBUG] switch_core_media.c:3383 Audio Codec
> Compare [G729:18:8000:20:8000]/[G722:9:8000:20:64000]
> >
> >
> > _________________________________________________________________________
> > Professional FreeSWITCH Consulting Services:
> > consulting at freeswitch.org
> > http://www.freeswitchsolutions.com
> >
> > 
> > 
> >
> > Official FreeSWITCH Sites
> > http://www.freeswitch.org
> > http://wiki.freeswitch.org
> > http://www.cluecon.com
> >
> > FreeSWITCH-users mailing list
> > FreeSWITCH-users at lists.freeswitch.org
> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> > http://www.freeswitch.org
>
>
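One way to triage a log like the one quoted above (an added example, not code from the thread or from the FreeSWITCH project): it pairs each INVITE's source address with the destination number the dialplan tested, then flags sources outside the ITSP range and destinations matching the +972-5[69] prefixes named in the reply. The ITSP range, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the ITSP's signalling range (documentation addresses, not from the thread).
ITSP_NETS = [ipaddress.ip_network("203.0.113.0/28")]
# Prefixes named in the reply: +972-5[69]; 970 is accepted too since it aliases 972.
WATCHED_DEST = re.compile(r"^\+?97[02]5[69]\d+$")

INVITE = re.compile(r"(sofia/\S+?)\s*receiving invite from (\d{1,3}(?:\.\d{1,3}){3}):\d+")
DEST = re.compile(r"Dialplan: (\S+) Regex \((?:PASS|FAIL)\) \[\w+\] "
                  r"destination_number\(([^)]*)\)")

def audit(lines, itsp_nets=ITSP_NETS):
    """Map source IP -> off_net flag, INVITE count, watched destinations dialled."""
    chan_src = {}  # channel name -> source IP of its most recent INVITE
    report = defaultdict(lambda: {"off_net": False, "invites": 0, "watched": set()})
    for line in lines:
        m = INVITE.search(line)
        if m:
            chan, ip = m.groups()
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue  # malformed address in the log line
            chan_src[chan] = ip
            report[ip]["invites"] += 1
            report[ip]["off_net"] = not any(addr in net for net in itsp_nets)
            continue
        m = DEST.search(line)
        if m and m.group(1) in chan_src and WATCHED_DEST.match(m.group(2)):
            report[chan_src[m.group(1)]]["watched"].add(m.group(2))
    return dict(report)

def suspects(report):
    """Sources outside the ITSP range or that tried a watched prefix."""
    return sorted(ip for ip, e in report.items() if e["off_net"] or e["watched"])

# Constructed sample modelled on the quoted log (lines unwrapped, "@" restored).
SAMPLE = [
    "[DEBUG] sofia.c:8334 sofia/itsp1/4003@1.2.3.4 receiving invite from 85.25.198.253:5074",
    "Dialplan: sofia/itsp1/4003@1.2.3.4 Regex (FAIL) [public_extensions] destination_number(+972590000001)",
    "[DEBUG] sofia.c:8334 sofia/itsp1/4004@1.2.3.4receiving invite from 85.25.198.253:5084",
    "Dialplan: sofia/itsp1/4004@1.2.3.4 Regex (FAIL) [itsp1_did] destination_number(+972560000002)",
    "[DEBUG] sofia.c:8334 sofia/itsp1/1212121212121@1.2.3.4 receiving invite from 203.0.113.5:5060",
    "Dialplan: sofia/itsp1/1212121212121@1.2.3.4 Regex (PASS) [itsp1_did] destination_number(1212121212121)",
]
```

An `off_net` source in the report means SIP reached FreeSWITCH from an address the firewall was expected to drop, which is the condition to check before relying on the dialplan alone.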