[Freeswitch-users] FS account got hacked **urgent**

Siju Nair siju.irs at gmail.com
Thu Mar 2 17:24:43 MSK 2017


Hi Brian,

Thanks for your reply ...

Yes, on pulling the CDR report I could see outbound calls to a few locations, setting up my DID as caller ID.

Sent from my iPhone

> On 01-Mar-2017, at 5:29 AM, Brian West <brian at freeswitch.org> wrote:
> 
> You can calm down. Do you have any proof you've been hacked?  This appears to be an SQL injection attempt; I started seeing this yesterday!
> 
> Here is what I had in my logs and what the packet has in it:
> 
> 2017-02-27 18:40:20.451831 [WARNING] switch_core_state_machine.c:687 a7c86b62-4dbf-4609-8bc2-3b6a38e2686a sofia/internal/‘hi'or‘x’='x'@190.102.98.246 Abandoned
> 2017-02-27 18:40:20.451831 [NOTICE] switch_core_state_machine.c:690 Hangup sofia/internal/‘hi'or‘x’='x'@190.102.98.246 [CS_NEW] [WRONG_CALL_STATE]
> 2017-02-27 18:40:20.451831 [NOTICE] switch_core_session.c:1730 Session 2 (sofia/internal/‘hi'or‘x’='x'@190.102.98.246) Ended
> 2017-02-27 18:40:20.451831 [NOTICE] switch_core_session.c:1734 Close Channel sofia/internal/‘hi'or‘x’='x'@190.102.98.246 [CS_DESTROY]
> 
> 
> 
>    INVITE sip:1259360048825408632@190.102.98.246 SIP/2.0
>    Via: SIP/2.0/UDP 62.210.245.31:41254;branch=z9hG4bK-524287-1---321bda12cf15b137;rport
>    Max-Forwards: 70
>    Contact: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@62.210.245.31:41254>;+sip.instance="<urn:uuid:4c5f3dc8-9f8a-4470-9b43-bd04fcd1634d>"
>    To: <sip:1259360048825408632@190.102.98.246>
>    From: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@190.102.98.246>;tag=UBAWADPX
>    Call-ID: OIERRISLMMBKZCIIUGWESXQM
>    CSeq: 1 INVITE
>    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO
>    Content-Type: application/sdp
>    Supported: replaces
>    User-Agent: Cisco-SIPGateway/IOS-12.x
>    Allow-Events: hold, talk, conference
>    Content-Length: 0
> 
> 
> I would like to dive deeper and see if anyone else has seen this. I had also seen it today in the FreeSWITCH HipChat channel.
> 
> /b
> 
> 
> 
>> On Tue, Feb 28, 2017 at 2:38 PM, Siju Nair <siju.irs at gmail.com> wrote:
>> Hi team ,
>> 
>> Please help on below query
>> 
>> Sent from my iPhone
>> 
>> > On 28-Feb-2017, at 3:59 PM, Siju Nair <siju.irs at gmail.com> wrote:
>> >
>> > Hi Team
>> >
>> > My account got hacked and attacked using my DID number as caller ID and making calls via my FS server.
>> >
>> > In the logs I could notice this sofia/external/'hi'or'x'='x' ... what does this mean and how can they set my DID as caller ID and make calls... Urgent help needed.
>> >
>> > Thanks,
>> > Siju Nair
>> 
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>> 
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://confluence.freeswitch.org
>> http://www.cluecon.com
>> 
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
> 
> 
> 
> -- 
> Brian West
> brian at freeswitch.org
> 
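A detection sketch for the probe discussed in this thread, added here as an example and not code from the posters or from FreeSWITCH: it percent-decodes the user part of the From/To/Contact URIs in a SIP message, and the user part of a `sofia/<profile>/<user>@host` channel name in a log line, and flags the quote-`or`-quote-`=` tautology shape, including the typographic quotes (U+2018/U+2019) seen in the packet above. The function names, the sample message and the 192.0.2.x / 198.51.100.x addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote

QUOTES = "'\"\u2018\u2019\u201c\u201d"          # ASCII and typographic quotes
# quote, "or", quote, then "=" later on: the 'x' or 'y'='y' tautology shape
TAUTOLOGY = re.compile(rf"[{QUOTES}]\s*or\s*[{QUOTES}].*=", re.I)
SIP_USER = re.compile(r"sips?:([^@>\s;]+)@", re.I)  # user part of a SIP URI
CHANNEL_USER = re.compile(r"sofia/[^/\s]+/(\S+?)@")  # user part of a channel name
# Header names to inspect, including RFC 3261 compact forms (f, t, m)
CHECKED = {"from", "f", "to", "t", "contact", "m"}

def looks_like_sqli(user):
    """True if a decoded user part has the SQL tautology shape."""
    return bool(TAUTOLOGY.search(user))

def suspicious_sip_users(message):
    """Return [(header, decoded_user)] for flagged URIs in a raw SIP message."""
    hits = []
    for line in message.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in CHECKED:
            continue
        for raw in SIP_USER.findall(value):
            user = unquote(raw)              # %e2%80%98 -> U+2018, %27 -> '
            if looks_like_sqli(user):
                hits.append((name.strip(), user))
    return hits

def suspicious_log_user(log_line):
    """Return the flagged user from a FreeSWITCH log line, or None."""
    m = CHANNEL_USER.search(log_line)
    return m.group(1) if m and looks_like_sqli(m.group(1)) else None

# Constructed sample: payload as in the thread, documentation-range addresses.
SAMPLE_INVITE = """INVITE sip:1000@192.0.2.10 SIP/2.0
From: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@192.0.2.10>;tag=abc
To: <sip:1000@192.0.2.10>
Contact: <sip:alice@198.51.100.7:5060>
"""
SAMPLE_LOG = ("[WARNING] switch_core_state_machine.c:687 "
              "sofia/internal/\u2018hi'or\u2018x\u2019='x'@192.0.2.10 Abandoned")

if __name__ == "__main__":
    print(suspicious_sip_users(SAMPLE_INVITE))
    print(suspicious_log_user(SAMPLE_LOG))
```

A hit only means the request carried an injection-shaped username; whether calls were actually placed still has to be confirmed from the CDRs, as discussed in the thread.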