<div dir="ltr">You can calm down. Do you have any proof you&#39;ve been hacked? This appears to be an SQL injection attempt; I started seeing this yesterday!<div><br></div><div>Here is what I had in my logs and what the packet has in it:</div><div><br></div><div><div>2017-02-27 18:40:20.451831 [WARNING] switch_core_state_machine.c:687 a7c86b62-4dbf-4609-8bc2-3b6a38e2686a sofia/internal/‘hi&#39;or‘x’=&#39;x&#39;@190.102.98.246 Abandoned</div><div>2017-02-27 18:40:20.451831 [NOTICE] switch_core_state_machine.c:690 Hangup sofia/internal/‘hi&#39;or‘x’=&#39;x&#39;@190.102.98.246 [CS_NEW] [WRONG_CALL_STATE]</div><div>2017-02-27 18:40:20.451831 [NOTICE] switch_core_session.c:1730 Session 2 (sofia/internal/‘hi&#39;or‘x’=&#39;x&#39;@190.102.98.246) Ended</div><div>2017-02-27 18:40:20.451831 [NOTICE] switch_core_session.c:1734 Close Channel sofia/internal/‘hi&#39;or‘x’=&#39;x&#39;@190.102.98.246 [CS_DESTROY]</div><div><br></div><div>   INVITE sip:1259360048825408632@190.102.98.246 SIP/2.0</div><div>   Via: SIP/2.0/UDP 62.210.245.31:41254;branch=z9hG4bK-524287-1---321bda12cf15b137;rport</div><div>   Max-Forwards: 70</div><div>   Contact: &lt;sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@62.210.245.31:41254&gt;;+sip.instance=&quot;&lt;urn:uuid:4c5f3dc8-9f8a-4470-9b43-bd04fcd1634d&gt;&quot;</div><div>   To: &lt;sip:1259360048825408632@190.102.98.246&gt;</div><div>   From: &lt;sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@190.102.98.246&gt;;tag=UBAWADPX</div><div>   Call-ID: OIERRISLMMBKZCIIUGWESXQM</div><div>   CSeq: 1 INVITE</div><div>   Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO</div><div>   Content-Type: application/sdp</div><div>   Supported: replaces</div><div>   User-Agent: Cisco-SIPGateway/IOS-12.x</div><div>   Allow-Events: hold, talk, conference</div><div>   Content-Length: 0</div></div><div><br></div><div><br></div><div>I would like to dive deeper and see if anyone else has seen this; I had also seen it today in the FreeSWITCH HipChat channel.</div><div><br></div><div>/b</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 28, 2017 at 2:38 PM, Siju Nair <span dir="ltr">&lt;<a href="mailto:siju.irs@gmail.com" target="_blank">siju.irs@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi team,<br>
<br>
Please help on below query<br>
<br>
Sent from my iPhone<br>
<div><div class="h5"><br>
&gt; On 28-Feb-2017, at 3:59 PM, Siju Nair &lt;<a href="mailto:siju.irs@gmail.com">siju.irs@gmail.com</a>&gt; wrote:<br>
&gt;<br>
&gt; Hi Team<br>
&gt;<br>
&gt; My account got hacked and attacked using my DID number as caller ID and making calls via my FS server.<br>
&gt;<br>
&gt; In the logs I could notice this sofia/external/&#39;hi&#39;or&#39;x&#39;=&#39;x&#39; ... What does this mean and how can they set my DID as caller ID and make calls... Urgent help needed.<br>
&gt;<br>
&gt; Thanks,<br>
&gt; Siju Nair<br>
<br>
</div></div>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.<wbr>freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/<wbr>mailman/listinfo/freeswitch-<wbr>users</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">







<p><font face="courier new, monospace"><b><i><font size="4">Brian West</font></i></b><br><span style="font-size:x-small"><a href="mailto:brian@freeswitch.org" target="_blank">brian@freeswitch.org</a></span></font></p>
<p><font size="2" face="monospace, monospace"><b>T:</b>+19184209001 | <b>F:</b>+19184209002 | <b>M:</b>+1918424WEST (9378)<br><b>Skype:</b>briankwest</font></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div>
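<div>Added example, not part of the original post and not FreeSWITCH code: a log-triage sketch that percent-decodes the user part of the From, To and Contact URIs in a SIP request and flags the quote-plus-tautology shape seen in the INVITE above. The function names, the regular expressions and the choice of headers are assumptions; the sample message reuses header values from the post.</div>

```python
import re
from urllib.parse import unquote

# Constructed sample: header values copied from the INVITE quoted in the post.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:1259360048825408632@190.102.98.246 SIP/2.0",
    "Contact: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@62.210.245.31:41254>",
    "To: <sip:1259360048825408632@190.102.98.246>",
    "From: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27"
    "@190.102.98.246>;tag=UBAWADPX",
    "CSeq: 1 INVITE",
    "Content-Length: 0",
    "", "",
])

# Hypothetical helper patterns (assumptions, tune for your own traffic).
URI_USER_RE = re.compile(r"sips?:([^@>;\s]+)@", re.I)
# Fold typographic quotes (U+2018/2019/201C/201D) to ASCII before matching.
QUOTE_FOLD = str.maketrans({"\u2018": "'", "\u2019": "'",
                            "\u201c": '"', "\u201d": '"'})
# A quote, then OR/AND, then <term>=<term>: the always-true clause shape.
TAUTOLOGY_RE = re.compile(
    r"""['"]\s*(?:or|and)\s*['"]?\w*['"]?\s*=\s*['"]?\w*""", re.I)

def decoded_user(header_value):
    """Return the percent-decoded, quote-folded user part of a SIP URI."""
    match = URI_USER_RE.search(header_value)
    if match is None:
        return None
    return unquote(match.group(1)).translate(QUOTE_FOLD)

def suspicious_headers(raw_message, names=("from", "to", "contact")):
    """List (header, decoded user) pairs whose user part looks like SQLi."""
    findings = []
    for line in raw_message.split("\r\n")[1:]:   # skip the request line
        if not line:                             # blank line ends the headers
            break
        name, _, value = line.partition(":")
        if name.strip().lower() not in names:
            continue
        user = decoded_user(value)
        if user and TAUTOLOGY_RE.search(user):
            findings.append((name.strip(), user))
    return findings

if __name__ == "__main__":
    for header, user in suspicious_headers(SAMPLE_INVITE):
        print(f"{header}: {user}")
```

<div>Compact header names (f, t, m) and display names are not handled here; a hit only shows that the request carried the probe string, not that any query ran with it.</div>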