<div dir="ltr">yea man, Im seeing the exact same thing.<div>from the same IP actually.</div><div><br></div><div><br></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><pre style="margin-top:0px;margin-bottom:0px;padding:0px;box-sizing:border-box;color:rgb(0,0,0);font-size:11px">INVITE <a href="mailto:sip%3A0008148825408632@180.214.68.115">sip:0008148825408632@180.214.68.115</a> SIP/2.0</pre></div><div><pre style="margin-top:0px;margin-bottom:0px;padding:0px;box-sizing:border-box;color:rgb(0,0,0);font-size:11px">Via: SIP/2.0/UDP 62.210.245.31:41254;branch=z9hG4bK-524287-1---321bda12cf15b137;rport</pre></div><div><pre style="margin-top:0px;margin-bottom:0px;padding:0px;box-sizing:border-box;color:rgb(0,0,0);font-size:11px">Max-Forwards: 70</pre></div><div><pre style="margin-top:0px;margin-bottom:0px;padding:0px;box-sizing:border-box;color:rgb(0,0,0);font-size:11px">Contact: <<a href="http://sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@62.210.245.31:41254">sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@62.210.245.31:41254</a>>;+sip.instance="<urn:uuid:f6d7a08c-d1d0-4bb1-9f09-01d032f62c38>"</pre></div><div><pre style="margin-top:0px;margin-bottom:0px;padding:0px;box-sizing:border-box;color:rgb(0,0,0);font-size:11px">To: <<a href="mailto:sip%3A0008148825408632@180.214.68.115">sip:0008148825408632@180.214.68.115</a>></pre></div><div><pre style="margin-top:0px;margin-bottom:0px;padding:0px;box-sizing:border-box;color:rgb(0,0,0);font-size:11px">From: <<a href="mailto:sip%3A%25e2%2580%2598hi%2527or%25e2%2580%2598x%25e2%2580%2599%253d%2527x%2527@180.214.68.115">sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@180.214.68.115</a>>;tag=LNDMJRRH</pre></div><div><pre style="margin-top:0px;margin-bottom:0px;padding:0px;box-sizing:border-box;color:rgb(0,0,0);font-size:11px">Call-ID: XXINXNMLKORRQSRCIOPQFLZM</pre></div><div><pre style="margin-top:0px;margin-bottom:0px;padding:0px;box-sizing:border-box;color:rgb(0,0,0);font-size:11px">CSeq: 1 INVITE</pre></div><div><pre style="margin-top:0px;margin-bottom:0px;padding:0px;box-sizing:border-box;color:rgb(0,0,0);font-size:11px">Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO</pre></div><div><pre style="margin-top:0px;margin-bottom:0px;padding:0px;box-sizing:border-box;color:rgb(0,0,0);font-size:11px">Content-Type: application/sdp</pre></div><div><pre style="margin-top:0px;margin-bottom:0px;padding:0px;box-sizing:border-box;color:rgb(0,0,0);font-size:11px">Supported: replaces</pre></div><div><pre style="margin-top:0px;margin-bottom:0px;padding:0px;box-sizing:border-box;color:rgb(0,0,0);font-size:11px">User-Agent: Cisco-SIPGateway/IOS-12.x</pre></div><div><pre style="margin-top:0px;margin-bottom:0px;padding:0px;box-sizing:border-box;color:rgb(0,0,0);font-size:11px">Allow-Events: hold, talk, conference</pre></div><div><pre style="margin-top:0px;margin-bottom:0px;padding:0px;box-sizing:border-box;color:rgb(0,0,0);font-size:11px">Content-Length: 0</pre></div></blockquote><div><br></div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 1 March 2017 at 09:59, Brian West <span dir="ltr"><<a href="mailto:brian@freeswitch.org" target="_blank">brian@freeswitch.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">You can calm down, Do you have any proof you've been hacked? This appears to be an SQL Injection attempt, I started seeing this yesterday!<div><br></div><div>Here is what I had in my logs and what the packet has in it:</div><div><br></div><div><div>2017-02-27 18:40:20.451831 [WARNING] switch_core_state_machine.c:<wbr>687 a7c86b62-4dbf-4609-8bc2-<wbr>3b6a38e2686a sofia/internal/‘hi'or‘x’='x'@<wbr>190.10</div><div>2.98.246 Abandoned2017-02-27 18:40:20.451831 [NOTICE] switch_core_state_machine.c:<wbr>690 Hangup sofia/internal/‘hi'or‘x’='<a href="mailto:x%27@190.102.98.246" target="_blank">x'@<wbr>190.102.98.246</a> [CS_NEW] [WRONG_CALL_STATE]</div><div>2017-02-27 18:40:20.451831 [NOTICE] switch_core_session.c:1730 Session 2 (sofia/internal/‘hi'or‘x’='<a href="mailto:x%27@190.102.98.246" target="_blank">x'@<wbr>190.102.98.246</a>) Ended</div><div>2017-02-27 18:40:20.451831 [NOTICE] switch_core_session.c:1734 Close Channel sofia/internal/‘hi'or‘x’='<a href="mailto:x%27@190.102.98.246" target="_blank">x'@<wbr>190.102.98.246</a> [CS_DESTROY]</div><div><br></div><div><br></div><div><br></div><div> INVITE <a href="mailto:sip%3A1259360048825408632@190.102.98.246" target="_blank">sip:1259360048825408632@190.<wbr>102.98.246</a> SIP/2.0</div><div> Via: SIP/2.0/UDP 62.210.245.31:41254;branch=<wbr>z9hG4bK-524287-1---<wbr>321bda12cf15b137;rport</div><div> Max-Forwards: 70</div><div> Contact: <<a href="http://sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@62.210.245.31:41254" target="_blank">sip:%e2%80%98hi%27or%e2%80%<wbr>98x%e2%80%99%3d%27x%27@62.210.<wbr>245.31:41254</a>>;+sip.instance="<<wbr>urn:uuid:4c5f3dc8-9f8a-4470-<wbr>9b43-bd04fcd1634d>"</div><div> To: <<a href="mailto:sip%3A1259360048825408632@190.102.98.246" target="_blank">sip:1259360048825408632@190.<wbr>102.98.246</a>></div><div> From: <<a href="mailto:sip%3A%25e2%2580%2598hi%2527or%25e2%2580%2598x%25e2%2580%2599%253d%2527x%2527@190.102.98.246" target="_blank">sip:%e2%80%98hi%27or%e2%80%<wbr>98x%e2%80%99%3d%27x%27@190.<wbr>102.98.246</a>>;tag=UBAWADPX</div><div> Call-ID: OIERRISLMMBKZCIIUGWESXQM</div><div> CSeq: 1 INVITE</div><div> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO</div><div> Content-Type: application/sdp</div><div> Supported: replaces</div><div> User-Agent: Cisco-SIPGateway/IOS-12.x</div><div> Allow-Events: hold, talk, conference</div><div> Content-Length: 0</div></div><div><br></div><div><br></div><div>I would like to dive deeper and see if anyone else has seen this, I had also seen it today in the FreeSWITCH hipchat channel.</div><div><br></div><div>/b</div><div><br></div><div><br></div></div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On Tue, Feb 28, 2017 at 2:38 PM, Siju Nair <span dir="ltr"><<a href="mailto:siju.irs@gmail.com" target="_blank">siju.irs@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi team ,<br>
<br>
Please help on below query<br>
<br>
Sent from my iPhone<br>
<div><div class="m_-1108704319373357707h5"><br>
> On 28-Feb-2017, at 3:59 PM, Siju Nair <<a href="mailto:siju.irs@gmail.com" target="_blank">siju.irs@gmail.com</a>> wrote:<br>
><br>
> Hi Team<br>
><br>
> my account got hacked and attacked using my DID number as caller id and making calls via my FS server.<br>
><br>
> in logs i could notice this sofia/external/'hi'or'x'='x' ... what does this mean and how can they set my did as caller id and make calls... Urgent help needed.<br>
><br>
> Thanks,<br>
> Siju Nair<br>
<br>
</div></div>______________________________<wbr>______________________________<wbr>_____________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.freeswitchsolutions<wbr>.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.o<wbr>rg</a><br>
<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswi<wbr>tch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/ma<wbr>ilman/listinfo/freeswitch-user<wbr>s</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.frees<wbr>witch.org/mailman/options/<wbr>freeswitch-users</a><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
</blockquote></div><br><br clear="all"><div><br></div></div></div>-- <br><div class="m_-1108704319373357707gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">
<p><font face="courier new, monospace"><b><i><font size="4">Brian West</font></i></b><br><span style="font-size:x-small"><a href="mailto:brian@freeswitch.org" target="_blank">brian@freeswitch.org</a></span></font></p><p><b style="font-family:monospace,monospace;font-size:small"><i>Twitter: @FreeSWITCH , @briankwest</i></b></p><p><font size="2" face="monospace, monospace"><a href="http://www.freeswitchbook.com" target="_blank">http://www.freeswitchbook.com</a> <br><a href="http://www.freeswitchcookbook.com" target="_blank">http://www.freeswitchcookbook.<wbr>com</a><br><br>Allison prompts for FreeSWITCH:</font></p><table cellspacing="0" cellpadding="0" style="font-size:12.8px"><tbody><tr><td valign="baseline"><p><span><a href="https://www.gofundme.com/allison-prompts-for-freeswitch" target="_blank"><b>https://www.gofundme.com/<wbr>allison-prompts-for-freeswitch</b></a></span></p></td></tr></tbody></table><table cellspacing="0" cellpadding="0"><tbody>
</tbody>
</table><p><span><font face="monospace, monospace" size="2">Wish to schedule a meeting?</font></span></p><p><span><a href="http://app.timebridge.com/#/meet/freeswitch" target="_blank"><font face="monospace, monospace" size="2">http://app.timebridge.com/#/<wbr>meet/freeswitch</font></a></span></p><p><font face="monospace, monospace">Got Bugs? Report them <a href="https://freeswitch.org/jira" target="_blank">here</a>! | Reddit: <a href="https://www.reddit.com/r/freeswitch" target="_blank">/r/freeswitch</a></font></p>
<p><font size="2" face="monospace, monospace"><b>T:</b><a href="tel:+1%20918-420-9001" value="+19184209001" target="_blank">+19184209001</a> | <b>F:</b><a href="tel:+1%20918-420-9002" value="+19184209002" target="_blank">+19184209002</a> | <b>M:</b>+1918424WEST (9378)<br><b>Skype:</b>briankwest</font></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div>
<br>______________________________<wbr>______________________________<wbr>_____________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.<wbr>freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.<wbr>org</a><br>
<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.<wbr>freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/<wbr>mailman/listinfo/freeswitch-<wbr>users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.<wbr>freeswitch.org/mailman/<wbr>options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Sincerely<br><br>Jay</div>
</div>