<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Hi Brian,</div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">Thanks for ur reply ...&nbsp;</div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">Yes on pulling CDR report I could see outbound calls to few locations setting up my DID as caller I'd.&nbsp;<br><br>Sent from my iPhone</div><div><br>On 01-Mar-2017, at 5:29 AM, Brian West &lt;<a href="mailto:brian@freeswitch.org">brian@freeswitch.org</a>&gt; wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr">You can calm down, Do you have any proof you've been hacked?&nbsp; This appears to be an SQL Injection attempt, I started seeing this yesterday!<div><br></div><div>Here is what I had in my logs and what the packet has in it:</div><div><br></div><div><div>2017-02-27 18:40:20.451831 [WARNING] switch_core_state_machine.c:687 a7c86b62-4dbf-4609-8bc2-3b6a38e2686a sofia/internal/‘hi'or‘x’='x'@190.10</div><div>2.98.246 Abandoned2017-02-27 18:40:20.451831 [NOTICE] switch_core_state_machine.c:690 Hangup sofia/internal/‘hi'or‘x’='<a href="mailto:x%27@190.102.98.246">x'@190.102.98.246</a> [CS_NEW] [WRONG_CALL_STATE]</div><div>2017-02-27 18:40:20.451831 [NOTICE] switch_core_session.c:1730 Session 2 (sofia/internal/‘hi'or‘x’='<a href="mailto:x%27@190.102.98.246">x'@190.102.98.246</a>) Ended</div><div>2017-02-27 18:40:20.451831 [NOTICE] switch_core_session.c:1734 Close Channel sofia/internal/‘hi'or‘x’='<a href="mailto:x%27@190.102.98.246">x'@190.102.98.246</a> [CS_DESTROY]</div><div><br></div><div><br></div><div><br></div><div>&nbsp; &nbsp;INVITE <a href="mailto:sip%3A1259360048825408632@190.102.98.246">sip:1259360048825408632@190.102.98.246</a> SIP/2.0</div><div>&nbsp; &nbsp;Via: SIP/2.0/UDP 62.210.245.31:41254;branch=z9hG4bK-524287-1---321bda12cf15b137;rport</div><div>&nbsp; &nbsp;Max-Forwards: 70</div><div>&nbsp; &nbsp;Contact: &lt;<a href="http://sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@62.210.245.31:41254">sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@62.210.245.31:41254</a>&gt;;+sip.instance="&lt;urn:uuid:4c5f3dc8-9f8a-4470-9b43-bd04fcd1634d&gt;"</div><div>&nbsp; &nbsp;To: &lt;<a href="mailto:sip%3A1259360048825408632@190.102.98.246">sip:1259360048825408632@190.102.98.246</a>&gt;</div><div>&nbsp; &nbsp;From: &lt;<a href="mailto:sip%3A%25e2%2580%2598hi%2527or%25e2%2580%2598x%25e2%2580%2599%253d%2527x%2527@190.102.98.246">sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@190.102.98.246</a>&gt;;tag=UBAWADPX</div><div>&nbsp; &nbsp;Call-ID: OIERRISLMMBKZCIIUGWESXQM</div><div>&nbsp; &nbsp;CSeq: 1 INVITE</div><div>&nbsp; &nbsp;Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO</div><div>&nbsp; &nbsp;Content-Type: application/sdp</div><div>&nbsp; &nbsp;Supported: replaces</div><div>&nbsp; &nbsp;User-Agent: Cisco-SIPGateway/IOS-12.x</div><div>&nbsp; &nbsp;Allow-Events: hold, talk, conference</div><div>&nbsp; &nbsp;Content-Length: 0</div></div><div><br></div><div><br></div><div>I would like to dive deeper and see if anyone else has seen this, I had also seen it today in the FreeSWITCH hipchat channel.</div><div><br></div><div>/b</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 28, 2017 at 2:38 PM, Siju Nair <span dir="ltr">&lt;<a href="mailto:siju.irs@gmail.com" target="_blank">siju.irs@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi team ,<br>
<br>
Please help on below query<br>
<br>
Sent from my iPhone<br>
<div><div class="h5"><br>
&gt; On 28-Feb-2017, at 3:59 PM, Siju Nair &lt;<a href="mailto:siju.irs@gmail.com">siju.irs@gmail.com</a>&gt; wrote:<br>
&gt;<br>
&gt; Hi Team<br>
&gt;<br>
&gt; my account got hacked and attacked using my DID number as caller id and making calls via my FS server.<br>
&gt;<br>
&gt; in logs i could notice this sofia/external/'hi'or'x'='x' ... what does this mean and how can they set my did as caller id and make calls... Urgent help needed.<br>
&gt;<br>
&gt; Thanks,<br>
&gt; Siju Nair<br>
<br>
</div></div>______________________________<wbr>______________________________<wbr>_____________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.<wbr>freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.<wbr>org</a><br>
<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.<wbr>freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/<wbr>mailman/listinfo/freeswitch-<wbr>users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.<wbr>freeswitch.org/mailman/<wbr>options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">







<p><font face="courier new, monospace"><b><i><font size="4">Brian West</font></i></b><br><span style="font-size:x-small"><a href="mailto:brian@freeswitch.org" target="_blank">brian@freeswitch.org</a></span></font></p><p><b style="font-family:monospace,monospace;font-size:small"><i>Twitter: @FreeSWITCH , @briankwest</i></b></p><p><font size="2" face="monospace, monospace"><a href="http://www.freeswitchbook.com" target="_blank">http://www.freeswitchbook.com</a>&nbsp;<br><a href="http://www.freeswitchcookbook.com" target="_blank">http://www.freeswitchcookbook.com</a><br><br>Allison prompts for FreeSWITCH:</font></p><table cellspacing="0" cellpadding="0" style="font-size:12.8px"><tbody><tr><td valign="baseline"><p><span><a href="https://www.gofundme.com/allison-prompts-for-freeswitch" target="_blank"><b>https://www.gofundme.com/allison-prompts-for-freeswitch</b></a></span></p></td></tr></tbody></table><table cellspacing="0" cellpadding="0"><tbody>
</tbody>
</table><p><span><font face="monospace, monospace" size="2">Wish to schedule a meeting?</font></span></p><p><span><a href="http://app.timebridge.com/#/meet/freeswitch" target="_blank"><font face="monospace, monospace" size="2">http://app.timebridge.com/#/meet/freeswitch</font></a></span></p><p><font face="monospace, monospace">Got Bugs? Report them <a href="https://freeswitch.org/jira" target="_blank">here</a>! | Reddit:&nbsp;<a href="https://www.reddit.com/r/freeswitch" target="_blank">/r/freeswitch</a></font></p>
<p><font size="2" face="monospace, monospace"><b>T:</b>+19184209001 | <b>F:</b>+19184209002 | <b>M:</b>+1918424WEST (9378)<br><b>Skype:</b>briankwest</font></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div>
</div></blockquote><blockquote type="cite"><div><span>_________________________________________________________________________</span><br><span>Professional FreeSWITCH Consulting Services: </span><br><span><a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a></span><br><span><a href="http://www.freeswitchsolutions.com">http://www.freeswitchsolutions.com</a></span><br><span></span><br><span>Official FreeSWITCH Sites</span><br><span><a href="http://www.freeswitch.org">http://www.freeswitch.org</a></span><br><span><a href="http://confluence.freeswitch.org">http://confluence.freeswitch.org</a></span><br><span><a href="http://www.cluecon.com">http://www.cluecon.com</a></span><br><span></span><br><span>FreeSWITCH-users mailing list</span><br><span><a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a></span><br><span><a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a></span><br><span>UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users">http://lists.freeswitch.org/mailman/options/freeswitch-users</a></span><br><span><a href="http://www.freeswitch.org">http://www.freeswitch.org</a></span></div></blockquote></body></html>