[Freeswitch-users] spa8000 hack

fs fs at voice2net.ca
Mon Sep 30 18:24:57 MSD 2013


Thanks for the reply, the first thing I checked was the call forward on all lines and trunks, nada.  I made test calls into every port, it rang thru, so not sure.  My next step is to get a tshark of everything in and out of the network.  This is a voip only dsl so it should be easy to do.

As an interim, we have instituted a PIN number for overseas calls with a disable on 4 errors.

Thanks again.
Darcy



199.187156 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL2.DEBUG: M0: SDP RTPMAP 100 --> 255\n
199.188847 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL2.DEBUG: M0: SDP RTPMAP 101 --> 136\n
199.190438 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: [BCC]CallRoute:L1,2,3,401137744616847\n
199.191655 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: [BCC]CallRoute:L1,2,3,401137744616847\n
199.199951 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: pri-->INVITE-->pub\n
199.200916 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: pri-->INVITE-->pub\n
199.202721 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL2.DEBUG: M0: Calling:01137744616847 at my.company.ca:0\n
199.215750 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: [2]->xx.xxx.xxx.14:5060(985)\n
199.217288 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: [2]->xx.xxx.xxx.14:5060(985)\n
199.228906 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog INVITE sip:01137744616847 at my.company.ca SIP/2.0\r\nVia: SIP/2.0/UDP xx.xxx.xxx.41:16598;branch=z9hG4bK-809a3609\r\nFrom: "ivory dental" <sip:6132161111 at my.company.ca>;tag=87c993b11835377fo2;ref=200\r\nTo: <sip:01137744616847 at my.company.ca>\r\nRemote-Party-ID: "ivory dental" <sip:6132161111 at my.company.ca>;screen=yes;party=calling\r\nCall-ID: 95840519-118b3537 at xx.xxx.xxx.41\r\nCSeq: 101 INVITE\r\nMax-Forwards: 70\r\nContact: "ivory dental" <sip:6132161111 at xx.xxx.xxx.41:16598>\r\nExpires: 240\r\nUser-Agent: Linksys/SPA8000-6.1.12\r\nAllow-Events: talk, hold, conference\r\nContent-Length: 265\r\nAllow: ACK, BYE, CANCEL, INFO, INVITE, NOTIFY, OPTIONS, REFER\r\nSupported: x-sipura, replaces\r\nContent-Type: application/sdp\r\n\r\nv=0\r\no=- 81044819 81045805 IN IP4 10.10.1.63\r\ns=eyeBeam\r\nc=IN IP4 10.10.1.63\r\nt=0 0\r\nm=audio 8382 RTP/AVP 100 6 0 8 3 18 5 101\r\na=alt:1 1 : FC106A37 000000A7 10.10.1.63 8382\r\na=fmtp:101 0-15\r\na=rtpmap:100 speex/16000\r\na=rtpmap:101 telephone-event/8000\r\na=sendrecv\r\n
199.229774 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: \n
199.230739 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: \n
199.236422 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: [2]<<xx.xxx.xxx.14:5060(410)\n
199.238117 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: [2]<<xx.xxx.xxx.14:5060(410)\n
199.243087 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog SIP/2.0 100 Trying\r\nVia: SIP/2.0/UDP xx.xxx.xxx.41:16598;branch=z9hG4bK-809a3609;rport=16598\r\nFrom: "ivory dental" <sip:6132161111 at my.company.ca>;tag=87c993b11835377fo2;ref=200\r\nTo: <sip:01137744616847 at my.company.ca>\r\nCall-ID: 95840519-118b3537 at xx.xxx.xxx.41\r\nCSeq: 101 INVITE\r\nUser-Agent: FreeSWITCH-mod_sofia/1.2.0-rc2+git~20120620T194320Z~a0a9efcf02+unclean~20130121T043106Z\r\nContent-Length: 0\r\n\r\n
199.244280 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: \n
199.245238 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: \n
199.246773 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: [2]<<xx.xxx.xxx.14:5060(903)\n
199.248491 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: [2]<<xx.xxx.xxx.14:5060(903)\n
199.259707 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog SIP/2.0 407 Proxy Authentication Required\r\nVia: SIP/2.0/UDP xx.xxx.xxx.41:16598;branch=z9hG4bK-809a3609;rport=16598\r\nFrom: "ivory dental" <sip:6132161111 at my.company.ca>;tag=87c993b11835377fo2;ref=200\r\nTo: <sip:01137744616847 at my.company.ca>;tag=2BXmFrcQ9v74Q\r\nCall-ID: 95840519-118b3537 at xx.xxx.xxx.41\r\nCSeq: 101 INVITE\r\nUser-Agent: FreeSWITCH-mod_sofia/1.2.0-rc2+git~20120620T194320Z~a0a9efcf02+unclean~20130121T043106Z\r\nAccept: application/sdp\r\nAllow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, UPDATE, INFO, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE\r\nSupported: timer, precondition, path, replaces\r\nAllow-Events: talk, hold, presence, dialog, line-seize, call-info, sla, include-session-description, presence.winfo, message-summary, refer\r\nProxy-Authenticate: Digest realm="my.company.ca", nonce="63bcc7dc-298c-11e3-807c-17c4d7454b29", algorithm=MD5, qop="auth"\r\nContent-Length: 0\r\n\r\n
199.260840 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: \n
199.261745 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: \n
199.269739 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: [2]->xx.xxx.xxx.14:5060(497)\n
199.271381 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: [2]->xx.xxx.xxx.14:5060(497)\n
199.277953 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog ACK sip:01137744616847 at my.company.ca SIP/2.0\r\nVia: SIP/2.0/UDP xx.xxx.xxx.41:16598;branch=z9hG4bK-809a3609\r\nFrom: "ivory dental" <sip:6132161111 at my.company.ca>;tag=87c993b11835377fo2;ref=200\r\nTo: <sip:01137744616847 at my.company.ca>;tag=2BXmFrcQ9v74Q\r\nCall-ID: 95840519-118b3537 at xx.xxx.xxx.41\r\nCSeq: 101 ACK\r\nMax-Forwards: 70\r\nContact: "ivory dental" <sip:6132161111 at xx.xxx.xxx.41:16598>\r\nUser-Agent: Linksys/SPA8000-6.1.12\r\nAllow-Events: talk, hold, conference\r\nContent-Length: 0\r\n\r\n

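As an added example (not part of the thread), here is a small Python scanner over constructed syslog lines in the layout of the tshark capture above. It flags the indicators a defender can read straight out of that INVITE: an 011 international prefix on the dialed number, an SDP connection address that differs from the Via host (10.10.1.63 versus the ATA's own address), and a session name (s=eyeBeam) that does not match the Linksys User-Agent. Sample lines, addresses, numbers and indicator names are constructed for the example.

```python
import re
# Constructed sample in the tshark syslog layout quoted above (TEST-NET addresses, shortened
# numbers, "@" as tshark prints it): a debug line to skip, the suspicious INVITE, a local call.
SAMPLE = [
    "199.202721 203.0.113.41 -> 203.0.113.247 Syslog LOCAL2.DEBUG: M0: Calling:0113771234567@pbx.example:0\\n",
    "199.228906 203.0.113.41 -> 203.0.113.247 Syslog INVITE sip:0113771234567@pbx.example SIP/2.0\\r\\n"
    "Via: SIP/2.0/UDP 203.0.113.41:16598;branch=z9hG4bK-1\\r\\nUser-Agent: Linksys/SPA8000-6.1.12\\r\\n"
    "Content-Type: application/sdp\\r\\n\\r\\nv=0\\r\\no=- 1 2 IN IP4 10.10.1.63\\r\\ns=eyeBeam\\r\\nc=IN IP4 10.10.1.63\\r\\n",
    "200.000000 203.0.113.41 -> 203.0.113.247 Syslog INVITE sip:6135551212@pbx.example SIP/2.0\\r\\n"
    "Via: SIP/2.0/UDP 203.0.113.41:16598;branch=z9hG4bK-2\\r\\nUser-Agent: Linksys/SPA8000-6.1.12\\r\\n"
    "Content-Type: application/sdp\\r\\n\\r\\nv=0\\r\\no=- 3 4 IN IP4 203.0.113.41\\r\\ns=-\\r\\nc=IN IP4 203.0.113.41\\r\\n",
]
INVITE_RE = re.compile(r"^(?P<ts>\S+) \S+ -> \S+ Syslog INVITE sip:(?P<callee>[^@\s]+)@")

def parse_invite(line):
    """Split one syslog'd INVITE into SIP headers and SDP fields; None for other lines."""
    m = INVITE_RE.match(line)
    if not m:
        return None
    headers, sdp, in_body = {}, {}, False
    for part in re.split(r"\\r\\n|\r\n", line)[1:]:  # tshark prints CRLF as literal \r\n
        if in_body:
            if "=" in part:
                sdp.setdefault(*part.split("=", 1))  # keep the first s=/c=/o= line
        elif part == "":
            in_body = True  # blank line ends the SIP headers
        else:
            key, _, value = part.partition(":")
            headers[key.strip().lower()] = value.strip()
    return {"ts": m["ts"], "callee": m["callee"], "headers": headers, "sdp": sdp}

def fraud_indicators(inv):
    """Toll-fraud indicators the trace above makes visible, for one parsed INVITE."""
    flags = []
    if inv["callee"].startswith("011"):  # NANP international dialling prefix
        flags.append("international-prefix")
    via_host = inv["headers"].get("via", "?").split()[-1].split(";")[0].rsplit(":", 1)[0]
    media_host = inv["sdp"].get("c", "?").split()[-1]
    # Media offered from an address other than the signalling one (10.10.1.63 in the trace)
    # means the SDP was relayed; an ATA behind NAT does this too, so baseline its usual address.
    if media_host != via_host:
        flags.append("media-address-differs-from-via")
    session = inv["sdp"].get("s", "-")
    if session != "-" and session.lower() not in inv["headers"].get("user-agent", "").lower():
        flags.append("session-name-mismatch")  # s=eyeBeam offered by a Linksys ATA
    return flags

def scan(lines):
    # Run the indicators over every INVITE in a tshark syslog dump, skipping other lines.
    parsed = (parse_invite(line) for line in lines)
    return [(i["ts"], i["callee"], fraud_indicators(i)) for i in parsed if i]
```

Feed it the raw tshark output line by line; each INVITE comes back with its timestamp, dialed number and the list of indicators it tripped, so a call that trips all three is the one to pull the CDR and trunk registration history for.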

  ----- Original Message ----- 
  From: Gabe Shepard 
  To: FreeSWITCH Users Help 
  Sent: Monday, September 30, 2013 9:52 AM
  Subject: Re: [Freeswitch-users] spa8000 hack


  I don't see the full syslog here, but check to see if there's a call forward number set in the SPA8000?  We recently saw an instance where someone set a call forward on an SPA3102, dialed into the 3102 via a different number, and then it was forwarded back out.  


  -Gabe



  On Mon, Sep 30, 2013 at 1:18 AM, fs <fs at voice2net.ca> wrote:

    I do not know if anyone has seen this.  I use spa8000 ATAs to provide sip
    trunking to a freeswitch and onwards.  Over the past three days I have had
    someone hacking into the spa8000 and relaying international calls back out.
    I have no idea how they do it and cannot find any info in the traces that
    indicates where the call came from.  I have seen a note on Cisco's web site
    about someone else complaining about this but no resolution.

    My syslog from the spa8000 starts like so.

    Syslog LOCAL2.DEBUG: M0: Calling:01137744616847 at sample.switch.ca:0\n
    Syslog LOCAL0.INFO: M0: [2]->xx.xxx.xx.xx:5060(985)\n
    Syslog LOCAL0.INFO: M0: [2]->xx.xxx.xxx.xx:5060(985)\n
    Syslog INVITE sip:01137744616847 at sample.switch.ca SIP/2.0 {etc}

    Any thoughts or ideas would be REALLY appreciated.

    Darcy Primrose


    _________________________________________________________________________
    Professional FreeSWITCH Consulting Services:
    consulting at freeswitch.org
    http://www.freeswitchsolutions.com

    
    

    Official FreeSWITCH Sites
    http://www.freeswitch.org
    http://wiki.freeswitch.org
    http://www.cluecon.com

    FreeSWITCH-users mailing list
    FreeSWITCH-users at lists.freeswitch.org
    http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
    UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
    http://www.freeswitch.org






