[Freeswitch-users] FS account got hacked **urgent**

Brian West brian at freeswitch.org
Wed Mar 1 02:59:09 MSK 2017


You can calm down. Do you have any proof you've been hacked? This appears
to be an SQL injection attempt; I started seeing this yesterday!

Here is what I had in my logs and what the packet has in it:

2017-02-27 18:40:20.451831 [WARNING] switch_core_state_machine.c:687 a7c86b62-4dbf-4609-8bc2-3b6a38e2686a sofia/internal/‘hi'or‘x’='x'@190.102.98.246 Abandoned
2017-02-27 18:40:20.451831 [NOTICE] switch_core_state_machine.c:690 Hangup sofia/internal/‘hi'or‘x’='x'@190.102.98.246 [CS_NEW] [WRONG_CALL_STATE]
2017-02-27 18:40:20.451831 [NOTICE] switch_core_session.c:1730 Session 2 (sofia/internal/‘hi'or‘x’='x'@190.102.98.246) Ended
2017-02-27 18:40:20.451831 [NOTICE] switch_core_session.c:1734 Close Channel sofia/internal/‘hi'or‘x’='x'@190.102.98.246 [CS_DESTROY]



   INVITE sip:1259360048825408632@190.102.98.246 SIP/2.0
   Via: SIP/2.0/UDP 62.210.245.31:41254;branch=z9hG4bK-524287-1---321bda12cf15b137;rport
   Max-Forwards: 70
   Contact: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@62.210.245.31:41254>;+sip.instance="<urn:uuid:4c5f3dc8-9f8a-4470-9b43-bd04fcd1634d>"
   To: <sip:1259360048825408632@190.102.98.246>
   From: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@190.102.98.246>;tag=UBAWADPX
   Call-ID: OIERRISLMMBKZCIIUGWESXQM
   CSeq: 1 INVITE
   Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO
   Content-Type: application/sdp
   Supported: replaces
   User-Agent: Cisco-SIPGateway/IOS-12.x
   Allow-Events: hold, talk, conference
   Content-Length: 0


I would like to dive deeper and see if anyone else has seen this. I had
also seen it today in the FreeSWITCH HipChat channel.

/b



On Tue, Feb 28, 2017 at 2:38 PM, Siju Nair <siju.irs at gmail.com> wrote:

> Hi team ,
>
> Please help on below query
>
> Sent from my iPhone
>
> > On 28-Feb-2017, at 3:59 PM, Siju Nair <siju.irs at gmail.com> wrote:
> >
> > Hi Team
> >
> > My account got hacked and attacked using my DID number as caller ID and
> > making calls via my FS server.
> >
> > In the logs I could notice this sofia/external/'hi'or'x'='x' ... what does
> > this mean and how can they set my DID as caller ID and make calls... Urgent
> > help needed.
> >
> > Thanks,
> > Siju Nair



-- 

*Brian West*
brian at freeswitch.org


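Added example, not part of the original message and not FreeSWITCH code: a Python check that percent-decodes the user part of the SIP URIs in the INVITE above, folds the typographic quotes to ASCII, and flags the quote/OR/equals tautology that appears in the channel name in the log. The function names and regexes are assumptions made for this illustration; the sample headers are copied from the packet with the line wraps rejoined.

```python
import re
from urllib.parse import unquote

# Constructed sample: Contact, To and From from the INVITE above,
# with wrapped lines rejoined and the archive's " at " read as "@".
SAMPLE_HEADERS = [
    "Contact: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@62.210.245.31:41254>",
    "To: <sip:1259360048825408632@190.102.98.246>",
    "From: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@190.102.98.246>;tag=UBAWADPX",
]

URI_USER = re.compile(r"<sips?:([^@>]*)@", re.IGNORECASE)
# Map typographic quotes to ASCII so one pattern covers both forms.
QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})
# A quote, then OR/AND, then a quoted-or-bare comparison: the tautology shape.
TAUTOLOGY = re.compile(r"""['"]\s*(?:or|and)\s*['"]?\w*['"]?\s*=\s*['"]?\w*""", re.IGNORECASE)
# Assumed allow-list for a user part that is a phone number or extension.
SAFE_USER = re.compile(r"^[A-Za-z0-9+._\-]+$")

def decode_user(header_line):
    """Return the percent-decoded, quote-normalized URI user part, or None."""
    m = URI_USER.search(header_line)
    if not m:
        return None
    return unquote(m.group(1), encoding="utf-8", errors="replace").translate(QUOTES)

def classify(header_line):
    """Return 'sqli', 'suspicious' or 'ok' for one header line."""
    user = decode_user(header_line)
    if user is None or SAFE_USER.match(user):
        return "ok"
    return "sqli" if TAUTOLOGY.search(user) else "suspicious"

def scan(headers):
    """Return {header-name: (decoded-user, verdict)} for headers that are not 'ok'."""
    findings = {}
    for line in headers:
        verdict = classify(line)
        if verdict != "ok":
            findings[line.split(":", 1)[0]] = (decode_user(line), verdict)
    return findings

if __name__ == "__main__":
    for name, (user, verdict) in scan(SAMPLE_HEADERS).items():
        print(f"{name}: {verdict}: {user}")
```

Decoding before matching is the point here: the wire form carries no literal quote characters, so a pattern applied to the raw header would not match.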
