1

I'm still new to Asterisk/Elastix and apologize if this question is misplaced.

Recently one of our larger clients was hacked and we remedied the situation by enabling fail2ban. It seemed to have stopped the hackers from trying to register extensions but I still suspect that the server is under some sort of attack.

There is a constant stream of WARNINGs in the Asterisk CLI stating something along the lines of:

WARNING[2184]: chan_sip.c:3755 __sip_xmit: sip_xmit of ... (len 371) to (null) returned -1: Invalid argument

There are about 3 to 5 of these warnings each second and I am concerned that it will affect quality of service or lead the company to be victims of fraudsters.

Could the warnings be the result of an improperly configured PBX or could it be a possible attack?

The clients current setup is as follows:

  • Elastix 4.0.74
  • Asterisk 11.20.0

See screenshot of warning messages in CLI below: enter image description here Thanks in advance.

galoget
  • 1,414
  • 1
  • 9
  • 15
Son of Sam
  • 77
  • 1
  • 8
  • Possible duplicate of [How to deal with compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – grochmal Jan 02 '17 at 21:26
  • 1
    @grochmal Not at all a duplicate of that. It's a question about whether these log alerts could point to a malicious attack. – Polynomial Jan 02 '17 at 22:58
  • I'm not sure whether to suspect that the attackers merely changed their MO after I blocked them from attempting to register extensions with fail2ban, or if I screwed a config setting somewhere by doing so. Either way they threat level remains unknown to me – Son of Sam Jan 25 '17 at 10:19
  • This is rather old, but in general if you suspect a network attack, run a packet capture and look for unusual traffic. – Steve Sether Aug 01 '17 at 21:14

1 Answers1

-1

It appears that the system is doing a DNS lookup of the Trunk name possibly.

mcgoosh
  • 29
  • 5