rda
Grünschnabel


Registration Date: 20.03.2011
Posts: 21

Missing/Inconsistent log

Hi there,

my system log reports the following lines:

Sep 30 23:57:26 VERBOSE[103123] logger.c: -- Registered SIP 'rdarioc-200' expires 1800
Oct 1 02:14:22 VERBOSE[8028] logger.c: -- Called 302@from-internal/n


while my Call Monitor reports the following lines:

2016-10-01 02:13:42 "R.D. Contarino" <100> 1 sa413.saturn.fastwebserver.de ext-group Hangup (00:04:27)


In other words there are 40 seconds of System Log missing and I am even unable to find out who called me in the middle of the night.

What worries me is that I cannot even track if my account has been hacked or not.

Any suggestion?

01.10.2016 08:01 rdarioc
i-p
Super Moderator


Registration Date: 14.01.2006
Posts: 4775

RE: Missing/Inconsistent log

This is what the log looks like if somebody triggers a webcall via the URL of your extension 302, we suppose.

Try to make such a call and compare the logs.

01.10.2016 12:45 i-p-tel
rda
Grünschnabel


Registration Date: 20.03.2011
Posts: 21

RE: Missing/Inconsistent log

Perhaps I am misunderstanding something:

Allow me to summarize my understanding of how a webcall works on your service:

1. someone gets to the following web address:

www.pbxes.org/<username>

Where <username> was the field defined by me in one of my extension configuration pages and

2. this someone fills in the field available on such page for a "call-back" and

3. pbxes.org first starts the call toward the above "call-back" number and upon successful connection, only then,

4. pbxes.org starts the call toward the extension corresponding to the <username> as referred in the above step #1.

Now, if this is what should happen when a webcall is triggered, I have a couple of doubts:

A. The call was directed toward a ring-group which does not have any <username> configured and reachable from the web. Yes, the extension 302 has a <username> that could have triggered such webcall, but as you can see from the below log, the call went toward a ring-group (which included extension 302)


2016-10-01 02:14:27 +49xxxxxxxx +49xxxxxxxx VoipJumperDE from-internal-cont Dial 00:00:00
2016-10-01 02:14:22 "R.D. Contarino" <100> 302 from-internal-cont Dial 00:00:00
2016-10-01 02:13:42 "R.D. Contarino" <100> 1 89.163.242.161 ext-group Hangup


and

B. Where can I find the number that this someone put in the field mentioned in the above step #2 that could have, upon successful connection, triggered the web call? In my experience, but I could be wrong, the webcall is activated ONLY after a successful connection to such number, but I have no record of it.

I am still concerned about some hacking issues. I hope you will help me to clarify those doubts.

Thank you.

p.s. I noted that now on my Call Monitor, I read the IP address you wrote (see my above cut&paste), while tonight the field was filled in with its FQDN. How come that tonight I see (and cut&paste) one thing while now I see (and cut&paste) another thing? Did you perhaps change my log?

01.10.2016 14:34 rdarioc
i-p
Super Moderator


Registration Date: 14.01.2006
Posts: 4775

RE: Missing/Inconsistent log

You are right. This is not a webcall. Comparing the nightly call to other incoming calls to your PBX, they are absolutely similar. The call goes to ringgroup 1 as usual.

The only difference is the missing codec and RTP lines in your System Log for the incoming INVITE message. This is because the nightly call was generated by a non-telephone tool, Sipvicious; see the other thread in the Misc forum.

Don't worry because sometimes IP addresses get displayed in numerical form and sometimes with their corresponding DNS names in Call Monitor. This is because when reverse IP takes too long and times out, just the numbers are shown.

01.10.2016 23:18 i-p-tel
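
The comparison of Call Monitor and System Log made in this thread can be automated. The following is an added example, not part of the original posts and not PBXes code: it pairs each Call Monitor entry with the nearest System Log line and reports entries that have none within a tolerance. The function names, the 10-second tolerance and the caller-supplied year are assumptions; the sample lines are the ones quoted in the posts above.

```python
import re
from datetime import datetime

# Formats as they appear in the posts above; anything else is skipped.
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \w+\[\d+\] \S+: (.*)$")
MONITOR_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")

SYSTEM_LOG = [
    "Sep 30 23:57:26 VERBOSE[103123] logger.c: -- Registered SIP 'rdarioc-200' expires 1800",
    "Oct 1 02:14:22 VERBOSE[8028] logger.c: -- Called 302@from-internal/n",
]
CALL_MONITOR = [
    '2016-10-01 02:14:27 +49xxxxxxxx +49xxxxxxxx VoipJumperDE from-internal-cont Dial 00:00:00',
    '2016-10-01 02:14:22 "R.D. Contarino" <100> 302 from-internal-cont Dial 00:00:00',
    '2016-10-01 02:13:42 "R.D. Contarino" <100> 1 89.163.242.161 ext-group Hangup',
]

def parse_system_log(lines, year):
    """System Log stamps carry no year, so the caller supplies it (assumption:
    the excerpt does not cross a year boundary)."""
    entries = []
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            entries.append((ts, m.group(2)))
    return entries

def parse_call_monitor(lines):
    entries = []
    for line in lines:
        m = MONITOR_RE.match(line.strip())
        if m:
            entries.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return entries

def unmatched_calls(system_log, call_monitor, year, tolerance_s=10):
    """Return (timestamp, text, gap_seconds) for Call Monitor entries with no
    System Log line within tolerance_s seconds; gap is None if the log is empty."""
    sys_times = [ts for ts, _ in parse_system_log(system_log, year)]
    findings = []
    for ts, text in sorted(parse_call_monitor(call_monitor)):
        gap = min((abs((ts - s).total_seconds()) for s in sys_times), default=None)
        if gap is None or gap > tolerance_s:
            findings.append((ts, text, gap))
    return findings

if __name__ == "__main__":
    for ts, text, gap in unmatched_calls(SYSTEM_LOG, CALL_MONITOR, 2016):
        print(f"{ts}  no System Log line within tolerance (nearest: {gap} s)  {text}")
```

On the quoted lines it reports only the 02:13:42 ext-group entry, whose nearest System Log line is 40 seconds away.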
rda
Grünschnabel


Registration Date: 20.03.2011
Posts: 21

RE: Missing/Inconsistent log

Thank you. I saw the other thread. I still wonder how it is possible that my log registered my extension 100 as source of the call, while the other guy, Tom, got a log with "sipvicious" as source of the call.

Apart from that, yes, I also think that was the problem.

Was the source still the IP mentioned in my log? It belongs to a hosting company in Germany. Have you notified them that some of their clients ran this sort of attack toward your server and people lost money because of it?

Yes, reconfiguring the firewall to block that IP is one option, but it won't last long. How about supporting TLS to connect to your server? VPN would not work, because I have clients on my cellphone and while those clients should use the VPN, the phone should still be able to access other services outside your VPN.

Thank you in advance for your reply.

02.10.2016 06:29 rdarioc
 