I would like to ask for help in identifying a possible weakness in an a2billing installation.
Recently I noticed someone managed to use one of my customers' accounts to make calls.
The most interesting part is that the person first introduced credit without any real payment and then started the calls.
Code:
[2012-02-12 02:15:39] VERBOSE[29091] pbx.c: -- Executing [25240910727@a2billing:1] NoOp("SIP/69950502032-00000161", "A2Billing Start") in new stack
[2012-02-12 02:15:39] VERBOSE[29091] pbx.c: -- Executing [25240910727@a2billing:2] Set("SIP/69950502032-00000161", "CDR(recvip)=86.127.8.13") in new stack
[2012-02-12 02:15:39] VERBOSE[29091] pbx.c: -- Executing [25240910727@a2billing:3] NoOp("SIP/69950502032-00000161", "IP 86.127.8.13, Zoiper Communicator Biz 2.05.11136 rev.11135") in new stack
[2012-02-12 02:15:39] VERBOSE[29091] pbx.c: -- Executing [25240910727@a2billing:4] NoOp("SIP/69950502032-00000161", "Codec g729, g729") in new stack
[2012-02-12 02:15:39] VERBOSE[29091] pbx.c: -- Executing [25240910727@a2billing:5] AGI("SIP/69950502032-00000161", "a2billing.php,1") in new stack
[2012-02-12 02:15:39] VERBOSE[29091] res_agi.c: -- Launched AGI Script /var/lib/asterisk/agi-bin/a2billing.php
[2012-02-12 02:15:40] VERBOSE[29091] res_agi.c: -- AGI Script Executing Application: (DIAL) Options: (SIP/xx.xx.xx.xx:6060/25240910727,60,HRriL(36000000:61000:30000))
[2012-02-12 02:15:40] VERBOSE[29091] netsock2.c: == Using SIP RTP CoS mark 5
[2012-02-12 02:15:40] VERBOSE[29091] app_dial.c: -- Called SIP/xx.xx.xx.xx:6060/25240910727
[2012-02-12 02:15:42] VERBOSE[29091] app_dial.c: -- SIP/xx.xx.xx.xx:6060-00000162 is ringing
[2012-02-12 02:15:42] VERBOSE[29091] app_dial.c: -- SIP/xx.xx.xx.xx:6060-00000162 answered SIP/69950502032-00000161
[2012-02-12 02:15:42] DEBUG[29091] channel.c: setting peeraccount to 69950502019 for SIP/69950502032-00000161 from data on channel SIP/xx.xx.xx.xx:6060-00000162
[2012-02-12 02:15:42] VERBOSE[29091] res_musiconhold.c: -- Started music on hold, class 'default', on SIP/xx.xx.xx.xx:6060-00000162
[2012-02-12 02:15:43] VERBOSE[2883] netsock2.c: == Using SIP RTP CoS mark 5
[2012-02-12 02:15:43] VERBOSE[29095] pbx.c: -- Executing [25240910727@a2billing:1] NoOp("SIP/69950502032-00000163", "A2Billing Start") in new stack
[2012-02-12 02:15:43] VERBOSE[29095] pbx.c: -- Executing [25240910727@a2billing:2] Set("SIP/69950502032-00000163", "CDR(recvip)=86.127.8.13") in new stack
[2012-02-12 02:15:43] VERBOSE[29095] pbx.c: -- Executing [25240910727@a2billing:3] NoOp("SIP/69950502032-00000163", "IP 86.127.8.13, Zoiper Communicator Biz 2.05.11136 rev.11135") in new stack
[2012-02-12 02:15:43] VERBOSE[29095] pbx.c: -- Executing [25240910727@a2billing:4] NoOp("SIP/69950502032-00000163", "Codec g729, g729") in new stack
[2012-02-12 02:15:43] VERBOSE[29095] pbx.c: -- Executing [25240910727@a2billing:5] AGI("SIP/69950502032-00000163", "a2billing.php,1") in new stack
[2012-02-12 02:15:43] VERBOSE[29095] res_agi.c: -- Launched AGI Script /var/lib/asterisk/agi-bin/a2billing.php
[2012-02-12 02:15:43] VERBOSE[29095] res_agi.c: -- AGI Script Executing Application: (DIAL) Options: (SIP/xx.xx.xx.xx:6060/25240910727,60,HRriL(36000000:61000:30000))
[2012-02-12 02:15:43] VERBOSE[29095] netsock2.c: == Using SIP RTP CoS mark 5
[2012-02-12 02:15:43] VERBOSE[29095] app_dial.c: -- Called SIP/xx.xx.xx.xx:6060/25240910727
[2012-02-12 02:15:45] VERBOSE[29095] app_dial.c: -- SIP/69950502032-00000163 requested special control 16, passing it to SIP/xx.xx.xx.xx:6060-00000164
[2012-02-12 02:15:45] VERBOSE[29095] res_musiconhold.c: -- Started music on hold, class 'default', on SIP/xx.xx.xx.xx:6060-00000164
[2012-02-12 02:15:45] VERBOSE[29095] app_dial.c: -- SIP/69950502032-00000163 requested special control 20, passing it to SIP/xx.xx.xx.xx:6060-00000164
[2012-02-12 02:15:45] VERBOSE[2883] netsock2.c: == Using SIP RTP CoS mark 5
[2012-02-12 02:15:45] VERBOSE[29099] pbx.c: -- Executing [25240910727@a2billing:1] NoOp("SIP/69950502032-00000165", "A2Billing Start") in new stack
[2012-02-12 02:15:45] VERBOSE[29099] pbx.c: -- Executing [25240910727@a2billing:2] Set("SIP/69950502032-00000165", "CDR(recvip)=86.127.8.13") in new stack
[2012-02-12 02:15:45] VERBOSE[29099] pbx.c: -- Executing [25240910727@a2billing:3] NoOp("SIP/69950502032-00000165", "IP 86.127.8.13, Zoiper Communicator Biz 2.05.11136 rev.11135") in new stack
[2012-02-12 02:15:45] VERBOSE[29099] pbx.c: -- Executing [25240910727@a2billing:4] NoOp("SIP/69950502032-00000165", "Codec g729, g729") in new stack
[2012-02-12 02:15:45] VERBOSE[29099] pbx.c: -- Executing [25240910727@a2billing:5] AGI("SIP/69950502032-00000165", "a2billing.php,1") in new stack
[2012-02-12 02:15:45] VERBOSE[29099] res_agi.c: -- Launched AGI Script /var/lib/asterisk/agi-bin/a2billing.php
[2012-02-12 02:15:45] VERBOSE[29095] app_dial.c: -- SIP/xx.xx.xx.xx:6060-00000164 is ringing
[2012-02-12 02:15:45] VERBOSE[29095] app_dial.c: -- SIP/xx.xx.xx.xx:6060-00000164 answered SIP/69950502032-00000163
[2012-02-12 02:15:45] DEBUG[29095] channel.c: setting peeraccount to 69950502019 for SIP/69950502032-00000163 from data on channel SIP/xx.xx.xx.xx:6060-00000164
[2012-02-12 02:15:45] VERBOSE[29099] res_agi.c: -- AGI Script Executing Application: (DIAL) Options: (SIPxx.xx.xx.xx:6060/25240910727,60,HRriL(36000000:61000:30000))
[2012-02-12 02:15:45] VERBOSE[29099] netsock2.c: == Using SIP RTP CoS mark 5
[2012-02-12 02:15:45] VERBOSE[29099] app_dial.c: -- Called SIP/xx.xx.xx.xx:6060/25240910727
[2012-02-12 02:15:47] VERBOSE[29099] app_dial.c: -- SIP/69950502032-00000165 requested special control 16, passing it to SIP/xx.xx.xx.xx:6060-00000166
[2012-02-12 02:15:47] VERBOSE[29099] res_musiconhold.c: -- Started music on hold, class 'default', on SIP/xx.xx.xx.xx:6060-00000166
[2012-02-12 02:15:47] VERBOSE[29099] app_dial.c: -- SIP/69950502032-00000165 requested special control 20, passing it to SIP/xx.xx.xx.xx:6060-00000166
Some of the calls didn't get registered, and I noticed a special code 20 in the logs.
Code:
[2012-02-12 02:15:47] VERBOSE[29099] app_dial.c: -- SIP/69950502032-00000165 requested special control 20, passing it to SIP/xx.xx.xx.xx:6060-00000166
My dial plan has HRirl.
I have no indication that this person has access to root, as the secure log does not show anyone logging in and ssh was in fact disabled.
How can someone do such a thing, insert credit into an account without actually paying for it?
How is it possible to place multiple calls if the dial command should not allow it?
I have fail2ban set to block a user after 3 wrong attempts.
And even more important, how can I prevent that from happening in the future?
Many thanks
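Added example, not part of the original post or of a2billing: a small detector that reads Asterisk verbose logs in the format quoted above and flags any SIP peer that starts several calls through the `a2billing` context within a short window. The threshold, window, function names and sample log (peer names, numbers, documentation IP addresses) are assumptions constructed for illustration; it counts call starts, since the excerpt shows no hangup lines.

```python
import re
from datetime import datetime, timedelta

# Dialplan trace lines: timestamp, context, application, channel, first argument.
LINE = re.compile(
    r'^\[(?P<ts>[\d-]+ [\d:]+)\] VERBOSE\[\d+\] pbx\.c:\s+-- Executing\s+'
    r'\[[^\]@]+@a2billing:\d+\] (?P<app>\w+)'
    r'\("SIP/(?P<peer>[^"]+)-(?P<chan>[0-9a-fA-F]{8})", "(?P<arg>[^"]*)"\)')

def call_starts(log_text):
    """Group call attempts by SIP peer: {peer: [(time, source_ip), ...]}."""
    starts, recvip, by_peer = [], {}, {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m and m["app"] == "NoOp" and m["arg"] == "A2Billing Start":
            starts.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["peer"], m["chan"]))
        elif m and m["app"] == "Set" and m["arg"].startswith("CDR(recvip)="):
            recvip[m["chan"]] = m["arg"].split("=", 1)[1]  # source IP for this channel
    for ts, peer, chan in starts:
        by_peer.setdefault(peer, []).append((ts, recvip.get(chan, "unknown")))
    return by_peer

def burst_alerts(log_text, max_calls=2, window=timedelta(seconds=10)):
    """Flag each peer that starts more than max_calls calls inside one window."""
    alerts = []
    for peer, calls in call_starts(log_text).items():
        calls.sort(key=lambda c: c[0])
        lo = 0
        for hi, (ts, _ip) in enumerate(calls):
            while ts - calls[lo][0] > window:
                lo += 1
            if hi - lo + 1 > max_calls:
                ips = sorted({c[1] for c in calls[lo:hi + 1]})
                alerts.append({"peer": peer, "calls": hi - lo + 1, "ips": ips})
                break  # one alert per peer is enough to start triage
    return alerts

# Constructed sample: peer names, numbers and addresses are made up.
SAMPLE_LOG = """\
[2012-02-12 02:15:39] VERBOSE[100] pbx.c: -- Executing [5550100@a2billing:1] NoOp("SIP/1001-00000001", "A2Billing Start") in new stack
[2012-02-12 02:15:39] VERBOSE[100] pbx.c: -- Executing [5550100@a2billing:2] Set("SIP/1001-00000001", "CDR(recvip)=192.0.2.10") in new stack
[2012-02-12 02:15:43] VERBOSE[101] pbx.c: -- Executing [5550100@a2billing:1] NoOp("SIP/1001-00000003", "A2Billing Start") in new stack
[2012-02-12 02:15:43] VERBOSE[101] pbx.c: -- Executing [5550100@a2billing:2] Set("SIP/1001-00000003", "CDR(recvip)=192.0.2.10") in new stack
[2012-02-12 02:15:45] VERBOSE[102] pbx.c: -- Executing [5550100@a2billing:1] NoOp("SIP/1001-00000005", "A2Billing Start") in new stack
[2012-02-12 02:15:45] VERBOSE[102] pbx.c: -- Executing [5550100@a2billing:2] Set("SIP/1001-00000005", "CDR(recvip)=192.0.2.10") in new stack
[2012-02-12 02:20:00] VERBOSE[103] pbx.c: -- Executing [5550199@a2billing:1] NoOp("SIP/1002-00000007", "A2Billing Start") in new stack
"""

if __name__ == "__main__":
    print(burst_alerts(SAMPLE_LOG))
```

Run against the real log file, the flagged peer and source IPs give a starting point for checking that account's credit and call records.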