FOOD FOR THOUGHT Suspicious activity on the CDR, probably hacked, what is "AppDial"

nateornat

Member
Asterisk 13.13.1 Incredible GUI 12.0.39

I got an alert from my carrier that they saw suspicious activity outbound on our trunk. So I looked in the logs and see the following. It says it originated from AppDial? How can I see where this originated, or delete AppDial so I can't be hacked?

2019-08-24 15:17:47 | 1566685055.660420 | "CID:4290199" <16055621201> | AppDial | ANSWERED | 107:24
 

billsimon

Experienced in Asterisk, FreePBX, and SIP
Click on the linked "1566685055.660420" to bring up the call event log. Also look at the log file /var/log/asterisk/full for more details on this call.

"AppDial" doesn't appear very often in the call detail records; usually it's shown as "Dial" but I think this is the same standard Dial() application from the dialplan. You can't delete it. I am guessing a little but I think this shows up on certain kinds of transfers. Might want to check to make sure someone can't transfer themselves out of your PBX when they call in and get an IVR or voicemail. The most obvious setting to check first would be this one in Advanced Settings:

[Attachment 2406: screenshot of the Advanced Settings option]
 

Twilight Sparkle

♕ Princess
Click on the linked "1566685055.660420" to bring up the call event log. Also look at the log file /var/log/asterisk/full for more details on this call.

"AppDial" doesn't appear very often in the call detail records; usually it's shown as "Dial" but I think this is the same standard Dial() application from the dialplan. You can't delete it. I am guessing a little but I think this shows up on certain kinds of transfers. Might want to check to make sure someone can't transfer themselves out of your PBX when they call in and get an IVR or voicemail. The most obvious setting to check first would be this one in Advanced Settings:

[Attachment 2406: screenshot of the Advanced Settings option]
This is good to know.... I had no idea....
 

nateornat

Member
Thank you for the info. I do not have that option for "Disallow Transfer".
If I go to the full records, this is what shows up. Do you guys see anything in here that sets off red flags as far as how this is happening?
For reference, the numbers being dialed are 16055621201 and 16055621202, and they are being transferred through ext-200.


Code:
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:1] Macro("SIP/200-0000283b", "user-callerid,LIMIT,EXTERNAL,") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:1] Set("SIP/200-0000283b", "TOUCH_MONITOR=1566684809.659130") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:2] Set("SIP/200-0000283b", "AMPUSER=200") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:3] GotoIf("SIP/200-0000283b", "0?report") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:4] ExecIf("SIP/200-0000283b", "1?Set(REALCALLERIDNUM=200)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:5] Set("SIP/200-0000283b", "AMPUSER=200") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:6] GotoIf("SIP/200-0000283b", "0?limit") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:7] Set("SIP/200-0000283b", "AMPUSERCIDNAME=Register 2") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:8] GotoIf("SIP/200-0000283b", "0?report") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:9] Set("SIP/200-0000283b", "AMPUSERCID=200") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:10] Set("SIP/200-0000283b", "__DIAL_OPTIONS=tr") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:11] Set("SIP/200-0000283b", "CALLERID(all)="Register 2" <200>") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:12] GotoIf("SIP/200-0000283b", "0?limit") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:13] ExecIf("SIP/200-0000283b", "1?Set(GROUP(concurrency_limit)=200)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:14] GosubIf("SIP/200-0000283b", "7?sub-ccss,s,1(from-internal,16055621201)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:1] ExecIf("SIP/200-0000283b", "0?Return()") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:2] Set("SIP/200-0000283b", "CCSS_SETUP=TRUE") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:3] GosubIf("SIP/200-0000283b", "0?monitor_config,1(from-internal,16055621201):monitor_default,1(from-internal,16055621201)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:1] GotoIf("SIP/200-0000283b", "0?is_exten") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:2] StackPop("SIP/200-0000283b", "") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:3] Return("SIP/200-0000283b", "FALSE") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:15] GotoIf("SIP/200-0000283b", "1?continue") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:10] NoOp("SIP/200-0000283b", "Recordings initialized") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:11] ExecIf("SIP/200-0000283b", "0?Set(ARG3=dontcare)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:12] Set("SIP/200-0000283b", "REC_POLICY_MODE_SAVE=") in new stack

[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx_builtins.c: Goto (sub-record-check,recordcheck,3)
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:3] Return("SIP/200-0000283b", "") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:8] Return("SIP/200-0000283b", "") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:3] Set("SIP/200-0000283b", "MOHCLASS=default") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:4] Set("SIP/200-0000283b", "_NODEST=") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:5] Macro("SIP/200-0000283b", "dialout-trunk,21,16055621201,,off") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx_builtins.c: Goto (macro-outbound-callerid,s,6)
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:6] Set("SIP/200-0000283b", "USEROUTCID=4804290199") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:7] Set("SIP/200-0000283b", "EMERGENCYCID=") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:8] Set("SIP/200-0000283b", "TRUNKOUTCID=") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:9] GotoIf("SIP/200-0000283b", "1?trunkcid") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx_builtins.c: Goto (macro-outbound-callerid,s,14)
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:14] ExecIf("SIP/200-0000283b", "0?Set(CALLERID(all)=)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:15] ExecIf("SIP/200-0000283b", "1?Set(CALLERID(all)=4804290199)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:16] ExecIf("SIP/200-0000283b", "0?Set(CALLERID(all)=)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:17] ExecIf("SIP/200-0000283b", "0?Set(CALLERPRES()=prohib_passed_screen)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:18] Set("SIP/200-0000283b", "CDR(outbound_cnum)=4804290199") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:19] Set("SIP/200-0000283b", "CDR(outbound_cnam)=") in new stack
[2019-08-24 15:13:29] WARNING[3400] func_cdr.c: CDR requires a value (CDR(variable)=value)
)[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:12] GosubIf("SIP/200-0000283b", "0?sub-flp-21,s,1()") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:13] Set("SIP/200-0000283b", "OUTNUM=16055621201") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:14] Set("SIP/200-0000283b", "custom=SIP/TELNYX") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:15] ExecIf("SIP/200-0000283b", "0?Set(DIAL_TRUNK_OPTIONS=M(setmusic^default))") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:16] ExecIf("SIP/200-0000283b", "0?Set(DIAL_TRUNK_OPTIONS=M(confirm))") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:17] Macro("SIP/200-0000283b", "dialout-trunk-predial-hook,") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:1] MacroExit("SIP/200-0000283b", "") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:18] GotoIf("SIP/200-0000283b", "0?bypass,1") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:19] ExecIf("SIP/200-0000283b", "1?Set(CONNECTEDLINE(num,i)=16055621201)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:20] ExecIf("SIP/200-0000283b", "1?Set(CONNECTEDLINE(name,i)=CID:4804290199)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:21] GotoIf("SIP/200-0000283b", "0?customtrunk") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:22] Dial("SIP/200-0000283b", "SIP/TELNYX/16055621201,300,") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] netsock2.c: Using SIP RTP TOS bits 184
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] netsock2.c: Using SIP RTP CoS mark 5
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] app_dial.c: Called SIP/TELNYX/16055621201
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] app_dial.c: SIP/TELNYX-0000283c is ringing
 

billsimon

Experienced in Asterisk, FreePBX, and SIP
What is in the logs directly before the first line you are showing here? What you're showing is where the outbound call is already initiated... what comes before that should tell you more about who or how.
 

tbrummell

Guru
Do you have an extension 200? If you do, have you checked its Follow Me or call forwarding? Also, if you do, have you physically gone to the phone and checked for call forwarding directly on the extension?
 

nateornat

Member
What is in the logs directly before the first line you are showing here? What you're showing is where the outbound call is already initiated... what comes before that should tell you more about who or how.
These are the lines leading up to the prior.
Thanks

Code:
[2019-08-24 15:13:12] NOTICE[3463] chan_sip.c: Registration from '<sip:[email protected]>' failed for '62.210.15.255:2879' - Wrong password
[2019-08-24 15:13:14] VERBOSE[29798][C-0006b7d7] bridge_channel.c: Channel SIP/200-00002839 left 'simple_bridge' basic-bridge <9cacaff9-ebfc-467e-a94e-a0ef1c2b99e7>
[2019-08-24 15:13:14] VERBOSE[29798][C-0006b7d7] app_macro.c: Spawn extension (macro-dialout-trunk, s, 22) exited non-zero on 'SIP/200-00002839' in macro 'dialout-trunk'
[2019-08-24 15:13:14] VERBOSE[29798][C-0006b7d7] pbx.c: Spawn extension (from-internal, 16055621299, 5) exited non-zero on 'SIP/200-00002839'
[2019-08-24 15:13:14] VERBOSE[29798][C-0006b7d7] pbx.c: Executing [[email protected]:1] Hangup("SIP/200-00002839", "") in new stack
[2019-08-24 15:13:14] VERBOSE[29798][C-0006b7d7] pbx.c: Spawn extension (from-internal, h, 1) exited non-zero on 'SIP/200-00002839'
[2019-08-24 15:13:14] VERBOSE[29800][C-0006b7d7] bridge_channel.c: Channel SIP/TELNYX-0000283a left 'simple_bridge' basic-bridge <9cacaff9-ebfc-467e-a94e-a0ef1c2b99e7>
[2019-08-24 15:13:15] WARNING[3463] chan_sip.c: Timeout on 1979003382-105834168-1709094816 on non-critical invite transaction.
[2019-08-24 15:13:29] VERBOSE[3463][C-0006b7dd] netsock2.c: Using SIP RTP TOS bits 184
[2019-08-24 15:13:29] VERBOSE[3463][C-0006b7dd] netsock2.c: Using SIP RTP CoS mark 5
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:1] Macro("SIP/200-0000283b", "user-callerid,LIMIT,EXTERNAL,") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:1] Set("SIP/200-0000283b", "TOUCH_MONITOR=1566684809.659130") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [[email protected]:2] Set("SIP/200-0000283b", "AMPUSER=200") in new stack
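Working back from an outbound call to "who or how", as billsimon suggests, means tracing the call id (the C-... tag) from the Dial() out the trunk back to the first dialplan step, where the originating channel and the dialed extension appear, and separately counting the "Registration ... failed ... Wrong password" notices that show password guessing against SIP accounts. The script below does both over constructed sample lines in the shape of /var/log/asterisk/full on a chan_sip system. It is an added example, not code from any poster or from Asterisk or FreePBX; the IP addresses, channel names and call ids in the sample are invented, and the rule that a dial string of the form TECH/peer/number is a trunk call (while TECH/peer is an internal call) is a heuristic assumed for the demo.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of /var/log/asterisk/full on a chan_sip
# system. Addresses, channel names and call ids are invented for this demo.
SAMPLE_LOG = """\
[2019-08-24 15:13:12] NOTICE[3463] chan_sip.c: Registration from '<sip:200@203.0.113.10>' failed for '198.51.100.77:2879' - Wrong password
[2019-08-24 15:13:13] NOTICE[3463] chan_sip.c: Registration from '<sip:201@203.0.113.10>' failed for '198.51.100.77:2880' - Wrong password
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [16055621201@from-internal:1] Macro("SIP/200-0000283b", "user-callerid,LIMIT,EXTERNAL,") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-dialout-trunk:22] Dial("SIP/200-0000283b", "SIP/TELNYX/16055621201,300,") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] app_dial.c: Called SIP/TELNYX/16055621201
[2019-08-24 15:14:02] VERBOSE[29820][C-0006b7de] pbx.c: Executing [16055621202@from-internal:1] Macro("SIP/200-0000283d", "user-callerid,LIMIT,EXTERNAL,") in new stack
[2019-08-24 15:14:02] VERBOSE[29820][C-0006b7de] pbx.c: Executing [s@macro-dialout-trunk:22] Dial("SIP/200-0000283d", "SIP/TELNYX/16055621202,300,") in new stack
[2019-08-24 15:20:10] VERBOSE[29830][C-0006b7e0] pbx.c: Executing [201@from-internal:1] Macro("SIP/202-00002840", "exten-vm,novm,201,0,0,0") in new stack
[2019-08-24 15:20:10] VERBOSE[29830][C-0006b7e0] pbx.c: Executing [s@macro-dial-one:42] Dial("SIP/202-00002840", "SIP/201,15,tr") in new stack
"""

# One full-log line: [timestamp] LEVEL[thread][C-callid] source.c: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<level>[A-Z]+)\[(?P<tid>\d+)\]"
    r"(?:\[(?P<callid>C-[0-9a-f]+)\])? (?P<src>\S+): (?P<msg>.*)$"
)
# A dialplan step: Executing [exten@context:priority] App("channel", "args") in new stack
EXEC_RE = re.compile(
    r'^Executing \[(?P<exten>[^@\]]+)@(?P<ctx>[^:\]]+):(?P<prio>\d+)\] '
    r'(?P<app>\w+)\("(?P<chan>[^"]+)", "(?P<args>.*)"\) in new stack$'
)
# chan_sip's notice for a failed REGISTER, with the source address it came from
REG_FAIL_RE = re.compile(
    r"^Registration from '(?P<account>[^']+)' failed for "
    r"'(?P<ip>[0-9.]+):(?P<port>\d+)' - (?P<reason>.+)$"
)


def parse(line):
    """Split one full-log line into its fields; None for lines we don't recognise."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def peer_of(channel):
    """'SIP/200-0000283b' -> 'SIP/200': the registered peer behind a channel name."""
    return channel.rsplit("-", 1)[0]


def failed_registrations(lines):
    """Count 'Registration ... failed' notices per source IP (password guessing)."""
    hits = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["src"] == "chan_sip.c":
            m = REG_FAIL_RE.match(rec["msg"])
            if m:
                hits[m.group("ip")] += 1
    return hits


def outbound_calls(lines):
    """Trace each call id from its first dialplan step to a Dial() out a trunk.

    Heuristic (an assumption of this demo): a dial string TECH/peer/number,
    three slash-separated parts, is a call through a trunk; TECH/peer is an
    internal peer-to-peer call and is ignored.
    """
    entry = {}   # call id -> (source channel, dialled extension, context)
    calls = []
    for line in lines:
        rec = parse(line)
        if not rec or not rec["callid"]:
            continue
        m = EXEC_RE.match(rec["msg"])
        if not m:
            continue
        cid = rec["callid"]
        if cid not in entry:
            # First dialplan step seen for this call: who started it and what they dialled
            entry[cid] = (m.group("chan"), m.group("exten"), m.group("ctx"))
        if m.group("app") == "Dial":
            target = m.group("args").split(",")[0]
            parts = target.split("/")
            if len(parts) == 3:
                chan, exten, ctx = entry[cid]
                calls.append({
                    "callid": cid,
                    "time": rec["ts"],
                    "source_peer": peer_of(chan),
                    "entry_exten": exten,
                    "entry_context": ctx,
                    "trunk": "/".join(parts[:2]),
                    "number": parts[2],
                })
    return calls


def calls_per_peer(calls):
    """How many trunk calls each registered peer originated."""
    return Counter(c["source_peer"] for c in calls)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for c in outbound_calls(lines):
        print(f'{c["time"]} {c["callid"]}: {c["source_peer"]} dialled {c["number"]} '
              f'via {c["trunk"]} (entered {c["entry_context"]})')
    print("trunk calls per peer:", dict(calls_per_peer(outbound_calls(lines))))
    print("failed registrations per source IP:", dict(failed_registrations(lines)))
```

On the sample both trunk calls come from peer SIP/200 entering from-internal directly, which is the same picture as the excerpt above: the calls look like an ordinary registered extension dialing out, not a transfer out of an IVR, so the questions that follow (the extension's SIP secret, the handset, the address it is registered from) are the right ones. Run against the real file, the failed-registration counter shows which addresses are guessing passwords and against which accounts.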
 

nateornat

Member
Do you have an extension 200? If you do, have you checked it's Follow Me, or call forwarding? Also if you do, have you physically gone to the phone and checked for call forwarding directly on the extension?

Yes, we do have an x200. I have checked the UCP and do not currently see call forwarding enabled. I have not been to the site to physically look at the phone.
I did notice the UCP password was pretty weak, so I changed that, but I would like to know where this breach happened for future reference.
Thanks, guys, for looking into this.
 

billsimon

Experienced in Asterisk, FreePBX, and SIP
SIP user 200 is placing the calls. Change the password and see whether the problem goes away. If it does, perhaps your phone was compromised, or the password was guessed. If the problem continues, someone's probably in your PBX.
 

krzykat

Guru
SIP user 200 is placing the calls. Change the password and see whether the problem goes away. If it does, perhaps your phone was compromised, or the password was guessed. If the problem continues, someone's probably in your PBX.

OR - they have the forward initiated on the handset itself, so the UCP won't show it. I've seen clients that get confused, and think they are forwarding a single call when instead they are doing a forward all on their phone. Really becomes fun when they're in a ring group and nobody can find out why inbound calls start going to someplace they shouldn't.
 

tbrummell

Guru
OR - they have the forward initiated on the handset itself, so the UCP won't show it. I've seen clients that get confused, and think they are forwarding a single call when instead they are doing a forward all on their phone. Really becomes fun when they're in a ring group and nobody can find out why inbound calls start going to someplace they shouldn't.
Hence my comment above.
 

tbrummell

Guru
Since your PBX is open to the world, have you confirmed the registered IP of the phone matches where the phone is actually located? It really does appear extension 200 is placing these calls.
 
