FOOD FOR THOUGHT Suspicious activity on the CDR, probably hacked, what is "AppDial"

nateornat

Member
Joined
May 15, 2009
Messages
100
Reaction score
9
Asterisk 13.13.1 Incredible GUI 12.0.39

I got an alert from my carrier that they saw suspicious activity outbound on our trunk. So I looked in the logs and see the following: it says it originated from AppDial? How can I see where this originated, or delete AppDial so I can't be hacked?

2019-08-24 15:17:47 | 1566685055.660420 | "CID:4290199" <16055621201> | AppDial | ANSWERED | 107:24
 

billsimon

Well-Known Member
Joined
Jan 2, 2011
Messages
1,534
Reaction score
727
Click on the linked "1566685055.660420" to bring up the call event log. Also look at the log file /var/log/asterisk/full for more details on this call.

"AppDial" doesn't appear very often in the call detail records; usually it's shown as "Dial" but I think this is the same standard Dial() application from the dialplan. You can't delete it. I am guessing a little but I think this shows up on certain kinds of transfers. Might want to check to make sure someone can't transfer themselves out of your PBX when they call in and get an IVR or voicemail. The most obvious setting to check first would be this one in Advanced Settings:

View attachment 2406
 

Twilight Sparkle

Joined
Jul 21, 2013
Messages
448
Reaction score
57
Click on the linked "1566685055.660420" to bring up the call event log. Also look at the log file /var/log/asterisk/full for more details on this call.

"AppDial" doesn't appear very often in the call detail records; usually it's shown as "Dial" but I think this is the same standard Dial() application from the dialplan. You can't delete it. I am guessing a little but I think this shows up on certain kinds of transfers. Might want to check to make sure someone can't transfer themselves out of your PBX when they call in and get an IVR or voicemail. The most obvious setting to check first would be this one in Advanced Settings:

View attachment 2406
This is good to know.... I had no idea....
 

nateornat

Member
Joined
May 15, 2009
Messages
100
Reaction score
9
Thank you for the info. I do not have that option for "Disallow Transfer".
If I go to the full records, this is what shows up. Do you guys see anything in here that sets off red flags as far as how this is happening?
For reference, the numbers being dialed are 16055621201 and 16055621202, and the calls are being placed through ext-200.


Code:
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [16055621201@from-internal:1] Macro("SIP/200-0000283b", "user-callerid,LIMIT,EXTERNAL,") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-user-callerid:1] Set("SIP/200-0000283b", "TOUCH_MONITOR=1566684809.659130") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-user-callerid:2] Set("SIP/200-0000283b", "AMPUSER=200") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-user-callerid:3] GotoIf("SIP/200-0000283b", "0?report") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-user-callerid:4] ExecIf("SIP/200-0000283b", "1?Set(REALCALLERIDNUM=200)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-user-callerid:5] Set("SIP/200-0000283b", "AMPUSER=200") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-user-callerid:6] GotoIf("SIP/200-0000283b", "0?limit") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-user-callerid:7] Set("SIP/200-0000283b", "AMPUSERCIDNAME=Register 2") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-user-callerid:8] GotoIf("SIP/200-0000283b", "0?report") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-user-callerid:9] Set("SIP/200-0000283b", "AMPUSERCID=200") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-user-callerid:10] Set("SIP/200-0000283b", "__DIAL_OPTIONS=tr") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-user-callerid:11] Set("SIP/200-0000283b", "CALLERID(all)="Register 2" <200>") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-user-callerid:12] GotoIf("SIP/200-0000283b", "0?limit") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-user-callerid:13] ExecIf("SIP/200-0000283b", "1?Set(GROUP(concurrency_limit)=200)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-user-callerid:14] GosubIf("SIP/200-0000283b", "7?sub-ccss,s,1(from-internal,16055621201)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@sub-ccss:1] ExecIf("SIP/200-0000283b", "0?Return()") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@sub-ccss:2] Set("SIP/200-0000283b", "CCSS_SETUP=TRUE") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@sub-ccss:3] GosubIf("SIP/200-0000283b", "0?monitor_config,1(from-internal,16055621201):monitor_default,1(from-internal,16055621201)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [monitor_default@sub-ccss:1] GotoIf("SIP/200-0000283b", "0?is_exten") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [monitor_default@sub-ccss:2] StackPop("SIP/200-0000283b", "") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [monitor_default@sub-ccss:3] Return("SIP/200-0000283b", "FALSE") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-user-callerid:15] GotoIf("SIP/200-0000283b", "1?continue") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@sub-record-check:10] NoOp("SIP/200-0000283b", "Recordings initialized") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@sub-record-check:11] ExecIf("SIP/200-0000283b", "0?Set(ARG3=dontcare)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@sub-record-check:12] Set("SIP/200-0000283b", "REC_POLICY_MODE_SAVE=") in new stack

[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx_builtins.c: Goto (sub-record-check,recordcheck,3)
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [recordcheck@sub-record-check:3] Return("SIP/200-0000283b", "") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [out@sub-record-check:8] Return("SIP/200-0000283b", "") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [16055621201@from-internal:3] Set("SIP/200-0000283b", "MOHCLASS=default") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [16055621201@from-internal:4] Set("SIP/200-0000283b", "_NODEST=") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [16055621201@from-internal:5] Macro("SIP/200-0000283b", "dialout-trunk,21,16055621201,,off") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx_builtins.c: Goto (macro-outbound-callerid,s,6)
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-outbound-callerid:6] Set("SIP/200-0000283b", "USEROUTCID=4804290199") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-outbound-callerid:7] Set("SIP/200-0000283b", "EMERGENCYCID=") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-outbound-callerid:8] Set("SIP/200-0000283b", "TRUNKOUTCID=") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-outbound-callerid:9] GotoIf("SIP/200-0000283b", "1?trunkcid") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx_builtins.c: Goto (macro-outbound-callerid,s,14)
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-outbound-callerid:14] ExecIf("SIP/200-0000283b", "0?Set(CALLERID(all)=)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-outbound-callerid:15] ExecIf("SIP/200-0000283b", "1?Set(CALLERID(all)=4804290199)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-outbound-callerid:16] ExecIf("SIP/200-0000283b", "0?Set(CALLERID(all)=)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-outbound-callerid:17] ExecIf("SIP/200-0000283b", "0?Set(CALLERPRES()=prohib_passed_screen)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-outbound-callerid:18] Set("SIP/200-0000283b", "CDR(outbound_cnum)=4804290199") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-outbound-callerid:19] Set("SIP/200-0000283b", "CDR(outbound_cnam)=") in new stack
[2019-08-24 15:13:29] WARNING[3400] func_cdr.c: CDR requires a value (CDR(variable)=value)
)[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-dialout-trunk:12] GosubIf("SIP/200-0000283b", "0?sub-flp-21,s,1()") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-dialout-trunk:13] Set("SIP/200-0000283b", "OUTNUM=16055621201") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-dialout-trunk:14] Set("SIP/200-0000283b", "custom=SIP/TELNYX") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-dialout-trunk:15] ExecIf("SIP/200-0000283b", "0?Set(DIAL_TRUNK_OPTIONS=M(setmusic^default))") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-dialout-trunk:16] ExecIf("SIP/200-0000283b", "0?Set(DIAL_TRUNK_OPTIONS=M(confirm))") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-dialout-trunk:17] Macro("SIP/200-0000283b", "dialout-trunk-predial-hook,") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-dialout-trunk-predial-hook:1] MacroExit("SIP/200-0000283b", "") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-dialout-trunk:18] GotoIf("SIP/200-0000283b", "0?bypass,1") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-dialout-trunk:19] ExecIf("SIP/200-0000283b", "1?Set(CONNECTEDLINE(num,i)=16055621201)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-dialout-trunk:20] ExecIf("SIP/200-0000283b", "1?Set(CONNECTEDLINE(name,i)=CID:4804290199)") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-dialout-trunk:21] GotoIf("SIP/200-0000283b", "0?customtrunk") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-dialout-trunk:22] Dial("SIP/200-0000283b", "SIP/TELNYX/16055621201,300,") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] netsock2.c: Using SIP RTP TOS bits 184
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] netsock2.c: Using SIP RTP CoS mark 5
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] app_dial.c: Called SIP/TELNYX/16055621201
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] app_dial.c: SIP/TELNYX-0000283c is ringing
 

billsimon

Well-Known Member
Joined
Jan 2, 2011
Messages
1,534
Reaction score
727
What is in the logs directly before the first line you are showing here? What you're showing is where the outbound call is already initiated... what comes before that should tell you more about who or how.
 

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
Do you have an extension 200? If you do, have you checked its Follow Me or call forwarding? Also, if you do, have you physically gone to the phone and checked for call forwarding directly on the extension?
 

nateornat

Member
Joined
May 15, 2009
Messages
100
Reaction score
9
What is in the logs directly before the first line you are showing here? What you're showing is where the outbound call is already initiated... what comes before that should tell you more about who or how.

These are the lines leading up to the prior ones.
Thanks

Code:
[2019-08-24 15:13:12] NOTICE[3463] chan_sip.c: Registration from '<sip:[email protected]>' failed for '62.210.15.255:2879' - Wrong password
[2019-08-24 15:13:14] VERBOSE[29798][C-0006b7d7] bridge_channel.c: Channel SIP/200-00002839 left 'simple_bridge' basic-bridge <9cacaff9-ebfc-467e-a94e-a0ef1c2b99e7>
[2019-08-24 15:13:14] VERBOSE[29798][C-0006b7d7] app_macro.c: Spawn extension (macro-dialout-trunk, s, 22) exited non-zero on 'SIP/200-00002839' in macro 'dialout-trunk'
[2019-08-24 15:13:14] VERBOSE[29798][C-0006b7d7] pbx.c: Spawn extension (from-internal, 16055621299, 5) exited non-zero on 'SIP/200-00002839'
[2019-08-24 15:13:14] VERBOSE[29798][C-0006b7d7] pbx.c: Executing [h@from-internal:1] Hangup("SIP/200-00002839", "") in new stack
[2019-08-24 15:13:14] VERBOSE[29798][C-0006b7d7] pbx.c: Spawn extension (from-internal, h, 1) exited non-zero on 'SIP/200-00002839'
[2019-08-24 15:13:14] VERBOSE[29800][C-0006b7d7] bridge_channel.c: Channel SIP/TELNYX-0000283a left 'simple_bridge' basic-bridge <9cacaff9-ebfc-467e-a94e-a0ef1c2b99e7>
[2019-08-24 15:13:15] WARNING[3463] chan_sip.c: Timeout on 1979003382-105834168-1709094816 on non-critical invite transaction.
[2019-08-24 15:13:29] VERBOSE[3463][C-0006b7dd] netsock2.c: Using SIP RTP TOS bits 184
[2019-08-24 15:13:29] VERBOSE[3463][C-0006b7dd] netsock2.c: Using SIP RTP CoS mark 5
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [16055621201@from-internal:1] Macro("SIP/200-0000283b", "user-callerid,LIMIT,EXTERNAL,") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-user-callerid:1] Set("SIP/200-0000283b", "TOUCH_MONITOR=1566684809.659130") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-user-callerid:2] Set("SIP/200-0000283b", "AMPUSER=200") in new stack
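To read /var/log/asterisk/full the way billsimon suggests, here is an added Python example (not from the thread, and not FreePBX code) that groups the pbx.c "Executing" lines by Asterisk call id, pulls out the originating SIP peer, the dialed extension and the trunk used, and counts failed registration attempts for that same peer in the minutes before the call. The sample log is constructed from the excerpt above; the IP addresses and the SIP URI in it are placeholders, not values from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the thread's /var/log/asterisk/full excerpt.
# The IPs and SIP URI are placeholders (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
[2019-08-24 15:13:12] NOTICE[3463] chan_sip.c: Registration from '<sip:200@203.0.113.5>' failed for '198.51.100.7:2879' - Wrong password
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [16055621201@from-internal:1] Macro("SIP/200-0000283b", "user-callerid,LIMIT,EXTERNAL,") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-dialout-trunk:13] Set("SIP/200-0000283b", "OUTNUM=16055621201") in new stack
[2019-08-24 15:13:29] VERBOSE[29814][C-0006b7dd] pbx.c: Executing [s@macro-dialout-trunk:22] Dial("SIP/200-0000283b", "SIP/TELNYX/16055621201,300,") in new stack
"""

TS = "%Y-%m-%d %H:%M:%S"
# pbx.c "Executing [exten@context:prio] App("channel", "args") in new stack"
EXEC_RE = re.compile(r'^\[(.{19})\] VERBOSE\[\d+\]\[(C-[0-9a-f]+)\] pbx\.c: Executing '
                     r'\[([^@\]]+)@([^:\]]+):\d+\] (\w+)\("([^"]+)", "(.*)"\)')
# chan_sip.c registration failure notice (source IP is what the carrier/admin cares about)
REG_RE = re.compile(r"^\[(.{19})\] NOTICE\[\d+\] chan_sip\.c: Registration from "
                    r"'<sip:([^@>]+)@[^>]*>' failed for '([\d.]+):\d+' - (.+)$")

def parse_full_log(text):
    """Group Executing lines by call id; collect registration failures separately."""
    calls, failures = {}, []
    for line in text.splitlines():
        if m := REG_RE.match(line):
            ts, user, ip, reason = m.groups()
            failures.append({"time": datetime.strptime(ts, TS), "user": user, "ip": ip, "reason": reason})
            continue
        if not (m := EXEC_RE.match(line)):
            continue
        ts, callid, exten, context, app, channel, args = m.groups()
        # First Executing line for a call id gives the originating channel and dialed exten
        c = calls.setdefault(callid, {"time": datetime.strptime(ts, TS), "channel": channel,
                                      "peer": channel.split("/")[1].rsplit("-", 1)[0],
                                      "exten": exten, "context": context, "dial": None})
        if app == "Dial":
            c["dial"] = args.split(",")[0]  # e.g. SIP/TELNYX/16055621201
    return calls, failures

def outbound_trunk_calls(text, window=timedelta(minutes=5)):
    """One record per call that left via a trunk from an internal peer, plus the number
    of failed registrations for that peer within `window` before the call started."""
    calls, failures = parse_full_log(text)
    out = []
    for callid, c in calls.items():
        if c["dial"] is None or c["context"] != "from-internal":
            continue
        recent = [f for f in failures
                  if f["user"] == c["peer"] and c["time"] - window <= f["time"] <= c["time"]]
        out.append({"callid": callid, "peer": c["peer"], "exten": c["exten"],
                    "trunk": c["dial"].split("/")[1], "auth_failures_before": len(recent)})
    return out

if __name__ == "__main__":
    for rec in outbound_trunk_calls(SAMPLE_LOG):
        print(rec)
```

Run it against the real file (`python3 script.py < /dev/null` after replacing SAMPLE_LOG with `open("/var/log/asterisk/full").read()`) to list every trunk call by originating peer; a peer with many failed registrations shortly before its calls is the one whose secret to rotate first.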
 

nateornat

Member
Joined
May 15, 2009
Messages
100
Reaction score
9
Do you have an extension 200? If you do, have you checked its Follow Me or call forwarding? Also, if you do, have you physically gone to the phone and checked for call forwarding directly on the extension?


Yes, we do have an x200. I have checked the UCP and do not currently see call forwarding enabled. I have not been to the site to physically look at the phone.
I did notice the UCP password was pretty weak, so I changed that, but I would like to know where this breach happened for future reference.
Thanks guys for looking into this.
 

billsimon

Well-Known Member
Joined
Jan 2, 2011
Messages
1,534
Reaction score
727
SIP user 200 is placing the calls. Change the password and see whether the problem goes away. If it does, perhaps your phone was compromised, or the password was guessed. If the problem continues, someone's probably in your PBX.
 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
SIP user 200 is placing the calls. Change the password and see whether the problem goes away. If it does, perhaps your phone was compromised, or the password was guessed. If the problem continues, someone's probably in your PBX.


OR - they have the forward initiated on the handset itself, so the UCP won't show it. I've seen clients that get confused, and think they are forwarding a single call when instead they are doing a forward all on their phone. Really becomes fun when they're in a ring group and nobody can find out why inbound calls start going to someplace they shouldn't.
 

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
OR - they have the forward initiated on the handset itself, so the UCP won't show it. I've seen clients that get confused, and think they are forwarding a single call when instead they are doing a forward all on their phone. Really becomes fun when they're in a ring group and nobody can find out why inbound calls start going to someplace they shouldn't.
Hence my comment above.
 

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
Since your PBX is open to the world, have you confirmed the registered IP of the phone matches where the phone is actually located? It really does appear extension 200 is placing these calls.
 
