Continuous Dialing of phone numbers

Started by rndinokc, January 02, 2010, 04:51:06 PM

rndinokc

Last night I got an email from Broadvoice and was advised that I had violated their terms of service agreement. It seems that my LMCE system had been making numerous phone calls out in a somewhat random sequence. The system made 100s of calls without my knowledge, spaced 20-30 seconds apart. Broadvoice stopped the outgoing calls, but the Core continued to dial throughout the night since I was not present to stop it. Has anyone heard of such a thing? Has my system been hacked? I rebooted the system and it immediately began making calls again. Any ideas would be greatly appreciated, as I do not want to have to reload, and if there was a hack, how do I prevent it in the future?
Thanks,
Randy

dlewis

Hmm... This sounds very weird. What was the duration of the calls? Could you provide a log?

rndinokc

At the present time I have shut down the system. Can you please assist me with obtaining the log? I would be happy to try and find out what happened.
Thanks,
Randy

dlewis

There are two places the call logs are stored. One is the logs as they are exported in /var/log/asterisk/cdr-*; the second is in the MySQL databases. There is a call log table that contains the entries you see displayed via the GUI. You'll find it in the database asteriskcdrdb, called cdr.
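
The pattern reported in this thread (hundreds of outbound calls 20-30 seconds apart) can be looked for in those exported CDR files. The following is an added example, not code from the thread or from LinuxMCE; it assumes the exports use Asterisk's standard cdr_csv column order, and the sample records, function name and thresholds are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Column positions in Asterisk's cdr_csv layout (assumed for the exported logs).
DST, CHANNEL, START = 2, 5, 9


def _row(ext, dst, start):
    # Build one constructed CDR line; only dst, channel and start matter here.
    return (f'"","{ext}","{dst}","from-internal","{ext}","SIP/{ext}-0001",'
            f'"SIP/trunk-0002","Dial","","{start}","","{start}",0,0,'
            '"NO ANSWER","DOCUMENTATION"')


# Constructed sample: extension 201 dials six numbers 25 s apart, 202 is normal.
SAMPLE_CDR = "\n".join(
    [_row("201", f"1555010{i}", f"2010-01-01 22:0{i * 25 // 60}:{i * 25 % 60:02d}")
     for i in range(6)]
    + [_row("202", "15550199", "2010-01-01 09:15:00"),
       _row("202", "15550199", "2010-01-01 18:40:00")])


def find_dial_bursts(cdr_text, max_gap=45, min_calls=5):
    """Return (peer, first_start, last_start, calls, distinct_dsts) for each run
    of calls on one peer where every call starts within max_gap seconds of the
    previous one. Thresholds are illustrative assumptions."""
    by_peer = {}
    for row in csv.reader(io.StringIO(cdr_text)):
        if len(row) <= START or not row[START]:
            continue
        # Group by channel peer ("SIP/201"), not caller ID, which a caller can set.
        peer = row[CHANNEL].rsplit("-", 1)[0]
        start = datetime.strptime(row[START], "%Y-%m-%d %H:%M:%S")
        by_peer.setdefault(peer, []).append((start, row[DST]))
    bursts = []
    for peer, calls in by_peer.items():
        calls.sort()
        run = [calls[0]]
        for call in calls[1:] + [None]:  # None flushes the final run
            if call and (call[0] - run[-1][0]).total_seconds() <= max_gap:
                run.append(call)
                continue
            if len(run) >= min_calls:
                bursts.append((peer, run[0][0], run[-1][0], len(run),
                               len({dst for _, dst in run})))
            run = [call]
    return bursts


if __name__ == "__main__":
    for burst in find_dial_bursts(SAMPLE_CDR):
        print(burst)
```

A burst attributed to a SIP peer points at the extension whose secret should be changed first.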

Marie.O

Please update your system using apt-get update, and do a sqlCVS update as well. Following that, fill in new passwords for your phones (the field secret). After that is done, reboot your system and verify that your /etc/asterisk/sip_additional.conf file contains the new passwords. The Orbiter phones will pick up the password; other SIP and IAX based phones need to have the secret updated manually.
If I helped you, feel free to buy me a coffee: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=2VKASZLTJH7ES

rndinokc

I am searching for the logs. I spoke with the Broadvoice people and they informed me that I was probably hacked. I know sometimes it is a catch-all answer, but I think that was probably what happened. Is there a way to see if anyone tampered with the system? Logs should be coming soon.
Thanks,
Randy

dlewis

The logs would tell something... Do what posde said as well.

rndinokc

This is probably a stupid question but where is the field "secret" found?
Thanks,
Randy

dlewis

Check /etc/asterisk/sip_additional.conf

rndinokc

I changed the password for the orbiter phone in MCE admin but it did not change in the sip_additional.conf file. Am I not changing the password in the correct place? I really do appreciate everyone taking the time to answer my questions.
Thanks,
Randy

rndinokc

Thanks for the help. I found the secret setting on FreePBX and confirmed it in sip_additional.conf. The only question I have now is that I have a 7940 Cisco and in FreePBX there is no secret field. How do I ensure this is protected?
Thanks,
Randy

Marie.O

Quote from: rndinokc on January 04, 2010, 03:41:19 AM
Thanks for the help. I found the secret setting on FreePBX and confirmed it in sip_additional.conf. The only question I have now is that I have a 7940 Cisco and in FreePBX there is no secret field. How do I ensure this is protected?
Thanks,
Randy

What device template is used for the 7940?

rndinokc

I am using the 7970 template. It seems to work just fine.
Thanks,
Randy

Marie.O

Quote from: rndinokc on January 05, 2010, 06:01:16 PM
I am using the 7970 template. It seems to work just fine.

The extension for the 7970 is no problem, as it uses SCCP and not SIP. No secret needed.

rndinokc

Thank you for your help with this. I think I have a much more secure system now. I was getting calls back from the hundred or so people my system called, and evidently whoever hijacked the system was not very nice. But I appreciate all the hard work the developers have done. Happy New Year.
Thanks,
Randy