
ALERT please report hacks

Discussion in 'Open Discussion' started by anonymous, Sep 16, 2008.

  1. anonymous New Member

    I am currently working on a personal project to find and assist sites that have had their asterisk servers hacked into.

    If your asterisk server has been hacked, please send me a personal message with a way to contact you and whether you'd like to remain anonymous.

    Thank you,
    anonymous
  2. MisterQ New Member

    Is it just me, or do others get nervous about someone who won't tell you who they are, offering to "fix your security"?
  3. wardmundy Nerd Uno

    In this case, there's a good reason for the anonymity. But I can't tell you what it is, or we'd have to... :cool:
  4. Be that as it may....

    I notice no one is talking to the shadow.

    MisterQ, I brought that up before too. Shortly thereafter was a knock at the door and a rather large fellow told me we were going for a ride... He said hello to my little friend...

    I prefer a little more open dialogue.
  5. wardmundy Nerd Uno

    This individual has provided us a number of gratis security fixes and tips. His employer has a strict non-disclosure policy. We like getting the fixes. If you want to see what's happened without the fixes, visit the Lime Green forum. :rolleyes5:
  6. MisterQ New Member

    Thanks, ward. Therein lies an area that myself and a few others more in the "Security space" have been theorizing about.

    With the ability to "create" identities, in seconds, there is a need to validate anonymity, with identity endorsement.

    Similar to what you have done: a nom de plume, but with a non-revealing endorsement from a trusted associate.

    Separation of the person's information from their identity is a good start, but then most people can't comprehend that, or compartmentalized security systems, or the like.

    Peter
  7. anonymous New Member

    Peter,

    thanks for understanding.

    What Ward said is somewhat true although taken along an amusing tangent. The other reason for this has to do with safety. At least one hack I've helped with has implications of it being related to organized crime.
  8. I guess the question I have is are you getting reports going this route?

    As a former investigator of organized crime, I'd get real quiet around anything to do with that connection too.

    I am well clear now and personally hand those things up immediately and stay clear.

    I could tell you just how ugly that can get... But...
  9. tel0p Guru

    wow this thread is all spooky. happy Halloween. :piggy:

    As for 'anon' making security contributions, I'm curious about your protocol on this..
    do you keep the info and repair the prob then release a patch (via update-fixes?)

    It'd be interesting to learn more about what's being done proactively as opposed to waiting for someone to post a nightmare (on voip street).

    Is there a hidden forum topic we're missing or are these just one-off quick-fixes in private?
  10. wardmundy Nerd Uno

    We receive security tips from a number of sources, both named and unnamed. Security fixes affecting unpublicized flaws are merely incorporated into update-fixes. They usually are not highlighted for obvious reasons.

    If we're jumping up and down recommending that folks run update-fixes, there's usually a very good reason why. Also be sure to review the Stickies at the top of the Bug Reporting and Fixes Forum. :coolgleamA:
  11. anonymous New Member

    Yes, and unfortunately I didn't set up email notifications correctly so I missed a couple that I could have helped with.

    I got busy with various life things and hadn't checked in lately because I'd seen no emails or responses here...

    Argh! :banghead:

    I will try to be better in the future and to those that I missed out on, my apologies. If you still need help I'm more than happy to give it.
  12. g711 Guru

    Okay, I just got hacked. I was a little slow on the 701/701 extension deal. The hack came out of a data center in Quebec. They made about 30 calls from a dialer before I could pull the plug. The dialer was asking the people to activate their account by entering in their credit card number. Live and learn. If you have this going on and you have not heeded Ward's warnings on this, well get it done now!! Otherwise you could have the FBI knocking on your door for credit card fraud.
  13. wardmundy Nerd Uno

    In addition to adding secure passwords for your extensions, make sure you install the new version of Fail2Ban. It obviously won't help a bit if your extension passwords still match your extensions. :cool:
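    The check Ward describes in the post above (extension passwords that still match the extension number) can be scripted. The following is an added example, not code from the thread or from PBX in a Flash: it assumes a sip.conf-style file with one [extension] section per phone and a secret= line in each (on FreePBX-based systems these typically live in /etc/asterisk/sip_additional.conf), and it flags secrets that are missing, equal to the extension, all digits, short, or on a small constructed list of common passwords. The sample configuration and the COMMON_SECRETS list are constructed for the example.

```python
import configparser

# Constructed sip.conf-style fragment, not taken from the thread: two
# extensions whose secret is the extension number (the weakness the post
# above warns about), one with no secret at all, and one with a strong secret.
SAMPLE_SIP_CONF = """
[general]
context=from-sip-external
allowguest=no

[1000]
type=friend
secret=1000
host=dynamic
context=from-internal

[701]
type=friend
secret=701
host=dynamic

[703]
type=friend
host=dynamic

[702]
type=friend
secret=Xq7!vL2#mN9pR4sT
host=dynamic
"""

# Small constructed list of secrets that no extension should use.
COMMON_SECRETS = {"password", "asterisk", "1234", "12345", "123456", "secret"}


def audit_secrets(conf_text, min_length=8):
    """Return {extension: [reasons]} for every peer section whose secret is
    missing, equals the extension, is all digits, is short, or is common."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = {}
    for ext in parser.sections():
        if ext == "general":
            continue
        secret = parser.get(ext, "secret", fallback=None)
        reasons = []
        if secret is None:
            reasons.append("no secret set")
        else:
            if secret == ext:
                reasons.append("secret equals extension")
            if secret.isdigit():
                reasons.append("all-digit secret")
            if len(secret) < min_length:
                reasons.append(f"shorter than {min_length} characters")
            if secret.lower() in COMMON_SECRETS:
                reasons.append("common password")
        if reasons:
            findings[ext] = reasons
    return findings


def audit_file(path, min_length=8):
    """Audit a real config file (assumed path, e.g. /etc/asterisk/sip_additional.conf)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_secrets(fh.read(), min_length)


if __name__ == "__main__":
    for ext, reasons in sorted(audit_secrets(SAMPLE_SIP_CONF).items()):
        print(f"extension {ext}: {'; '.join(reasons)}")
```

    Run it against the sample and extensions 1000, 701 and 703 are reported while 702 passes; point audit_file() at the live config to audit a real box. Any extension it lists should get a new random secret and the phone re-provisioned, since Fail2Ban (next post) only slows guessing and does nothing against a secret that is already known.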
  14. g711 Guru

    Done and Done ....thanks
  15. mkhurrum New Member

    I had the same thing happen - what are the steps or fixes I need to avoid this - please let me know.

    Thanks,
    M
  16. wardmundy Nerd Uno

    Please read comment #13 above. Use very secure extension passwords as if your phone bill depended upon it... It does. :eekb:
  17. wardmundy Nerd Uno

    Yet another green vulnerability from who knows where. Just to be on the safe side, you might want to check whether any strange files are living in your /var/tmp and /tmp directories and then do a search for a file named stealth:
    Code:
    find / -name stealth
    
  18. anonymous New Member

    email address updated

    I have just updated my email address so that PM's and replies to this thread can be forwarded to my mobile phone.

    This should correct my slow response in getting back to people.
  19. I got some "unauthorized usage" this morning. It was a password attack. Even though the password was nothing like the extension, the password was related to the function of the room the phone is in. From a telephony point of view, there wasn't anything that would tip you off to the password...in hindsight, though, it turns out the password was pretty common for a password crack program :(

    I did disable the outgoing trunks so I could do some IP traces. Here's the IP address I saw in the SIP headers:
    Code:
    dig -x 85.17.141.101
    
    ; <<>> DiG 9.4.2-P1 <<>> -x 85.17.141.101
    ;; global options:  printcmd             
    ;; Got answer:                           
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9042
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;101.141.17.85.in-addr.arpa.    IN      PTR
    
    ;; ANSWER SECTION:
    101.141.17.85.in-addr.arpa. 86400 IN    PTR     linux3.tescilet.net.
    Once I changed the password on the extension being used, it looks like no more unauthorized outgoing calls are being made...at least there are no more outgoing call messages on the asterisk console.

    I just installed fail2ban, and I would expect to see some logs showing about the password now failing. Perhaps I didn't configure it correctly? I do have the /var/log/fail2ban.log that shows this at startup:
    Code:
     tail -F fail2ban.log
    2009-03-13 11:52:16,547 fail2ban.jail   : INFO   Jail 'asterisk-iptables' started
    2009-03-13 11:52:16,550 fail2ban.jail   : INFO   Jail 'apache-tcpwrapper' started
    2009-03-13 11:52:16,554 fail2ban.jail   : INFO   Jail 'apache-badbots' started
    2009-03-13 11:52:16,558 fail2ban.jail   : INFO   Jail 'vsftpd-iptables' started
    2009-03-13 11:52:17,721 fail2ban.actions.action: ERROR  iptables -N fail2ban-SSH
    iptables -A fail2ban-SSH -j RETURN
    iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 100
    2009-03-13 11:52:17,741 fail2ban.actions.action: ERROR  iptables -N fail2ban-VSFTPD
    iptables -A fail2ban-VSFTPD -j RETURN
    iptables -I INPUT -p tcp --dport ftp -j fail2ban-VSFTPD returned 100
    
  20. Ok, the hack attempts are still coming in even after I set up the fail2ban software. I think the attacker is trying to make phone calls without having his client registered because none of these attempts are being picked up by fail2ban. Here's a sample of the SIP messages:
    Code:
    <--- SIP read from 85.17.141.101:5060 ---> 
    INVITE sip:13302600911@79.97.46.100 SIP/2.0
    Via: SIP/2.0/UDP 85.17.141.101:5060;branch=z9hG4bK4acd1ddd;rport
    From: "asterisk" <sip:1000@79.97.46.100>;tag=as6a6dcef8
    To: <sip:13302600911@79.97.46.100>
    Contact: <sip:1000@85.17.141.101>
    Call-ID: 0c1a9b432ef76e8e56f765842f0ce6f2@79.97.46.100     
    CSeq: 102 INVITE
    User-Agent: Asterisk PBX
    Max-Forwards: 70
    Date: Fri, 13 Mar 2009 17:45:40 GMT
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
    Supported: replaces
    Content-Type: application/sdp
    Content-Length: 289
    
    v=0
    o=root 18753 18753 IN IP4 85.17.141.101
    s=session
    c=IN IP4 85.17.141.101
    t=0 0
    [snip audio details]
    <------------->
    --- (14 headers 14 lines) ---
    Sending to 85.17.141.101 : 5060 (NAT)
    Using INVITE request as basis request - 0c1a9b432ef76e8e56f765842f0ce6f2@79.97.46.100
    Found user '1000', but fails host access
    Found no matching peer or user for '85.17.141.101:5060'
    [snip]
    Looking for 13302600911 in from-sip-external (domain 79.97.46.100)
    list_route: hop: <sip:1000@85.17.141.101>
    In this listing:
    1000 is the not-actual extension being hacked.
    79.97.46.100 is my not-actual external IP address
    85.17.141.101 is the ACTUAL hacker's IP address (or proxy)

    I started seeing the failure messages on the console when I set the verbosity up high AND changed the permit IP/mask to my internal network as recommended in the security tips. I'm still seeing the messages, although the unknown peer number changes every time. Right now they are in the 740 area code.

    This is one of the things I thought fail2ban would catch, but it seems to only catch registration failures, not failures like the one above.
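    The gap described in posts #19 and #20 (fail2ban matching only registration failures while unregistered INVITEs from the same address keep arriving) comes down to which log lines the filter has a pattern for. The following is an added example, not code from the thread or from the fail2ban project: it defines one pattern for the "Found no matching peer or user" console line quoted above and one for the classic "Registration from ... failed for ... - Wrong password" line, counts failures per source address over a constructed console excerpt (reusing the placeholder addresses the poster used), skips trusted LAN ranges, and renders the same patterns in fail2ban's failregex syntax, where the <HOST> token marks the address to ban. It assumes the console messages are also written to a log file that fail2ban can scan.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed console excerpt modelled on the lines quoted in post #20.
# The addresses are the poster's placeholders, reused here as sample data.
SAMPLE_CONSOLE = """\
Found user '1000', but fails host access
Found no matching peer or user for '85.17.141.101:5060'
Looking for 13302600911 in from-sip-external (domain 79.97.46.100)
Found no matching peer or user for '85.17.141.101:5060'
Found no matching peer or user for '85.17.141.101:5060'
Found no matching peer or user for '85.17.141.101:5060'
Found no matching peer or user for '85.17.141.101:5060'
Found no matching peer or user for '192.168.1.50:5060'
Registration from '"1000" <sip:1000@79.97.46.100>' failed for '85.17.141.101' - Wrong password
"""

# One capture group for the source address, written once so the same
# templates can be rendered both as Python regexes and as fail2ban
# failregex lines (where <HOST> stands for the address to ban).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
TEMPLATES = {
    # INVITE from an address the peer's permit/deny does not allow (post #20)
    "invite_no_peer": r"Found no matching peer or user for '{host}:\d+'",
    # registration failure, the case the filter already caught
    "registration_wrong_password": r"Registration from '.*' failed for '{host}' - Wrong password",
}
PATTERNS = {name: re.compile(tpl.format(host=HOST)) for name, tpl in TEMPLATES.items()}


def failregex_lines():
    """Render the templates in fail2ban failregex syntax."""
    return [tpl.format(host="<HOST>") for tpl in TEMPLATES.values()]


def count_failures(lines):
    """Map source address -> Counter of failure kinds seen in the lines."""
    per_host = defaultdict(Counter)
    for line in lines:
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                per_host[match.group("host")][name] += 1
                break
    return per_host


def offenders(lines, threshold=5,
              trusted=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Addresses with at least `threshold` failures, ignoring trusted LAN ranges
    (the internal network the poster put in permit=)."""
    trusted_nets = [ipaddress.ip_network(net) for net in trusted]
    result = []
    for host, kinds in count_failures(lines).items():
        addr = ipaddress.ip_address(host)
        if any(addr in net for net in trusted_nets):
            continue
        if sum(kinds.values()) >= threshold:
            result.append(host)
    return sorted(result)


if __name__ == "__main__":
    for host, kinds in count_failures(SAMPLE_CONSOLE.splitlines()).items():
        print(host, dict(kinds))
    print("would ban:", offenders(SAMPLE_CONSOLE.splitlines()))
    print("failregex:")
    for line in failregex_lines():
        print("   ", line)
```

    On the sample, 85.17.141.101 accumulates five INVITE rejections plus one registration failure and crosses the threshold, while the 192.168.1.50 entry is ignored as internal. Whatever the current fail2ban filter ships with, the same idea applies: every rejection message Asterisk writes for an unauthenticated request needs its own failregex line, or those attempts never count toward a ban.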
