ALERT please report hacks

thefuzz4

Member
Joined
Apr 30, 2011
Messages
71
Reaction score
4
My sincere apologies on that, I will start a new thread thank you very much blanchae
 

dallas

Active Member
Joined
Oct 21, 2007
Messages
844
Reaction score
247
Well, I'm not sure if this is a hacking attempt or just a DoS attack. For the last 6 days I have had 10,000 SIP REGISTER requests per minute from an IP address in China (221.194.57.246). It's always the same register message 'aaron@...'
Right now I have set a port forwarding rule in my internet gateway firewall to send the requests back to that address. This jerk is using 6GB of my download quota per day. I think the only solution for me is to get my IP address changed and update DNS.
 

jmullinix

Guru
Joined
Oct 21, 2007
Messages
1,263
Reaction score
7
Why don't you just drop the packets? That way he will think the machine has shut down. When you send his packets back, it confirms your presence, and while there is certainly some satisfaction in doing it, you are probably better off dropping the packets.
 

dallas

Active Member
Joined
Oct 21, 2007
Messages
844
Reaction score
247
I was dropping the packets for 2 days and they didn't stop. My ADSL link was constantly running at 500k. I don't pay for uplink data, so I sent them back. After 24 hours of that I got myself a new IP address. One other issue: fail2ban never banned the IP address because of the large number of attempts. I'm guessing there wasn't any processor time left for it to read the log files.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Well, I'm not sure if this is a hacking attempt or just a DoS attack. For the last 6 days I have had 10,000 SIP REGISTER requests per minute from an IP address in China (221.194.57.246). It's always the same register message 'aaron@...'
Right now I have set a port forwarding rule in my internet gateway firewall to send the requests back to that address. This jerk is using 6GB of my download quota per day. I think the only solution for me is to get my IP address changed and update DNS.

Most ISPs would appreciate a heads up about something like this. They can block it at the gateways and pass the information upstream.
 

imfbsbn

New Member
Joined
Mar 3, 2011
Messages
1
Reaction score
0
I have a PBXinaFlash which was hacked yesterday. I got a call from LES.NET that they most likely had root access. No idea how. I need to clear and put this machine back into service asap. PM me if you want more info.
 

chemcat9

Guru
Joined
Apr 19, 2010
Messages
111
Reaction score
4
Not sure what the deal is, when I click on the link Firefox is tossing the error:

Method Not Implemented

GET to / not supported.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

If I google the url I am able to view the cached copy.
 

rossiv

Guru
Joined
Oct 26, 2008
Messages
2,624
Reaction score
139
Not sure what the deal is, when I click on the link Firefox is tossing the error:

Method Not Implemented

GET to / not supported.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

If I google the url I am able to view the cached copy.

Works for me.
 

jehowe

Guru
Joined
Nov 14, 2007
Messages
288
Reaction score
4
Zero-day HTTP exploits.....

Keep port 80 closed! The FreePBX forum is reporting some serious HTTP exploits that affect current CentOS installs (5.5, 5.6, 6.0) and that have bitten a few dozen FreePBX/Schmooze clients this week.

It doesn't seem like everything has been sorted out yet, and there is no explanation as to exactly what these exploits are targeting in Apache, but they are pushing out an update to the FreePBX distro to plug the holes......

freepbx.org/news/2011-08-11/security-advisory-web-services-aug-11-2011
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Please review Today's Security Announcement and advise us if your system is hacked. This is a precautionary measure. No successful hacks of PIAF systems have been reported to the PIAF Dev Team by PIAF users nor have any reports of PIAF compromised systems been documented on any forum of which we are aware. Thanks.
 

iconicflux

Guru
Joined
Apr 18, 2010
Messages
6
Reaction score
0
please forward those that get hacked on to me..

If you've been hacked and need some help, ask Ward or John Mullinix to give you my contact information.

Unfortunately, I sometimes don't check this site as often as I'd like because I have both a son under a year old and a wife that's sick.

Thanks,
 

The Deacon

Guru
Joined
Jan 29, 2008
Messages
296
Reaction score
14
Don't know if this is an issue or not, but wanted to bring this to everyone's attention...

Just built a new PIAF2 box on Proxmox (needed to add Incredible Fax to the mix, so I needed a beefier box). I also need to transfer all my CDR information (pending litigation will probably require me to have a list of all the calls I have received from the soon-to-be defendant).

After I imported my CDR logs, I decided to run a few reports to make sure that I still had my data intact. What I saw was about 950+ entries that had a clid of "unknown" <unknown> and a dcontext of 'from-sip-external'; most of them had a lastapp of "congestion", but ALL had a duration of between 7 and 13 seconds and a disposition of "ANSWERED". They are also from various IP addresses (although this query shows a single IP address).

You can run this against your own box and see if you've been "visited" as well:

Code:
root@pbx:~ $mysql -p
mysql> select * from cdr where dcontext='from-sip-external';
Here is a snippet of the query:
Code:
mysql> select * from cdr where calldate > "2012-01-25" and dcontext='from-sip-external' limit 10;
+---------------------+---------------------+---------+-----+-------------------+----------------------------+------------+------------+----------+----------+---------+-------------+----------+-------------+----------+-----------+
| calldate            | clid                | src     | dst | dcontext          | channel                    | dstchannel | lastapp    | lastdata | duration | billsec | disposition | amaflags | accountcode | uniqueid | userfield |
+---------------------+---------------------+---------+-----+-------------------+----------------------------+------------+------------+----------+----------+---------+-------------+----------+-------------+----------+-----------+
| 2012-01-25 08:25:55 | "unknown" <unknown> | unknown | s   | from-sip-external | SIP/195.137.189.2-00000000 |            | Congestion | 5        |       13 |      13 | ANSWERED    |        3 |             |          |           |
| 2012-01-25 08:25:56 | "unknown" <unknown> | unknown | s   | from-sip-external | SIP/195.137.189.2-00000001 |            | Congestion | 5        |       12 |      12 | ANSWERED    |        3 |             |          |           |
| 2012-01-25 08:25:58 | "unknown" <unknown> | unknown | s   | from-sip-external | SIP/195.137.189.2-00000002 |            | Congestion | 5        |       12 |      12 | ANSWERED    |        3 |             |          |           |
| 2012-01-25 08:26:00 | "unknown" <unknown> | unknown | s   | from-sip-external | SIP/195.137.189.2-00000003 |            | Congestion | 5        |       12 |      12 | ANSWERED    |        3 |             |          |           |
| 2012-01-25 08:26:02 | "unknown" <unknown> | unknown | s   | from-sip-external | SIP/195.137.189.2-00000004 |            | Congestion | 5        |       12 |      12 | ANSWERED    |        3 |             |          |           |
| 2012-01-25 08:26:04 | "unknown" <unknown> | unknown | s   | from-sip-external | SIP/195.137.189.2-00000005 |            | Congestion | 5        |       12 |      12 | ANSWERED    |        3 |             |          |           |
| 2012-01-25 08:26:06 | "unknown" <unknown> | unknown | s   | from-sip-external | SIP/195.137.189.2-00000006 |            | Congestion | 5        |       12 |      12 | ANSWERED    |        3 |             |          |           |
| 2012-01-25 08:26:08 | "unknown" <unknown> | unknown | s   | from-sip-external | SIP/195.137.189.2-00000007 |            | Congestion | 5        |       12 |      12 | ANSWERED    |        3 |             |          |           |
| 2012-01-25 08:26:10 | "unknown" <unknown> | unknown | s   | from-sip-external | SIP/195.137.189.2-00000008 |            | Congestion | 5        |       12 |      12 | ANSWERED    |        3 |             |          |           |
| 2012-01-25 08:26:12 | "unknown" <unknown> | unknown | s   | from-sip-external | SIP/195.137.189.2-00000009 |            | Congestion | 5        |       12 |      12 | ANSWERED    |        3 |             |          |           |
+---------------------+---------------------+---------+-----+-------------------+----------------------------+------------+------------+----------+----------+---------+-------------+----------+-------------+----------+-----------+
10 rows in set (0.01 sec)
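Building on the query above, an added example (not from the original post) that summarises the from-sip-external rows by calling IP and day, so a burst of short "unknown" calls from one host stands out. It assumes the stock FreePBX/Asterisk cdr table with the columns shown in the output above and MySQL/MariaDB string functions.

```sql
-- Added example, not part of the original post.
-- The channel column looks like "SIP/195.137.189.2-00000000" for anonymous
-- callers in from-sip-external, so the IP is the text between "/" and "-".
SELECT
  DATE(calldate)                                              AS day,
  SUBSTRING_INDEX(SUBSTRING_INDEX(channel, '/', -1), '-', 1)  AS src_ip,
  COUNT(*)                                                    AS calls,
  SUM(disposition = 'ANSWERED')                               AS answered,
  SUM(clid = '"unknown" <unknown>')                           AS unknown_clid,
  MIN(duration)                                               AS min_dur,
  MAX(duration)                                               AS max_dur,
  GROUP_CONCAT(DISTINCT lastapp ORDER BY lastapp)             AS apps
FROM cdr
WHERE dcontext = 'from-sip-external'
  AND channel LIKE 'SIP/%'
  AND calldate >= NOW() - INTERVAL 7 DAY
GROUP BY day, src_ip
-- Five or more anonymous inbound attempts from one address in a day is
-- an arbitrary threshold (assumption); tune it to your own traffic.
HAVING calls >= 5
ORDER BY calls DESC, day DESC;
```

Run it from the same mysql prompt as the post's query; a row with many calls, a narrow duration range and lastapp of Congestion is the pattern the post describes.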
 

stanjohn

Not quite right
Joined
Apr 18, 2011
Messages
144
Reaction score
22
Last night I received about 100 calls from this same IP address, 195.137.189.2; 50 or fewer left a very short voicemail. On the ones I was able to answer I heard nothing, but I did see some tones in the log. My guess is they were looking for an extension that would redirect them to a dial tone/outbound trunk. Stanley
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Just a reminder that Proxmox 1, 2 and 3 are VULNERABLE if exposed in any way to the Internet. There is a kernel issue that may compromise every app running on your box. Proxmox and PIAF systems, running with or without Proxmox, should only be used behind a secure, hardware-based firewall with NO Internet exposure and no ports redirected to any server.
 

phonebuff

Guru
Joined
Feb 7, 2008
Messages
1,115
Reaction score
129
26 Fail2Ban messages, i.e. one every 30 minutes or so...

The IP 46.165.195.143 has just been banned by Fail2Ban after
172 attempts against ASTERISK. {21:05 2/4}

The IP 46.165.195.143 has just been banned by Fail2Ban after
212 attempts against ASTERISK. {09:36 2/5}
-------------

Here is more information about 46.165.195.143:

% Information related to '46.165.192.0 - 46.165.199.255'

inetnum: 46.165.192.0 - 46.165.199.255
netname: NETDIRECT-NET
descr: Leaseweb Germany GmbH (previously netdirekt e. K.)
remarks: INFRA-AW
country: DE
admin-c: WW200-RIPE
tech-c: SR614-RIPE
status: ASSIGNED PA
mnt-by: NETDIRECT-MNT
mnt-lower: NETDIRECT-MNT
mnt-routes: NETDIRECT-MNT
source: RIPE # Filtered
 
