ALERT please report hacks

anonymous

New Member
Joined
Sep 13, 2008
Messages
6
Reaction score
0
I am currently working on a personal project to find and assist sites that have had their asterisk servers hacked into.

If your asterisk server has been hacked, please send me a personal message with a way to contact you and whether you'd like to remain anonymous.

Thank you,
anonymous
 

MisterQ

Member
Joined
Dec 11, 2007
Messages
188
Reaction score
5
Is it just me, or do others get nervous about someone who won't tell you who they are, offering to "fix your security"?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
In this case, there's a good reason for the anonymity. But I can't tell you what it is, or we'd have to... :cool:
 
Joined
Nov 2, 2007
Messages
498
Reaction score
0
Be that as it may....

I notice no one is talking to the shadow.

MisterQ, I brought that up before too. Shortly thereafter was a knock at the door and a rather large fellow told me we were going for a ride... He said hello to my little friend...

I prefer a little more open dialogue.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
This individual has provided us a number of gratis security fixes and tips. His employer has a strict non-disclosure policy. We like getting the fixes. If you want to see what's happened without the fixes, visit the Lime Green forum. :rolleyes5:
 

MisterQ

Member
Joined
Dec 11, 2007
Messages
188
Reaction score
5
Thanks, ward. Therein lies an area that myself and a few others more in the "Security space" have been theorizing about.

With the ability to "create" identities, in seconds, there is a need to validate anonymity, with identity endorsement.

Similar to what you have done: a nom de plume, but with a non-revealing endorsement from a trusted associate.

Separation of the person's information from their identity is a good start, but then most people can't comprehend that, or compartmentalized security systems, or the like.

Peter
 

anonymous

New Member
Joined
Sep 13, 2008
Messages
6
Reaction score
0
Peter,

Thanks for understanding.

What Ward said is somewhat true although taken along an amusing tangent. The other reason for this has to do with safety. At least one hack I've helped with has implications of it being related to organized crime.
 
Joined
Nov 2, 2007
Messages
498
Reaction score
0
I guess the question I have is are you getting reports going this route?

As a former investigator of organized crime, I'd get real quiet around anything to do with that connection too.

I am well clear now and personally hand those things up immediately and stay clear.

I could tell you just how ugly that can get... But...
 

tel0p

Guru
Joined
Nov 20, 2007
Messages
195
Reaction score
0
wow this thread is all spooky. happy Halloween. :piggy:

As for 'anon' making security contributions, I'm curious about your protocol on this..
do you keep the info and repair the prob then release a patch (via update-fixes?)

It'd be interesting to learn more about what's being done proactively as opposed to waiting for someone to post a nightmare (on voip street).

Is there a hidden forum topic we're missing or are these just one-off quick-fixes in private?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
We receive security tips from a number of sources, both named and unnamed. Security fixes affecting unpublicized flaws are merely incorporated into update-fixes. They usually are not highlighted for obvious reasons.

If we're jumping up and down recommending that folks run update-fixes, there's usually a very good reason why. Also be sure to review the Stickies at the top of the Bug Reporting and Fixes Forum. :coolgleamA:
 

anonymous

New Member
Joined
Sep 13, 2008
Messages
6
Reaction score
0
Yes, and unfortunately I didn't set up email notifications correctly so I missed a couple that I could have helped with.

I got busy with various life things and hadn't checked in lately because I'd seen no emails or responses here...

Argh! :banghead:

I will try to be better in the future and to those that I missed out on, my apologies. If you still need help I'm more than happy to give it.
 

g711

Guru
Joined
Mar 2, 2008
Messages
24
Reaction score
0
Okay, I just got hacked. I was a little slow on the 701/701 extension deal. The hack came out of a data center in Quebec. They made about 30 calls from a dialer before I could pull the plug. The dialer was asking the people to activate their account by entering in their credit card number. Live and learn. If you have this going on and you have not heeded Ward's warnings on this, well get it done now!! Otherwise you could have the FBI knocking on your door for credit card fraud.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
In addition to adding secure passwords for your extensions, make sure you install the new version of Fail2Ban. It obviously won't help a bit if your extension passwords still match your extensions. :cool:
 
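The two posts above describe the same weakness: an extension whose SIP secret is its own number (701/701), or otherwise guessable. As an added example that is not from the thread or from PBX in a Flash, here is a small Python audit of an Asterisk-style sip.conf fragment (the fragment and the short wordlist are constructed) that flags such peers before someone else finds them:

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of an Asterisk sip.conf / sip_additional.conf
# fragment (assumption: [extension] sections carrying a secret= line).
SAMPLE_SIP_CONF = """\
[general]
context=from-sip-external
allowguest=no

[701]
type=friend
secret=701
host=dynamic
context=from-internal

[702]
type=friend
secret=conference
host=dynamic

[703]
type=friend
secret=Kx7#pLq2vR9!dT4m
host=dynamic
"""

# Constructed list of guessable values; a real audit would use a larger wordlist.
COMMON_SECRETS = {"password", "asterisk", "conference", "1234", "0000"}

def parse_sip_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [section] headers and key=value lines into nested dicts."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ; comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def audit_secrets(conf: str, min_len: int = 12) -> List[Tuple[str, str]]:
    """Return (extension, reason) pairs for every peer with a weak secret."""
    findings = []
    for name, kv in parse_sip_conf(conf).items():
        if "secret" not in kv:
            continue                      # [general] and secret-less sections
        secret = kv["secret"]
        if secret == name:
            findings.append((name, "secret equals extension number"))
        elif secret.lower() in COMMON_SECRETS:
            findings.append((name, "secret is a common dictionary word"))
        elif secret.isdigit():
            findings.append((name, "secret is all digits"))
        elif len(secret) < min_len:
            findings.append((name, f"secret shorter than {min_len} characters"))
    return findings
```

Run it against your real sip_additional.conf and rotate every extension it reports.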

mkhurrum

New Member
Joined
Oct 26, 2007
Messages
23
Reaction score
0
I had the same thing happen - what are the steps or fixes I need to avoid this - please let me know.

Thanks,
M
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Please read comment #13 above. Use very secure extension passwords as if your phone bill depended upon it... It does. :eekb:
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Yet another green vulnerability from who knows where. Just to be on the safe side, you might want to check whether any strange files are living in your /var/tmp and /tmp directories and then do a search for a file named stealth:
Code:
find / -name stealth
 

anonymous

New Member
Joined
Sep 13, 2008
Messages
6
Reaction score
0
email address updated

I have just updated my email address so that PMs and replies to this thread can be forwarded to my mobile phone.

This should correct my slow response in getting back to people.
 
Joined
Nov 19, 2007
Messages
180
Reaction score
8
I got some "unauthorized usage" this morning. It was a password attack. Even though the password was nothing like the extension, the password was related to the function of the room the phone is in. From a telephony point of view, there wasn't anything that would tip you off to the password...in hindsight, though, it turns out the password was pretty common for a password crack program :(

I did disable the outgoing trunks so I could do some IP traces. Here's the IP address I saw in the SIP headers:
Code:
dig -x 85.17.141.101

; <<>> DiG 9.4.2-P1 <<>> -x 85.17.141.101
;; global options:  printcmd             
;; Got answer:                           
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9042
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;101.141.17.85.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
101.141.17.85.in-addr.arpa. 86400 IN    PTR     linux3.tescilet.net.
Once I changed the password on the extension being used, it looks like no more unauthorized outgoing calls are being made...at least there are no more outgoing call messages on the asterisk console.

I just installed fail2ban, and I would expect to see some logs showing about the password now failing. Perhaps I didn't configure it correctly? I do have the /var/log/fail2ban.log that shows this at startup:
Code:
 tail -F fail2ban.log
2009-03-13 11:52:16,547 fail2ban.jail   : INFO   Jail 'asterisk-iptables' started
2009-03-13 11:52:16,550 fail2ban.jail   : INFO   Jail 'apache-tcpwrapper' started
2009-03-13 11:52:16,554 fail2ban.jail   : INFO   Jail 'apache-badbots' started
2009-03-13 11:52:16,558 fail2ban.jail   : INFO   Jail 'vsftpd-iptables' started
2009-03-13 11:52:17,721 fail2ban.actions.action: ERROR  iptables -N fail2ban-SSH
iptables -A fail2ban-SSH -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 100
2009-03-13 11:52:17,741 fail2ban.actions.action: ERROR  iptables -N fail2ban-VSFTPD
iptables -A fail2ban-VSFTPD -j RETURN
iptables -I INPUT -p tcp --dport ftp -j fail2ban-VSFTPD returned 100
 
Joined
Nov 19, 2007
Messages
180
Reaction score
8
Ok, the hack attempts are still coming in even after I set up the fail2ban software. I think the attacker is trying to make phone calls without having his client registered because none of these attempts are being picked up by fail2ban. Here's a sample of the SIP messages:
Code:
<--- SIP read from 85.17.141.101:5060 ---> 
INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 85.17.141.101:5060;branch=z9hG4bK4acd1ddd;rport
From: "asterisk" <sip:[email protected]>;tag=as6a6dcef8
To: <sip:[email protected]>
Contact: <sip:[email protected]>
Call-ID: [email protected]     
CSeq: 102 INVITE
User-Agent: Asterisk PBX
Max-Forwards: 70
Date: Fri, 13 Mar 2009 17:45:40 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Content-Type: application/sdp
Content-Length: 289

v=0
o=root 18753 18753 IN IP4 85.17.141.101
s=session
c=IN IP4 85.17.141.101
t=0 0
[snip audio details]
<------------->
--- (14 headers 14 lines) ---
Sending to 85.17.141.101 : 5060 (NAT)
Using INVITE request as basis request - [email protected]
Found user '1000', but fails host access
Found no matching peer or user for '85.17.141.101:5060'
[snip]
Looking for 13302600911 in from-sip-external (domain 79.97.46.100)
list_route: hop: <sip:[email protected]>
In this listing:
1000 is the not-actual extension being hacked.
79.97.46.100 is my not-actual external IP address
85.17.141.101 is the ACTUAL hacker's IP address (or proxy)

I started seeing the failure messages on the console when I set the verbosity up high AND changed the permit IP/mask to my internal network as recommended in the security tips. I'm still seeing the messages, although the unknown peer number changes every time. Right now they are in the 740 area code.

This is one of the things I thought fail2ban would catch, but it seems to only catch registration failures, not failures like the one above.
 
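The post above shows why the stock fail2ban asterisk filter stayed quiet: the attacker never registered, so the console only printed "Found no matching peer or user for 'IP:port'" lines. As an added example that is not from the thread or from PBX in a Flash, here is a Python detector that counts those rejections alongside the registration failures, using fail2ban's own maxretry/findtime idea; the log layout is assumed and the lines are constructed, reusing the sanitised addresses from the post:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the layout of /var/log/asterisk/full (assumption:
# "[Mon DD HH:MM:SS] LEVEL[pid] file: message"); IPs are the thread's sanitised ones.
SAMPLE_LOG = """\
[Mar 13 17:45:40] NOTICE[2891] chan_sip.c: Registration from '"1000" <sip:1000@79.97.46.100>' failed for '10.0.0.5' - Wrong password
[Mar 13 17:45:41] VERBOSE[2891] chan_sip.c: Found user '1000', but fails host access
[Mar 13 17:45:41] NOTICE[2891] chan_sip.c: Found no matching peer or user for '85.17.141.101:5060'
[Mar 13 17:46:02] NOTICE[2891] chan_sip.c: Found no matching peer or user for '85.17.141.101:5060'
[Mar 13 17:46:30] NOTICE[2891] chan_sip.c: Found no matching peer or user for '85.17.141.101:5060'
[Mar 13 17:47:11] NOTICE[2891] chan_sip.c: Found no matching peer or user for '85.17.141.101:5060'
[Mar 13 17:47:55] NOTICE[2891] chan_sip.c: Found no matching peer or user for '85.17.141.101:5060'
[Mar 13 17:59:03] NOTICE[2891] chan_sip.c: Found no matching peer or user for '192.0.2.77:5060'
"""

TIMESTAMP = re.compile(r"^\[(\w{3} \d{1,2} \d{2}:\d{2}:\d{2})\]")
# Each pattern captures the source IP: the registration failure the stock
# fail2ban filter matched, and the unregistered-INVITE rejection it missed.
PATTERNS = [
    re.compile(r"Registration from '.*' failed for '(?P<ip>[\d.]+)'"),
    re.compile(r"Found no matching peer or user for '(?P<ip>[\d.]+):\d+'"),
]

def extract_failures(lines):
    """Return (timestamp, ip) for every line matching a failure pattern."""
    out = []
    for line in lines:
        ts = TIMESTAMP.match(line)
        for pat in PATTERNS:
            m = pat.search(line) if ts else None
            if m:
                when = datetime.strptime(ts.group(1), "%b %d %H:%M:%S")
                out.append((when, m.group("ip")))
                break
    return out

def ips_to_ban(log, maxretry=5, findtime=600):
    """Sliding-window count per IP, mirroring fail2ban's maxretry/findtime."""
    window, banned = defaultdict(deque), set()
    for when, ip in extract_failures(log.splitlines()):
        q = window[ip]
        q.append(when)
        while when - q[0] > timedelta(seconds=findtime):  # drop stale hits
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
    return banned
```

The second regex is the kind of failregex line the poster's fail2ban filter was missing; adding an equivalent to the asterisk filter (and restarting fail2ban) makes the jail fire on these unregistered attempts too.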
