ALERT Possible Sangoma Portal Breach

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
14,938
Reaction score
2,574
We have been advised that the Sangoma Portal may have been compromised. Anecdotal evidence is mounting that servers running services activated through the Sangoma Portal may have been compromised resulting in very expensive phone bills. Since the outset, one of our primary objections to the Sangoma portal design was/is that it may provide Sangoma with either root level access to your server or the functional equivalent through the expanded use of asterisk user permissions.

In addition to reading the thread on the FreePBX Forum about this, you also should immediately check your servers for evidence of compromise particularly if you have a business relationship with Sangoma or credentials in their portal.

PLEASE REPORT BACK IF YOU FIND A PROBLEM!! IMMEDIATELY TAKE YOUR SERVER OFFLINE!!

First, check /root/.bashrc for alias cd and alias exit lines. They should not be there!

Second, run the following commands to determine if these files exist on any of your servers. The latter one may be in /var/www.hmtl/ (not sure if this is a dual typo or not).
Code:
find / -name wbc.php
find / -name .asterisk.php
Third, check your /var/log/httpd/access_log for entries that include .asterisk.php or 5.79.73.246. There may be multiple (older) access logs! Numerous other IP addresses to check here.

Fourth, check /var/log/secure for SSH entries that appear from users or sites you don't own. Ditto on older versions of the SSH log.

Fifth, check your user list for an ssh user. sshd is OK, but not ssh.
Code:
cat /etc/passwd | cut -d ":" -f1 | grep ssh
If your server is running Travelin' Man 3 and your IPtables firewall is not disabled and you have not whitelisted the Sangoma Portal, your server still may have been compromised since the .asterisk.php script uses Asterisk to place outbound calls on your nickel. However, we believe the whitelist would have prevented access by the bad guys to both SSH and your web GUI.
 
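The five checks above collected into one triage script, as an added example that is not code from the original post. Every path is a parameter so the checks can be run against a live server or against logs copied off it; the evidence written by demo() is constructed, not real data, and the owned-IP list for step 4 is an assumption you supply.

```shell
#!/bin/sh
# Added triage helper, not code from the original post. One function per indicator
# above; each returns 0 when the indicator IS present. Paths are parameters so the
# checks run against a live box or against logs copied off it.

check_bashrc() {          # $1 = .bashrc; step 1: alias cd / alias exit lines
    grep -Eqs '^[[:space:]]*alias[[:space:]]+(cd|exit)=' "$1"
}
check_dropped_files() {   # $1 = directory to search; step 2: the two PHP files
    find "$1" -type f \( -name wbc.php -o -name .asterisk.php \) 2>/dev/null | grep -q .
}
check_access_logs() {     # $1 = httpd log dir; step 3, rotated logs included
    grep -lsF -e '.asterisk.php' -e '5.79.73.246' "$1"/access_log* | grep -q .
}
check_secure_log() {      # $1 = dir holding secure*, $2 = space-separated IPs you own; step 4
    grep -hs 'sshd.*Accepted' "$1"/secure* | sed -n 's/.* from \([0-9.]*\) port.*/\1/p' |
        sort -u | while read -r ip; do
            case " $2 " in *" $ip "*) ;; *) echo "unknown SSH login source: $ip" ;; esac
        done | grep .
}
check_ssh_user() {        # $1 = passwd file; step 5: account named exactly "ssh"
    cut -d: -f1 "$1" | grep -qx ssh
}

# Run all five; returns the number of indicators found (0 = nothing seen)
audit() {  # $1 bashrc, $2 search root, $3 httpd log dir, $4 secure log dir, $5 owned IPs, $6 passwd
    hits=0
    check_bashrc "$1"          && { echo "HIT: alias cd/exit in $1"; hits=$((hits+1)); }
    check_dropped_files "$2"   && { echo "HIT: wbc.php/.asterisk.php under $2"; hits=$((hits+1)); }
    check_access_logs "$3"     && { echo "HIT: .asterisk.php or 5.79.73.246 in $3"; hits=$((hits+1)); }
    check_secure_log "$4" "$5" && hits=$((hits+1))
    check_ssh_user "$6"        && { echo "HIT: user 'ssh' in $6"; hits=$((hits+1)); }
    return "$hits"
}

# Constructed evidence (not real data) so the script can be exercised offline
demo() {
    d=$(mktemp -d); mkdir -p "$d/www" "$d/httpd" "$d/log"
    printf 'alias cd="ls"\nalias exit="true"\n' > "$d/bashrc"
    : > "$d/www/.asterisk.php"
    echo '5.79.73.246 - - "GET /.asterisk.php HTTP/1.1" 200' > "$d/httpd/access_log-20160101"
    echo 'sshd[1]: Accepted password for root from 203.0.113.9 port 22 ssh2' > "$d/log/secure"
    printf 'root:x:0:0::/root:/bin/bash\nsshd:x:74:74::/:/sbin/nologin\nssh:x:0:0::/:/bin/bash\n' > "$d/passwd"
    audit "$d/bashrc" "$d/www" "$d/httpd" "$d/log" "192.0.2.1" "$d/passwd"; rc=$?
    rm -rf "$d"; return $rc
}
```

On a real box you would call audit with /root/.bashrc, /, /var/log/httpd, /var/log, your own addresses and /etc/passwd; any non-zero result means take the server offline and treat it as compromised.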

wardmundy

No mention of wiping your server after it's compromised. Apparently never heard of rootkits. But these are the experts so it'll be OK. Makes me want to go dig up Rob's condescending comments when he first introduced his firewall creation. :death: