ALERT Possible Sangoma Portal Breach

Discussion in 'Today's Tech News & Events' started by wardmundy, Apr 29, 2017.

  1. wardmundy (Nerd Uno)
    We have been advised that the Sangoma Portal may have been compromised. Anecdotal evidence is mounting that servers running services activated through the Sangoma Portal may have been compromised resulting in very expensive phone bills. Since the outset, one of our primary objections to the Sangoma portal design was/is that it may provide Sangoma with either root level access to your server or the functional equivalent through the expanded use of asterisk user permissions.

    In addition to reading the thread on the FreePBX Forum about this, you also should immediately check your servers for evidence of compromise particularly if you have a business relationship with Sangoma or credentials in their portal.

    PLEASE REPORT BACK IF YOU FIND A PROBLEM!! IMMEDIATELY TAKE YOUR SERVER OFFLINE!!

    First, check /root/.bashrc for alias cd and alias exit lines. They should not be there!

    Second, run the following commands to determine if these files exist on any of your servers. The latter one may be in /var/www.hmtl/ (not sure if this is a dual typo or not).
    Code:
    find / -name wbc.php
    find / -name .asterisk.php
    
    Third, check your /var/log/httpd/access_log for entries that include .asterisk.php or 5.79.73.246. There may be multiple (older) access logs! Numerous other IP addresses to check here.

    Fourth, check /var/log/secure for SSH entries that appear from users or sites you don't own. Ditto on older versions of the SSH log.

    Fifth, check your user list for an ssh user. sshd is OK, but not ssh.
    Code:
    cut -d: -f1 /etc/passwd | grep ssh
    If your server is running Travelin' Man 3 and your IPtables firewall is not disabled and you have not whitelisted the Sangoma Portal, your server still may have been compromised since the .asterisk.php script uses Asterisk to place outbound calls on your nickel. However, we believe the whitelist would have prevented access by the bad guys to both SSH and your web GUI.
     
    #1 wardmundy, Apr 29, 2017
    Last edited: Apr 29, 2017
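The five checks above, automated as one sweep. This is an added example written for this page, not code from the original post, from Sangoma or from FreePBX. Only the IP address and the two file names come from the post; the sample log lines, the `/root`-style tree it builds under a temp directory, the `sweep.sh` name and the `TRUSTED_IPS` variable are all assumptions made for the demo. Each check takes the file or directory to inspect as an argument so the same functions run against the live box (as root) or against logs copied off it, prints whatever it found, and exits 0 when there is evidence (grep convention); `sweep` returns the number of checks that fired.

```shell
#!/bin/sh
# Added example, not code from the original post or from Sangoma/FreePBX.
# Automates the five checks in post #1: each check takes the file or tree to
# inspect, prints any evidence, and exits 0 when something was found (grep
# convention), so the same functions run against a live box or copied logs.
# The IP and file names are the ones in the post; all sample log lines below
# are constructed for the demo, and the RFC 5737 addresses are placeholders.

IOC_IP='5.79.73.246'

# 1. /root/.bashrc: "alias cd=" / "alias exit=" lines should not be there.
check_bashrc() {                       # $1 = path to .bashrc
    [ -f "$1" ] && grep -En '^[[:space:]]*alias[[:space:]]+(cd|exit)=' "$1"
}

# 2. web shell file names, anywhere under $1 (use / on the real system; this
#    also covers the /var/www.hmtl vs /var/www/html question in the post).
check_webshells() {
    find "$1" -xdev -type f \( -name wbc.php -o -name .asterisk.php \) 2>/dev/null | grep .
}

# 3. Apache access logs, rotated copies included: hits on .asterisk.php or
#    on the listed IP. Args = one or more log files.
check_access_logs() {
    grep -HF -e '.asterisk.php' -e "$IOC_IP" "$@" 2>/dev/null
}

# 4. /var/log/secure: accepted SSH logins from any IP not in the allow list.
#    $1 = space-separated trusted IPs, remaining args = log files.
check_ssh_logins() {
    allow=$1; shift
    grep -hE 'sshd\[[0-9]+\]: Accepted ' "$@" 2>/dev/null |
    while read -r line; do
        ip=$(printf '%s\n' "$line" | sed -n 's/.* from \([0-9.]*\) port.*/\1/p')
        case " $allow " in *" $ip "*) ;; *) printf '%s\n' "$line" ;; esac
    done | grep .
}

# 5. /etc/passwd: an account named exactly "ssh" (sshd is the legitimate one).
check_ssh_user() {
    cut -d: -f1 "$1" | grep -x ssh
}

run_check() {                          # $1 = label, rest = check command
    label=$1; shift
    if out=$("$@"); then
        echo "[!] $label"; printf '%s\n' "$out" | sed 's/^/    /'; return 0
    fi
    echo "[ok] $label"; return 1
}

# Run all five checks against a tree laid out like the real filesystem.
# Returns the number of checks that found indicators (0 = nothing found).
sweep() {                              # $1 = root dir, $2 = trusted SSH IPs
    root=$1 allow=$2 hits=0
    run_check ".bashrc redefines cd/exit"   check_bashrc "$root/root/.bashrc"                  && hits=$((hits+1))
    run_check "web shell files present"     check_webshells "$root"                             && hits=$((hits+1))
    run_check "access_log hits"             check_access_logs "$root"/var/log/httpd/access_log* && hits=$((hits+1))
    run_check "SSH logins from unknown IPs" check_ssh_logins "$allow" "$root"/var/log/secure*   && hits=$((hits+1))
    run_check "user 'ssh' in /etc/passwd"   check_ssh_user "$root/etc/passwd"                   && hits=$((hits+1))
    echo "== $hits of 5 checks found indicators =="
    return "$hits"
}

# Constructed sample tree (invented lines, not real logs) in which every
# check fires; prints the directory it created.
build_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/root" "$d/etc" "$d/var/log/httpd" "$d/var/www/html/admin"
    printf "alias cd='cd'\nalias exit='exit'\n" > "$d/root/.bashrc"
    : > "$d/var/www/html/admin/.asterisk.php"; : > "$d/var/www/html/wbc.php"
    cat > "$d/var/log/httpd/access_log" <<EOF
5.79.73.246 - - [29/Apr/2017:03:12:41 +0000] "GET /admin/.asterisk.php HTTP/1.1" 200 512
203.0.113.7 - - [29/Apr/2017:03:13:02 +0000] "GET /admin/index.php HTTP/1.1" 200 1024
EOF
    cat > "$d/var/log/secure" <<EOF
Apr 29 03:14:07 pbx sshd[2231]: Accepted password for root from 5.79.73.246 port 51234 ssh2
Apr 29 08:00:01 pbx sshd[2410]: Accepted publickey for root from 198.51.100.10 port 40022 ssh2
EOF
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin' \
        'ssh:x:1001:1001::/home/ssh:/bin/bash' > "$d/etc/passwd"
    echo "$d"
}

# Demo on the constructed tree; "sh sweep.sh live" runs it against / instead,
# with TRUSTED_IPS="a.b.c.d e.f.g.h" as the SSH allow list (both names assumed).
if [ "${1:-}" = live ]; then
    sweep / "${TRUSTED_IPS:-}"
else
    sweep "$(build_sample)" 198.51.100.10 || :   # demo: nonzero status is the hit count
fi
```

Two caveats a responder would add. A clean sweep only proves the absence of these particular indicators; the IP list in the post is explicitly incomplete, so extend `IOC_IP`/the grep patterns as more addresses are published. And because a box with root-level access may carry a rootkit that hides files and log lines from tools run on it, run the file checks from a rescue boot or against disk and log copies taken off the host, and treat any hit as grounds to rebuild rather than clean up in place.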
  2. krzykat (Guru)
    They don't utilize your whitelist iptables model do they?
     
  3. wardmundy (Nerd Uno)
    Afraid not. Maybe they will now.
     
  4. wardmundy (Nerd Uno)
    #4 wardmundy, Apr 29, 2017
    Last edited: Apr 29, 2017
  5. krzykat (Guru)
    If they did, this never would have happened. I've reviewed their firewall method and am happier with what we've got implemented.
     
  6. briankelly63
    "understand that security is paramount" apparently they don't...
     
    wardmundy likes this.
  7. wardmundy (Nerd Uno)
    No mention of wiping your server after it's compromised. Apparently never heard of rootkits. But these are the experts so it'll be OK. Makes me want to go dig up Rob's condescending comments when he first introduced his firewall creation. :death:
     
    hecatae and briankelly63 like this.