ALERT Possible Sangoma Portal Breach

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
We have been advised that the Sangoma Portal may have been compromised. Anecdotal evidence is mounting that servers running services activated through the Sangoma Portal may have been compromised resulting in very expensive phone bills. Since the outset, one of our primary objections to the Sangoma portal design was/is that it may provide Sangoma with either root level access to your server or the functional equivalent through the expanded use of asterisk user permissions.

In addition to reading the thread on the FreePBX Forum about this, you also should immediately check your servers for evidence of compromise particularly if you have a business relationship with Sangoma or credentials in their portal.

PLEASE REPORT BACK IF YOU FIND A PROBLEM!! IMMEDIATELY TAKE YOUR SERVER OFF LINE!!

First, check /root/.bashrc for alias cd and alias exit lines. They should not be there!

Second, run the following commands to determine if these files exist on any of your servers. The latter one may be in /var/www.hmtl/ (not sure if this is a dual typo or not).
Code:
find / -name wbc.php
find / -name .asterisk.php

Third, check your /var/log/httpd/access_log for entries that include .asterisk.php or 5.79.73.246. There may be multiple (older) access logs! Numerous other IP addresses to check here.

Fourth, check /var/log/secure for SSH entries that appear from users or sites you don't own. Ditto on older versions of the SSH log.

Fifth, check your user list for an ssh user. sshd is OK, but not ssh.
Code:
cut -d: -f1 /etc/passwd | grep ssh

If your server is running Travelin' Man 3 and your IPtables firewall is not disabled and you have not whitelisted the Sangoma Portal, your server still may have been compromised since the .asterisk.php script uses Asterisk to place outbound calls on your nickel. However, we believe the whitelist would have prevented access by the bad guys to both SSH and your web GUI.
 
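The checklist in the post above, wrapped into a script (added here as an example; it is not from the thread, from Sangoma or from FreePBX). Each function takes the file or directory to inspect as an argument, defaulting to the path the post names, so it can be run on a live server or against logs copied off it, and returns non-zero when it finds an indicator. The /var/log/secure check is left manual because it needs to know which users and source addresses are yours.

```shell
#!/bin/sh
# Added example, not from the thread: the checks above as functions that take
# the file or directory to inspect, so they run against a live server or
# against evidence copied off it. Each returns 1 if an indicator was found
# (details on stdout) and 0 if not. Default paths match the post.

# First: 'alias cd' / 'alias exit' lines should not be in /root/.bashrc
check_bashrc() {
    rc="${1:-/root/.bashrc}"
    [ -f "$rc" ] || return 0
    if grep -nE '^[[:space:]]*alias[[:space:]]+(cd|exit)=' "$rc"; then
        echo "FOUND: alias cd/exit in $rc"; return 1
    fi
}

# Second: dropped files named wbc.php or .asterisk.php anywhere under $1
check_webshell_files() {
    root="${1:-/}"
    hits=$(find "$root" \( -name wbc.php -o -name .asterisk.php \) 2>/dev/null || true)
    [ -z "$hits" ] && return 0
    echo "FOUND: $hits"; return 1
}

# Third: access_log and its rotated copies (access_log-YYYYMMDD, access_log.1)
# referencing .asterisk.php or the address named in the post; -F so the dots
# in the IP match literally
check_access_logs() {
    logdir="${1:-/var/log/httpd}"
    found=0
    for f in "$logdir"/access_log*; do
        [ -f "$f" ] || continue
        if grep -F -e '.asterisk.php' -e '5.79.73.246' "$f"; then found=1; fi
    done
    return $found
}

# Fifth: an account literally named 'ssh' (sshd is the legitimate daemon user,
# so match the whole field with -x instead of grepping for a substring)
check_ssh_user() {
    passwd="${1:-/etc/passwd}"
    if cut -d: -f1 "$passwd" | grep -qx ssh; then
        echo "FOUND: user 'ssh' in $passwd"; return 1
    fi
}
```

Source the file and call each function with no argument to run it against the live system; run it as root so find and the log reads are not cut short by permissions.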

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
They don't utilize your whitelist iptables model do they?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
No mention of wiping your server after it's compromised. Apparently never heard of rootkits. But these are the experts so it'll be OK. Makes me want to go dig up Rob's condescending comments when he first introduced his firewall creation. :death:
 
