bypass calls using elastix

Discussion in 'General' started by metrocom, May 1, 2010.

  1. metrocom

    We recently installed an Elastix PBX; now, after 30 days, we found bypass traffic to countries like Iran and Afghanistan. Is it possible that the download had a configuration to make these calls, using a configuration made by someone who would be making money doing bypass calls with the Elastix software? How can we know if this was done by the Elastix software?
     
  2. dicko

    No, there are no security weaknesses in the latest Elastix or Asterisk, apart from what you yourself compromise.

    There is a "Security" forum here that might help you, but basically NEVER use the same password as the extension, I suggest at least 12 random alphanumeric characters for a secure password, do not allow "anonymous sip calls" unless you really need it, and only allow sip connections on your firewall (udp/5060) from trusted IP address space.

    On a similar but more critical vein, your root password should be at least as secure, or they will steal your VoIP credentials and not even need to use you as a "bypass".


    dicko
     
  3. metrocom

    Thanks for your prompt response. This machine is running on a private network, not exposed to a public IP, so I wanted to make sure whether by any chance there is a possibility of a corrupted Elastix version, or a version that would make these bypass calls once it is installed. The system has internet access without being exposed to the internet. This is a question before thinking that this password theft has been done from inside the company.

    My main concern is whether there is a chance of a corrupted or bad-intentioned Elastix download in the version history.
     
  4. dicko

    It is quite simple (I don't quite understand your somewhat contradictory statements).

    If you take and make calls through the internet you are exposed; if you have no access to the internet then it is of course an internal matter.

    And no, there is no chance that it is an impugned Elastix if you got it from Elastix; check and verify that my original security concerns are met in your deployment.

    dicko
     
  5. metrocom

    Do you think there is a chance that the download had a daemon that runs automatically once installed, finds information about the system, and finds a way to configure itself?

    The system was not exposed to the internet inbound, only outbound.

    If there is a way the system was used as a relay for other Asterisk servers, is there a log where we can find this kind of history?
     
  6. dicko

    There is nothing in the "code" to worry about, as I said before, if you allow connections on port 5060 and have weak passwords, you WILL be compromised very quickly. If you allow connections on port 22 and have a weak root password, then be even more concerned.
    All logs are in /var/log/, each log has a time stamp.

    /var/log/secure will show all the attempts against your ssh server.

    /var/log/asterisk/full* are daily rotated logs that will show any unauthorized registration and phone calls

    grep -iE "register|authentic" /var/log/asterisk/full*

    will show you the IP and extension of each successful registration. If you don't recognise the IP then . . .

    nmap -sUT <your external IP address>

    from a "real" computer (non-Windows) outside your network will show you much; add -p 1-65535 for a longer and deeper look.

    dicko
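    As an added example (not from the thread), the log check dicko describes carried one step further: a shell script that pulls successful registrations and failed attempts out of Asterisk "full" log lines and flags registrations from outside a trusted address range. The log lines and the trusted range are constructed for the example; the chan_sip message formats are assumed to match Asterisk 1.4-era output and should be checked against your own /var/log/asterisk/full* before relying on the patterns.

```shell
#!/bin/sh
# Added example, not code from the thread or from Elastix/Asterisk.
# Summarise SIP registration activity in an Asterisk "full" log and flag
# successful registrations whose source IP is outside a trusted range.

# Constructed sample log, written to resemble chan_sip messages (assumed format).
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
[May  1 02:10:11] VERBOSE[2345] chan_sip.c:     -- Registered SIP '201' at 192.168.1.25 port 5060
[May  1 02:11:30] NOTICE[2345] chan_sip.c: Registration from '"201" <sip:201@10.0.0.5>' failed for '203.0.113.45' - Wrong password
[May  1 02:11:31] NOTICE[2345] chan_sip.c: Registration from '"201" <sip:201@10.0.0.5>' failed for '203.0.113.45' - Wrong password
[May  1 02:12:02] VERBOSE[2345] chan_sip.c:     -- Registered SIP '201' at 203.0.113.45 port 5060
[May  1 02:13:44] VERBOSE[2345] chan_sip.c:     -- Registered SIP '202' at 192.168.1.26 port 5060
EOF

# Trusted address space: the internal LAN in this constructed example.
TRUSTED='^192\.168\.'

# Print "ip extension" for every successful registration.
successful_registrations() {
    grep -i "Registered SIP" "$1" \
      | sed -n "s/.*Registered SIP '\([^']*\)' at \([0-9.]*\).*/\2 \1/p"
}

# Count failed registration attempts per source IP; password guessing shows up here first.
failed_by_ip() {
    grep -i "failed for" "$1" \
      | sed -n "s/.*failed for '\([0-9.]*\)'.*/\1/p" \
      | sort | uniq -c | sort -rn
}

# Successful registrations from outside the trusted range: the ones to investigate.
unknown_registrations() {
    successful_registrations "$1" | grep -vE "$TRUSTED"
}

echo "== successful registrations (ip extension) =="
successful_registrations "$LOG"
echo "== failed attempts by source IP =="
failed_by_ip "$LOG"
echo "== registrations from outside trusted address space =="
unknown_registrations "$LOG"
```

    In the sample, extension 201 fails twice from 203.0.113.45 and then registers successfully from that address, which is the pattern a guessed extension password leaves behind.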
     
  7. rafael

    Moved this post to the security forum, where it should be posted.
     
