"Comedian Mail" msg. and VMail auth. not working

Discussion in 'General' started by sfeldberg, Jul 23, 2009.

  1. sfeldberg

    Joined:
    Jul 23, 2009
    Messages:
    3
    Likes Received:
    0
    This is a strange one. Let me start by saying I am a newbie at working with Asterisk/Elastix/FreePBX on the admin side. I have inherited a functional system and there have been no changes made in the past few days that I am aware of.

    I went to check my voicemail from my phone this AM and instead of hearing the "Password" greeting I hear "Comedian Mail" and my extension and password combo do not work. I go to my FreePBX VMail portal and try to log in using my extension and password and I get "Invalid username and password". I am thinking WTF did my system get hacked?!

    I was able to get into the Elastix GUI and the FreePBX GUI using the expected passwords and all configurations seemed normal.

    I decided that I would try to restore my system from the nightly FreePBX backup that ran last night. Here is where things get wacky:

    When I do the restore and apply the configuration changes in FreePBX all of the *97 VMail and VMail portal logins are restored. However, there is an Outbound callerID string that we use to allow an external Asterisk system to send the calls out different trunks. The CallerID configuration shows up in the GUI but call traces show that the CallerID is not being appended and the calls are dropped. I have found that deleting and re-creating the CallerID configuration restores the functionality.

    **BUT**

    I have also found that if I make any other changes, in FreePBX or in Elastix GUI, and apply the configuration the *97 VMail goes back to "Comedian Mail" and the portal logins are broken again although those settings have not been touched.

    I am at a loss here and would appreciate any help that this forum would provide.

    Steve
     
  2. Baez

    Joined:
    Aug 9, 2008
    Messages:
    50
    Likes Received:
    0
    Check the voicemail.conf file.
    Maybe it is corrupted and you need to clean it.
     
  3. sfeldberg

    Joined:
    Jul 23, 2009
    Messages:
    3
    Likes Received:
    0
    I have since resolved my issue. As Baez mentioned in his post the problems were caused by the voicemail.conf file. When I would apply a configuration change in either Elastix PBX or FreePBX GUI the voicemail.conf file would be blanked out. I do not know why this is happening. I was able to resolve my issue by restoring the PBX from backup and then manually editing the voicemail.conf file.

    I have since noticed that the text in my e-mail attachments from the Asterisk system has changed. The old message text was:

    SFeldberg-301,

    There is a new voicemail in mailbox 301:

    From: "Unknown" <7278530550>
    Length: 0:13 seconds
    Date: Tuesday, July 14, 2009 at 05:35:41 PM

    Dial *98 to access your voicemail by phone.
    Visit http://vmail.iiscommunications.com/recordings/index.php to check your voicemail with a web browser.

    The new message text is:

    Dear TeamLogic IT 301:

    Just wanted to let you know you were just left a 0:30 long message (number 1) in mailbox 301 from A FLUENT VISION, on Monday, July 27, 2009 at 09:36:51 AM so you might want to check it when you get a chance. Thanks!

    --Asterisk

    So it appears that there were some changes to several voicemail configuration files in the middle of last week. There were no manual updates done and as far as I know the FreePBX modules do not auto-update.

    Can anyone explain how these files could have been changed?

    Steve
     
  4. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    If you know nothing about "Teamlogic it" (apparently a security related company; recently these companies have been under increasing VoIP exploitation attack), and especially if your SIP password for 301 is not particularly strong, then if I were you I would suspect my system might have been compromised.

    I would examine the log files at /var/log/asterisk/full* and /var/log/secure* and /var/log/httpd/* files in detail.

    (perhaps filtered by:

    grep -Hi "registered SIP" /var/log/asterisk/full* | grep -v <your network's first three octets> | less

    and

    cat /var/log/secure* | grep Successful

    (cat /var/log/secure* | grep -i failed | less also, but that's just incredibly tedious when ssh is running on port 22)

    'cos they are usually quite big. The first will identify non-local registrations, the second successful logins to your system. These are not the only exploits to check for (there are literally dozens), but comparing the mtime on the (presumably) modified vm* files to the red flags in the logs (provided the logs have not aged out, 5 days by default) is often forensic; if the IP addresses revealed are not known to you then you are probably screwed!)


    Also, in /etc/asterisk there are the files:

    vm_email.inc
    vm_general.inc

    Normally, unless you have modified them yourself (check the mtime), they would never do that to your notification emails.



    dicko


    p.s.

    These are the ports exposed to the knuckle-draggers from your Elastix Box:

    Discovered open port 22/tcp on 70.x.x.x
    Discovered open port 25/tcp on 70.x.x.x
    Discovered open port 21/tcp on 70.x.x.x
    Discovered open port 443/tcp on 70.x.x.x
    Discovered open port 80/tcp on 70.x.x.x
    Discovered open port 749/tcp on 70.x.x.x
    Discovered open port 111/tcp on 70.x.x.x
    Discovered open port 2000/tcp on 70.x.x.x
    Discovered open port 993/tcp on 70.x.x.x
    Discovered open port 3306/tcp on 70.x.x.x
    Discovered open port 143/tcp on 70.x.x.x
    Discovered open port 110/tcp on 70.x.x.x
    Discovered open port 995/tcp on 70.x.x.x
    Discovered open port 4559/tcp on 70.x.x.x

    PORT STATE SERVICE
    21/tcp open ftp
    22/tcp open ssh
    25/tcp open smtp
    80/tcp open http
    110/tcp open pop3
    111/tcp open rpcbind
    143/tcp open imap
    443/tcp open https
    749/tcp open kerberos-adm
    993/tcp open imaps
    995/tcp open pop3s
    2000/tcp open callbook
    3306/tcp open mysql
    4559/tcp open hylafax


    I suggest that is more than you wanted to expose to everybody from China to Latvia (and me too!)
    Further, I suggest you edit your previous posts to reduce the risk from this point on; these guys might be knuckle-draggers, but the guys who wrote the scripts they use are NOT STUPID!!

    As a warning to all, be very careful what you post here to identify your boxes, and NEVER, EVER put your Elastix box in the DMZ, by default it is far too insecure to be out there without an effective firewall.

    JM2CW as ever
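A scripted version of the three checks dicko lists (non-local SIP registrations, successful logins, and mtimes on the vm* files), as an added example that is not from the original thread. The log excerpts, files and timestamps are constructed for the demo, and a temp directory stands in for /var/log and /etc/asterisk; the login check matches sshd's "Accepted password"/"Accepted publickey" lines rather than the "Successful" string in the post.

```shell
#!/bin/sh
# Added example, not from the original thread: scripted triage for the checks dicko
# describes. Everything below is CONSTRUCTED for the demo; in practice point the
# functions at /var/log/asterisk/full*, /var/log/secure* and /etc/asterisk.

WORK=$(mktemp -d)   # stand-in for /var/log and /etc/asterisk; left in place for inspection

# Constructed excerpt in the style of /var/log/asterisk/full.
cat > "$WORK/full" <<'EOF'
[Jul 22 09:01:12] VERBOSE[2311] chan_sip.c: -- Registered SIP '301' at 192.168.1.45:5060
[Jul 22 23:14:03] VERBOSE[2311] chan_sip.c: -- Registered SIP '301' at 203.0.113.77:5060
[Jul 23 07:30:55] VERBOSE[2311] chan_sip.c: -- Registered SIP '302' at 192.168.1.46:5060
EOF

# Constructed excerpt in the style of /var/log/secure (sshd lines).
cat > "$WORK/secure" <<'EOF'
Jul 22 23:15:40 pbx sshd[4412]: Failed password for root from 203.0.113.77 port 51022 ssh2
Jul 22 23:16:02 pbx sshd[4415]: Accepted password for root from 203.0.113.77 port 51030 ssh2
Jul 23 08:00:11 pbx sshd[4501]: Accepted publickey for admin from 192.168.1.10 port 50100 ssh2
EOF

# Constructed /etc/asterisk stand-in: one file untouched, one changed after the reference point.
mkdir "$WORK/asterisk"
touch -t 200907010000 "$WORK/asterisk/vm_general.inc"
touch -t 200907220000 "$WORK/asterisk/vm_email.inc"
touch -t 200907150000 "$WORK/known_good"   # last time the notification mails looked normal

# SIP registrations whose source is outside the local prefix ($2, e.g. "192.168.1.").
nonlocal_registrations() {
    grep -i "registered SIP" "$1" | grep -v "$2"
}

# Successful SSH logins; sshd logs these as "Accepted password"/"Accepted publickey".
successful_logins() {
    grep -E "Accepted (password|publickey)" "$1"
}

# Files under $1 with an mtime newer than the reference file $2.
modified_since() {
    find "$1" -type f -newer "$2"
}

echo "== SIP registrations from outside 192.168.1.0/24 =="
nonlocal_registrations "$WORK/full" "192.168.1."
echo "== successful SSH logins =="
successful_logins "$WORK/secure"
echo "== vm* files changed since the last known-good point =="
modified_since "$WORK/asterisk" "$WORK/known_good"
```

Against real logs, run the registration check over every rotated full* file, since the rotation window is what limits how far back the red flags can be traced.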
     
  5. sfeldberg

    Joined:
    Jul 23, 2009
    Messages:
    3
    Likes Received:
    0
    Baez,

    Thank you for pointing that out. Can you recommend a document that details how to disable unused services and/or lock down the open ports?

    Steve
     