"Comedian Mail" msg. and VMail auth. not working

sfeldberg

#1
This is a strange one. Let me start by saying I am a newbie at working with Asterisk/Elastix/FreePBX on the admin side. I have inherited a functional system and there have been no changes made in the past few days that I am aware of.

I went to check my voicemail from my phone this AM and instead of hearing the "Password" greeting I hear "Comedian Mail" and my extension and password combo do not work. I go to my FreePBX VMail portal and try to log in using my extension and password and I get "Invalid username and password". I am thinking WTF did my system get hacked?!

I was able to get into the Elastix GUI and the FreePBX GUI using the expected passwords and all configurations seemed normal.

I decided that I would try to restore my system from the nightly FreePBX backup that ran last night. Here is where things get wacky:

When I do the restore and apply the configuration changes in FreePBX all of the *97 VMail and VMail portal logins are restored. However, there is an Outbound callerID string that we use to allow an external Asterisk system to send the calls out different trunks. The CallerID configuration shows up in the GUI but call traces show that the CallerID is not being appended and the calls are dropped. I have found that deleting and re-creating the CallerID configuration restores the functionality.

**BUT**

I have also found that if I make any other changes, in FreePBX or in the Elastix GUI, and apply the configuration, the *97 VMail goes back to "Comedian Mail" and the portal logins are broken again, although those settings have not been touched.

I am at a loss here and would appreciate any help that this forum would provide.

Steve
 

Baez

#2
Check the voicemail.conf file.
Maybe it is corrupted and you need to clean it.
 

sfeldberg

#3
I have since resolved my issue. As Baez mentioned in his post the problems were caused by the voicemail.conf file. When I would apply a configuration change in either Elastix PBX or FreePBX GUI the voicemail.conf file would be blanked out. I do not know why this is happening. I was able to resolve my issue by restoring the PBX from backup and then manually editing the voicemail.conf file.

I have since noticed that the text in my e-mail attachments from the Asterisk system has changed. The old message text was:

SFeldberg-301,

There is a new voicemail in mailbox 301:

From: "Unknown" <7278530550>
Length: 0:13 seconds
Date: Tuesday, July 14, 2009 at 05:35:41 PM

Dial *98 to access your voicemail by phone.
Visit http://vmail.iiscommunications.com/recordings/index.php to check your voicemail with a web browser.

The new message text is:

Dear TeamLogic IT 301:

Just wanted to let you know you were just left a 0:30 long message (number 1) in mailbox 301 from A FLUENT VISION, on Monday, July 27, 2009 at 09:36:51 AM so you might want to check it when you get a chance. Thanks!

--Asterisk

So it appears that there were some changes to several voicemail configuration files in the middle of last week. There were no manual updates done and as far as I know the FreePBX modules do not auto-update.

Can anyone explain how these files could have been changed?

Steve
 

dicko

#4
If you know nothing about "Teamlogic it" (apparently a security-related company; recently these companies have been under increasing VoIP exploitation attack), and especially if your SIP password for 301 is not particularly strong, then if I were you I would suspect my system might have been compromised.

I would examine the log files at /var/log/asterisk/full* and /var/log/secure* and /var/log/httpd/* files in detail.

(perhaps filtered by:

grep -Hi "registered SIP" /var/log/asterisk/full* | grep -v <your network's first three octets> | less

and

grep Successful /var/log/secure*

(grep -i failed /var/log/secure* | less as well, but that's just incredibly tedious when ssh is running on port 22)

because they are usually quite big. The first will identify non-local registrations, the second successful logins to your system. These are not the only exploits to check for (there are literally dozens), but comparing the mtime on the (presumably) modified vm* files to the red flags in the logs (provided the logs have not aged out; 5 days by default) is often forensic. If the IP addresses revealed are not known to you then you are probably screwed!)


Also in /etc/asterisk there are the files:

vm_email.inc
vm_general.inc

Normally, unless you have otherwise modified them (check the mtime), they would never do that to your notification emails.



dicko


p.s.

These are the ports exposed to the knuckle-draggers from your Elastix Box:

Discovered open port 22/tcp on 70.x.x.x
Discovered open port 25/tcp on 70.x.x.x
Discovered open port 21/tcp on 70.x.x.x
Discovered open port 443/tcp on 70.x.x.x
Discovered open port 80/tcp on 70.x.x.x
Discovered open port 749/tcp on 70.x.x.x
Discovered open port 111/tcp on 70.x.x.x
Discovered open port 2000/tcp on 70.x.x.x
Discovered open port 993/tcp on 70.x.x.x
Discovered open port 3306/tcp on 70.x.x.x
Discovered open port 143/tcp on 70.x.x.x
Discovered open port 110/tcp on 70.x.x.x
Discovered open port 995/tcp on 70.x.x.x
Discovered open port 4559/tcp on 70.x.x.x

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
749/tcp open kerberos-adm
993/tcp open imaps
995/tcp open pop3s
2000/tcp open callbook
3306/tcp open mysql
4559/tcp open hylafax


I suggest that is more than you wanted to expose to everybody from China to Latvia (and me too!)
Further I suggest you edit your previous posts to reduce the risk from this point on, these guys might be knuckle-draggers, but the guys who wrote the scripts they use are NOT STUPID!!

As a warning to all, be very careful what you post here to identify your boxes, and NEVER, EVER put your Elastix box in the DMZ, by default it is far too insecure to be out there without an effective firewall.

JM2CW as ever
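The log-versus-mtime check dicko describes, written out as an added example (not code from the thread, from Elastix or from FreePBX). It pulls "Registered SIP" lines out of Asterisk's full log and successful sshd logins out of /var/log/secure, drops anything sourced from a trusted CIDR, and flags the remaining events that fall in a window before the mtime of the modified voicemail file. Everything in it is constructed: the sample log lines, the 192.168.1.0/24 "LAN", the 203.0.113.x and 198.51.100.x outside hosts, and the mtime value. It also assumes OpenSSH's "Accepted password for" wording for successful logins, which is what CentOS writes to /var/log/secure (dicko's grep keys on "Successful"; check which string your box actually logs).

```python
"""Correlate Asterisk/sshd log red flags with a voicemail file's mtime.

Added example for the procedure described in the post above. All sample
data is constructed and stands in for the poster's real logs.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed lines in the style of /var/log/asterisk/full (Asterisk 1.4-era
# chan_sip verbose output). 192.168.1.0/24 plays the local LAN; the
# 203.0.113.x / 198.51.100.x documentation ranges stand in for unknown hosts.
ASTERISK_FULL = """\
[Jul 15 10:00:00] VERBOSE[2201] logger.c:     -- Registered SIP '303' at 198.51.100.200 port 5060 expires 120
[Jul 21 09:00:12] VERBOSE[2201] logger.c:     -- Registered SIP '301' at 192.168.1.50 port 5060 expires 120
[Jul 21 23:41:07] VERBOSE[2201] logger.c:     -- Registered SIP '301' at 203.0.113.77 port 5062 expires 3600
[Jul 22 02:58:30] VERBOSE[2201] logger.c:     -- Registered SIP '302' at 192.168.1.51 port 5060 expires 120
[Jul 22 03:02:14] NOTICE[2201] chan_sip.c: Registration from '"301"<sip:301@pbx>' failed for '198.51.100.9' - Wrong password
"""

# Constructed lines in the style of /var/log/secure on CentOS. Assumption:
# OpenSSH logs a successful login as "Accepted <method> for <user> from <ip>".
SECURE_LOG = """\
Jul 20 08:15:02 pbx sshd[4410]: Accepted password for root from 192.168.1.20 port 50122 ssh2
Jul 22 03:05:10 pbx sshd[5120]: Failed password for root from 198.51.100.9 port 41230 ssh2
Jul 22 03:05:41 pbx sshd[5123]: Accepted password for root from 198.51.100.9 port 41234 ssh2
"""

SIP_REG = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\].*Registered SIP '(?P<who>[^']+)'"
    r" at (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
SSH_OK = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \S+ for"
    r" (?P<who>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def _syslog_time(stamp, year):
    """syslog stamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")


def parse_events(text, pattern, kind, year):
    """Return (time, kind, who, ip) for every line that matches pattern."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            events.append((_syslog_time(m["ts"], year), kind, m["who"],
                           ipaddress.ip_address(m["ip"])))
    return events


def foreign(events, trusted_nets):
    """Keep events whose source lies outside every trusted network.

    A CIDR test rather than a first-three-octets string match, so a /16 LAN
    or a second trusted subnet can be expressed exactly.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    return [e for e in events if not any(e[3] in n for n in nets)]


def near_mtime(events, mtime, window):
    """Events that happened within `window` before the file was modified."""
    return [e for e in events if mtime - window <= e[0] <= mtime]


def analyze(asterisk_text, secure_text, trusted_nets, mtime, year,
            window=timedelta(hours=24)):
    events = parse_events(asterisk_text, SIP_REG, "sip-register", year)
    events += parse_events(secure_text, SSH_OK, "ssh-login", year)
    suspects = sorted(foreign(events, trusted_nets))
    return {"foreign": suspects, "near_mtime": near_mtime(suspects, mtime, window)}


# Constructed stand-in for the mtime of /etc/asterisk/vm_email.inc; on a real
# box use datetime.fromtimestamp(os.stat(path).st_mtime).
DEMO_MTIME = datetime(2009, 7, 22, 3, 8, 55)


def demo():
    return analyze(ASTERISK_FULL, SECURE_LOG, ["192.168.1.0/24"], DEMO_MTIME, 2009)


if __name__ == "__main__":
    result = demo()
    for event in result["foreign"]:
        flag = "*" if event in result["near_mtime"] else " "
        when, kind, who, ip = event
        print(f"{flag} {when} {kind:13} {who:6} {ip}")
```

On the constructed data the starred lines are the 203.0.113.77 registration of extension 301 the night before the file changed and the root login from 198.51.100.9 a few minutes before the mtime; the older 198.51.100.200 registration is foreign but outside the window. Widen `window` if your logs have not yet aged out, and feed it the real files with `open('/var/log/asterisk/full').read()` and a year, since syslog lines do not carry one.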
 

sfeldberg

#5
Baez,

Thank you for pointing that out. Can you recommend a document that details how to disable unused services and/or lock down the open ports?

Steve
 
