got hacked today

Discussion in 'General' started by scristopher, Sep 16, 2009.

  1. scristopher

    Joined:
    Jul 30, 2009
    Messages:
    25
    Likes Received:
    0
    Not sure how it happened, but I think it started around noon today. I called home to check my voicemails and got a message asking for banking info, debit card numbers, etc. I panicked, to say the least, logged into Asterisk and saw an extension registering which I had not configured. I killed the extension and the requests kept coming in. I started tracking down the IP, and from there I got caught up in talking to the ISP that owned it; they wouldn't do anything about it for me, so I emailed the abuse department with the info and included the debug in the email. Not sure what happened at this point; just going
    over the logs I can see no one has actually logged in to the server other than myself, in either SSH or the web GUI. Not sure where else to look; if someone could help me out I would greatly appreciate it. I have done an update through yum since and have changed all passwords. I would like to ensure that this doesn't happen again, seriously...


    Also, the phone didn't even ring; it just went to that auto attendant asking for banking info.
    Not what I had set up, for sure.
     
  2. donhwyo

    Joined:
    Aug 8, 2008
    Messages:
    293
    Likes Received:
    0
    I would look at your SIP service provider's logs and see if you are using huge amounts of calls now. They may have gotten your account details and set them up on their servers. Might as well change these passwords too if you didn't already.

    Just out of curiosity what security setting do you have in place? How long did it take for your machine to be compromised? Any other details.

    Good luck,
    Don
     
  3. scristopher

    Joined:
    Jul 30, 2009
    Messages:
    25
    Likes Received:
    0
    I work for my service provider; we use IP access lists to use our trunks. There has been no huge amount of calls. I've had this system running for at least 3 months; before, I was using Trixbox, then I made the switch about 3 months ago. I'm not sure what security settings you're asking about; I rely on iptables mostly and just installed fail2ban.


    ---Also, apparently this is linked to some other scam going on, where whoever is running this is sending mass text messages out to cell phones telling people that their debit card has been canceled and to call my number to reactivate it. I talked to a woman who called here about it, and she says she has received two of these messages; the other one had a California number to call.
     
  4. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Been there, done that. It sucks!

    What version of Asterisk are you running?

    Do you allow anonymous SIP connections?

    Do you have strong passwords?

    Do you have

    alwaysauthreject=yes

    in one of your sip*.conf files?

    These SMSes refer to one of your numbers?
     
  5. scristopher

    Joined:
    Jul 30, 2009
    Messages:
    25
    Likes Received:
    0
    Asterisk 1.4.26.1

    "Allow Anonymous Inbound SIP Calls?" is set to yes, but if I turn it to no, phones will not ring?

    I do have six-digit passwords.

    Not sure about alwaysauthreject=yes; I will have to check that.

    I can confirm, from the amount of calls coming in, that these SMS messages to these people have my number referenced as the number to call to reactivate their debit or credit cards.
    This was also going on yesterday using a California number, according to people that received two messages two days in a row.
     
  6. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    1.4.26.1 + alwaysauthreject=yes = "a good thing (albeit strictly SIP non-compliant)"

    Use UC/LC letters in your secrets; 10^6 is a lot less than 36^6.

    Allow anonymous is only useful for SIP peer-to-peer connections (ENUM etc.; your "registered" inbound trunks are not anonymous) but comes with great risk. Either way, you should have a catch-all that "hangs up" calls to unknown destinations for added protection. (Real DIDs of course get through, but apparently you have been compromised, both locally and globally; the global thing REALLY sucks.)

    Look into allow/deny <IP NETWORK> in your sip.conf files (be careful of any external DHCP registrations (cable/DSL)).

    (Don't forget to configure fail2ban to email you or you lose some of its immediacy; it also informs you of local "operator error/stumble fingers" for legit extensions.)
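The reply above is a checklist: alwaysauthreject=yes in [general], no anonymous (guest) SIP, secrets that are not six digits, and allow/deny per peer. As an added example that is not part of dicko's post or of Elastix/FreePBX itself, the shell script below audits a sip.conf for exactly those items and reports what it finds without changing anything. The sip.conf it reads is a constructed sample embedded in the script (RFC 5737 addresses, made-up peer names and secrets); `allowguest` is the raw sip.conf key behind FreePBX's "Allow Anonymous Inbound SIP Calls", and the 8-character threshold is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: report weak sip.conf settings.
# Each check reads sip.conf text on stdin. The sample below is constructed
# (RFC 5737 addresses); peer names and secrets are made up.

sample_sip_conf() {
cat <<'EOF'
[general]
context=from-sip-external
bindport=5060
allowguest=yes

[300]
type=friend
secret=123456
host=dynamic
context=from-internal

[301]
type=friend
secret=Kq7x!pR2vLm9
host=dynamic
context=from-internal
deny=0.0.0.0/0.0.0.0
permit=203.0.113.0/255.255.255.0

[pstn-trunk]
type=peer
host=198.51.100.10
context=from-trunk
EOF
}

# [general] checks. Asterisk 1.4 defaults are alwaysauthreject=no and
# allowguest=yes, so a missing key is reported the same as a bad value.
general_findings() {
  awk -F= '
    /^\[/                                         { sec = $0; next }
    sec == "[general]" && $1 == "alwaysauthreject" { aar = $2 }
    sec == "[general]" && $1 == "allowguest"       { guest = $2 }
    END {
      if (aar != "yes") print "alwaysauthreject: not yes; unknown users and wrong passwords get different replies (username enumeration)"
      if (guest != "no") print "allowguest: not no; unauthenticated INVITEs reach the dialplan"
    }'
}

# "peer secret" for every section with a secret= line (value is cut at the
# first =, so a secret containing = would be truncated here).
peer_secrets() {
  awk -F= '
    /^\[/          { sec = $0; sub(/^\[/, "", sec); sub(/\]$/, "", sec); next }
    $1 == "secret" { print sec, $2 }'
}

# Peers whose secret is all digits (10^n keyspace) or shorter than 8 chars.
weak_secrets() {
  peer_secrets | awk '$2 ~ /^[0-9]+$/ || length($2) < 8 { print $1 }'
}

# host=dynamic peers with no permit= line: registrable from any address.
unrestricted_dynamic_peers() {
  awk -F= '
    function report_section() { if (dyn && !acl) print sec; dyn = 0; acl = 0 }
    /^\[/ { report_section(); sec = $0; sub(/^\[/, "", sec); sub(/\]$/, "", sec); next }
    $1 == "host" && $2 == "dynamic" { dyn = 1 }
    $1 == "permit"                  { acl = 1 }
    END { report_section() }'
}

echo "== [general] =="
sample_sip_conf | general_findings
echo "== weak secrets (peer) =="
sample_sip_conf | weak_secrets
echo "== dynamic peers without permit= =="
sample_sip_conf | unrestricted_dynamic_peers
```

Run it against a real file with `general_findings < /etc/asterisk/sip.conf` (and the other two checks the same way); on an Elastix/FreePBX box the peer sections live in sip_additional.conf, so concatenate the included files first. On the sample, peer 300 is flagged twice (numeric six-digit secret, and dynamic with no permit=), peer 301 passes both, and [general] produces both findings.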
     
  7. donhwyo

    Joined:
    Aug 8, 2008
    Messages:
    293
    Likes Received:
    0
    This sounds wrong to me. Do you know the IPs of the host computers and have them set in your trunks? Any ideas, Dicko?

    Don
     
  8. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Start with (from bash):
    rasterisk -x 'sip show peers'|awk '{print $2,"-", $1}'|grep '\.'|sort -n|less

    perhaps

    rasterisk -x 'sip show peers'|awk '{print $2}'|grep '\.'|sort |uniq

    for just a list of IPs; the knuckle draggers should stand out.
     
  9. scristopher

    Joined:
    Jul 30, 2009
    Messages:
    25
    Likes Received:
    0
    The IPs are dynamic for my phones and are all on separate ISPs; the PBX is colocated.
     
  10. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    The original content of your previous post identified an apparent Windows machine. There is an HTTPS server running on that machine that offers a certificate issued by GoDaddy, thusly:

    The certificate is only valid for the following names:


    mail.hc1st.com and www.mail.hc1st.com

    I suggest that you ask your ISP to add them to their deny list.


    HealthcareFirst would probably be much more responsive to your complaints, given the current HIPAA legislation. In fact, given that their network is "rogue", or at least that their SSL certificate is "in the wild" and published on a compromised host (x.x.x.167), apparently their mail server, they SHOULD rightly have a shit fit.

    I suggest that you document it all and send it to them.
     
  11. scristopher

    Joined:
    Jul 30, 2009
    Messages:
    25
    Likes Received:
    0
    dicko

    Not sure what you mean about the content of my previous post...
    Would you mean the content I posted and deleted because I realized that I was giving the wrong info for the question asked? Sorry, I'm just not sure... This is the content that I originally posted (IPs and phone numbers omitted except for the guilty ones):

    [Sep 15 14:37:55] VERBOSE[2776] logger.c:
    <--- SIP read from 65.51.167.167:5060 ---> <--this guy
    SIP/2.0 200 OK
    Via: SIP/2.0/UDP 12.34.56.78:5060;branch=z9hG4bK78e56e18;rport
    To: <sip:300@192.168.30.102:5060>
    From: "Unknown" <sip:Unknown@12.34.56.78>;tag=as3915049f
    Call-ID: 3794c55028a3167c76c145cb1abf6cb0@12.34.56.78
    CSeq: 102 OPTIONS
    User-Agent: NCH Swift Sound IVM Answering Attendant 4.02
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY
    Accept: application/sdp
    Supported: replaces
    Content-Type: application/sdp
    Content-Length: 337
     
  12. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
  13. tecnoclic

    Joined:
    Jun 12, 2009
    Messages:
    29
    Likes Received:
    0
    Hi to all.
    I have another solution, for newbies like me:
    1- Activate the router firewall
    2- Install OpenVPN
    3- Configure OpenVPN to allow only your LAN's IPs
    4- Configure your sshd to allow only your LAN's IPs
    5- Change your root password (avoid short ones) frequently, using UC/LC as dicko said.

    By the way, I have a question:
    I have an Elastix server and a VPN server. How could anybody know my fixed (static) IP address? I never published it (of course) on any web page, mail or similar. Perhaps the server has a broadcast service to publish its public IP???
    I say it because suddenly someone has tried (almost 800 times) to log in to my VPN server using, I think, some robot + dictionary.
     
  14. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    No, it's more casual than that: they just write a script that tries to connect on the port of interest, perhaps TCP/22 or UDP/5060 or UDP/1194 for OpenVPN (change that default, maybe?), and scan the network. VPN or otherwise, protect your services; changing the SSH port from 22 and disallowing root login (or denying password login at all and installing keys) will dramatically reduce the "drive-bys" that perhaps you noticed. Setting up fail2ban or OSSEC will dynamically deny noticed unacceptable behavior automatically, but you have to tune both to your particular needs.

    nmap -v <your-network-address>/<your-subnet-mask>

    from the outside will quickly scan your network for open ports; if a hit is gotten, then the scrutiny is likely to become more intense.
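The "dynamically deny noticed unacceptable behavior" that fail2ban or OSSEC provide (also recommended in dicko's earlier reply) comes down to counting failures per source address and blocking the sources that cross a threshold. As an added example that is not from the thread, from fail2ban or from Asterisk, the script below does that over the chan_sip NOTICE lines Asterisk 1.4 writes for failed registrations, the same lines fail2ban's asterisk filter keys on. The log lines are constructed and use RFC 5737 addresses; the threshold of 3 and the iptables rule it prints (prints, does not apply) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: per-source count of failed SIP
# registrations in an Asterisk 1.4 log, and the sources over a threshold.
# The log lines below are constructed; the addresses are RFC 5737 examples.

sample_log() {
cat <<'EOF'
[Sep 16 12:01:03] NOTICE[2776] chan_sip.c: Registration from '"300" <sip:300@192.168.30.102>' failed for '203.0.113.45' - Wrong password
[Sep 16 12:01:04] NOTICE[2776] chan_sip.c: Registration from '"301" <sip:301@192.168.30.102>' failed for '203.0.113.45' - Wrong password
[Sep 16 12:01:04] NOTICE[2776] chan_sip.c: Registration from '"302" <sip:302@192.168.30.102>' failed for '203.0.113.45' - No matching peer found
[Sep 16 12:01:05] NOTICE[2776] chan_sip.c: Registration from '"200" <sip:200@192.168.30.102>' failed for '198.51.100.7' - Wrong password
[Sep 16 12:01:09] NOTICE[2776] chan_sip.c: Registration from '"303" <sip:303@192.168.30.102>' failed for '203.0.113.45' - Wrong password
[Sep 16 12:02:10] VERBOSE[2776] logger.c:     -- Registered SIP '200' at 198.51.100.7 port 5060 expires 120
EOF
}

# Emit "count ip", most frequent first. Newer Asterisk releases append
# ":port" to the address; it is stripped so the rule fits either format.
failed_by_ip() {
  sed -n "s/.*Registration from .* failed for '\([0-9.]*\)\(:[0-9]*\)\{0,1\}'.*/\1/p" |
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Sources with at least $1 failures (fail2ban's maxretry decision). One
# mistyped password from a legitimate phone stays below the threshold.
offenders() {
  failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# The block rule for each offender, printed rather than applied.
ban_rules() {
  offenders "$1" | while read -r ip; do
    printf 'iptables -I INPUT -s %s -p udp --dport 5060 -j DROP\n' "$ip"
  done
}

echo "== failures per source =="
sample_log | failed_by_ip
echo "== rules for sources with >= 3 failures =="
sample_log | ban_rules 3
```

Against a live box, replace `sample_log` with `tail -n 5000 /var/log/asterisk/messages` (or `full`); the single failure from 198.51.100.7 in the sample is the "stumble fingers" case and is not blocked, while 203.0.113.45, with four failures across four extension names, is. Note that one missing piece versus fail2ban is time: this counts over the whole input rather than a sliding window, so feed it a bounded tail.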
     
  15. Patrick_elx

    Joined:
    Dec 14, 2008
    Messages:
    1,120
    Likes Received:
    0
    In my case I'm even blocking password login, only certificate authentication.

    (To see how, read chapter 7 there: http://wiki.centos.org/HowTos/Network/SecuringSSH)
     
  16. samv

    Joined:
    Jan 22, 2010
    Messages:
    54
    Likes Received:
    0
    Hi Everyone,

    I am using Shorewall. Why don't you guys use Shorewall? It's very easy to set up and easy to understand. However you want to protect your system, you can make it easy. I also used hosts control to control the IPs that I allow to connect to my system. I also changed the default port 443 to 10000, and used port 443 for my OpenVPN. I even allow only the IPs I want to browse my first page. In Asterisk I also created one fake context for international calls. When a hacker tries to make an international call from my system, it will fall into the fake context. Then the call will end without going anywhere.

    Thanks,

    Sam
     
  17. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    I'm glad it works for you.

    Please use anything that works; it is a network thing, not an Elastix thing.

    (It's your personal solution for iptables, nothing else. Thank you for sharing, but maybe not for everyone; iptables works fine without it.)
     
