Security issue (PLEASE HELP)

Discussion in 'General' started by Dante78, Apr 11, 2011.

  1. Dante78

    Joined:
    Jan 16, 2010
    Messages:
    7
    Likes Received:
    0
    Hello everyone

    I have the following situation: on my Elastix server I have 2 trunks (one with the phone number and the other one smsdiscount.com, which is forwarding unanswered extension calls to a mobile device). The Elastix server is totally firewalled and visible only from specific IPs (those 2 trunks and my office internet IP range).

    This weekend (for the 4th time) my smsdiscount.com credit vanished on calls that weren't made by me:

    2011-04-09 13:48:54 +85048922095 00:00:09 € 0.350
    2011-04-09 13:47:47 +6776389252 00:00:10 € 0.300
    2011-04-09 13:47:26 +6757723073 00:00:17 € 0.380
    2011-04-09 13:46:56 +5926568011 00:00:13 € 0.190
    2011-04-09 13:45:40 +34601001371 00:00:23 € 0.060
    2011-04-09 13:44:39 +261229800216 00:00:16 € 0.220
    2011-04-09 13:41:55 +18696655065 00:00:07 € 0.990

    The situation gets even odder, since in my Asterisk logs I have the following verbose output at exactly the same hour and minute (above you have the Germany timeline, below is my country's timeline in the logs, which is 1 hour ahead of the smsdiscount server time):

    Apr 9 14:40:01 VERBOSE [3003] logger.c:
    -- Remote UNIX connection
    Apr 9 14:40:02 VERBOSE [21029] logger.c:
    -- Remote UNIX connection disconnected
    Apr 9 14:40:22 VERBOSE [21108] logger.c:
    == Parsing '/etc/asterisk/manager.conf': [Apr 9 14:40:22] VERBOSE[21108] logger.c: Found
    Apr 9 14:40:22 VERBOSE [21108] logger.c:
    == Parsing '/etc/asterisk/manager_additional.conf': [Apr 9 14:40:22] VERBOSE[21108] logger.c: Found
    Apr 9 14:40:22 VERBOSE [21108] logger.c:
    == Parsing '/etc/asterisk/manager_custom.conf': [Apr 9 14:40:22] VERBOSE[21108] logger.c: Found
    Apr 9 14:40:22 VERBOSE [21108] logger.c:
    == Manager 'admin' logged on from 127.0.0.1
    Apr 9 14:40:22 VERBOSE [21108] logger.c:
    == Manager 'admin' logged off from 127.0.0.1
    Apr 9 14:40:32 VERBOSE [21138] logger.c:
    == Parsing '/etc/asterisk/manager.conf': [Apr 9 14:40:32] VERBOSE[21138] logger.c: Found
    Apr 9 14:40:32 VERBOSE [21138] logger.c:
    == Parsing '/etc/asterisk/manager_additional.conf': [Apr 9 14:40:32] VERBOSE[21138] logger.c: Found
    Apr 9 14:40:32 VERBOSE [21138] logger.c:
    == Parsing '/etc/asterisk/manager_custom.conf': [Apr 9 14:40:32] VERBOSE[21138] logger.c: Found
    Apr 9 14:40:32 VERBOSE [21138] logger.c:
    == Manager 'admin' logged on from 127.0.0.1
    Apr 9 14:40:34 VERBOSE [21138] logger.c:
    == Manager 'admin' logged off from 127.0.0.1
    Apr 9 14:40:40 VERBOSE [21156] logger.c:
    == Parsing '/etc/asterisk/manager.conf': [Apr 9 14:40:40] VERBOSE[21156] logger.c: Found
    Apr 9 14:40:40 VERBOSE [21156] logger.c:
    == Parsing '/etc/asterisk/manager_additional.conf': [Apr 9 14:40:40] VERBOSE[21156] logger.c: Found
    Apr 9 14:40:40 VERBOSE [21156] logger.c:
    == Parsing '/etc/asterisk/manager_custom.conf': [Apr 9 14:40:40] VERBOSE[21156] logger.c: Found
    Apr 9 14:40:40 VERBOSE [21156] logger.c:
    == Manager 'admin' logged on from 127.0.0.1
    Apr 9 14:40:41 VERBOSE [21156] logger.c:
    == Manager 'admin' logged off from 127.0.0.1
    Apr 9 14:40:44 VERBOSE [21167] logger.c:
    == Parsing '/etc/asterisk/manager.conf': [Apr 9 14:40:44] VERBOSE[21167] logger.c: Found
    Apr 9 14:40:44 VERBOSE [21167] logger.c:
    == Parsing '/etc/asterisk/manager_additional.conf': [Apr 9 14:40:44] VERBOSE[21167] logger.c: Found
    Apr 9 14:40:44 VERBOSE [21167] logger.c:
    == Parsing '/etc/asterisk/manager_custom.conf': [Apr 9 14:40:44] VERBOSE[21167] logger.c: Found
    Apr 9 14:40:44 VERBOSE [21167] logger.c:
    == Manager 'admin' logged on from 127.0.0.1
    Apr 9 14:40:46 VERBOSE [21167] logger.c:
    == Manager 'admin' logged off from 127.0.0.1
    Apr 9 14:45:01 VERBOSE [3003] logger.c:
    -- Remote UNIX connection
    Apr 9 14:45:02 VERBOSE [22021] logger.c:
    -- Remote UNIX connection disconnected
    Apr 9 14:49:40 VERBOSE [22864] logger.c:
    == Parsing '/etc/asterisk/manager.conf': [Apr 9 14:49:40] VERBOSE[22864] logger.c: Found
    Apr 9 14:49:40 VERBOSE [22864] logger.c:
    == Parsing '/etc/asterisk/manager_additional.conf': [Apr 9 14:49:40] VERBOSE[22864] logger.c: Found
    Apr 9 14:49:40 VERBOSE [22864] logger.c:
    == Parsing '/etc/asterisk/manager_custom.conf': [Apr 9 14:49:40] VERBOSE[22864] logger.c: Found
    Apr 9 14:49:40 VERBOSE [22864] logger.c:
    == Manager 'admin' logged on from 127.0.0.1
    Apr 9 14:49:42 VERBOSE [22864] logger.c:
    == Manager 'admin' logged off from 127.0.0.1
    Apr 9 14:50:02 VERBOSE [3003] logger.c:
    -- Remote UNIX connection
    Apr 9 14:50:02 VERBOSE [22926] logger.c:
    -- Remote UNIX connection disconnected
    Apr 9 14:50:41 VERBOSE [23124] logger.c:
    == Parsing '/etc/asterisk/manager.conf': [Apr 9 14:50:41] VERBOSE[23124] logger.c: Found
    Apr 9 14:50:41 VERBOSE [23124] logger.c:
    == Parsing '/etc/asterisk/manager_additional.conf': [Apr 9 14:50:41] VERBOSE[23124] logger.c: Found
    Apr 9 14:50:41 VERBOSE [23124] logger.c:
    == Parsing '/etc/asterisk/manager_custom.conf': [Apr 9 14:50:41] VERBOSE[23124] logger.c: Found
    Apr 9 14:50:41 VERBOSE [23124] logger.c:
    == Manager 'admin' logged on from 127.0.0.1
    Apr 9 14:50:42 VERBOSE [23124] logger.c:
    == Manager 'admin' logged off from 127.0.0.1
    Apr 9 14:50:47 VERBOSE [23147] logger.c:
    == Parsing '/etc/asterisk/manager.conf': [Apr 9 14:50:47] VERBOSE[23147] logger.c: Found
    Apr 9 14:50:47 VERBOSE [23147] logger.c:
    == Parsing '/etc/asterisk/manager_additional.conf': [Apr 9 14:50:47] VERBOSE[23147] logger.c: Found
    Apr 9 14:50:47 VERBOSE [23147] logger.c:
    == Parsing '/etc/asterisk/manager_custom.conf': [Apr 9 14:50:47] VERBOSE[23147] logger.c: Found
    Apr 9 14:50:47 VERBOSE [23147] logger.c:
    == Manager 'admin' logged on from 127.0.0.1
    Apr 9 14:50:48 VERBOSE [23147] logger.c:
    == Manager 'admin' logged off from 127.0.0.1
    Apr 9 14:55:01 VERBOSE [3003] logger.c:
    -- Remote UNIX connection
    Apr 9 14:55:02 VERBOSE [23961] logger.c:
    -- Remote UNIX connection disconnected
    Apr 9 14:55:28 VERBOSE [24049] logger.c:
    == Parsing '/etc/asterisk/manager.conf': [Apr 9 14:55:28] VERBOSE[24049] logger.c: Found
    Apr 9 14:55:28 VERBOSE [24049] logger.c:
    == Parsing '/etc/asterisk/manager_additional.conf': [Apr 9 14:55:28] VERBOSE[24049] logger.c: Found
    Apr 9 14:55:28 VERBOSE [24049] logger.c:
    == Parsing '/etc/asterisk/manager_custom.conf': [Apr 9 14:55:28] VERBOSE[24049] logger.c: Found
    Apr 9 14:55:28 VERBOSE [24049] logger.c:
    == Manager 'admin' logged on from 127.0.0.1
    Apr 9 14:55:28 VERBOSE [24049] logger.c:
    == Manager 'admin' logged off from 127.0.0.1
    Apr 9 15:00:01 VERBOSE [3003] logger.c:
    -- Remote UNIX connection
    Apr 9 15:00:02 VERBOSE [24950] logger.c:
    -- Remote UNIX connection disconnected
    Apr 9 15:05:01 VERBOSE [3003] logger.c:

    The rest of the time I have only logs like this:

    Apr 9 15:00:02 VERBOSE [24950] logger.c:
    -- Remote UNIX connection disconnected
    Apr 9 15:05:01 VERBOSE [3003] logger.c:
    Apr 9 15:00:02 VERBOSE [24950] logger.c:
    -- Remote UNIX connection disconnected
    Apr 9 15:05:01 VERBOSE [3003] logger.c:
    Apr 9 15:00:02 VERBOSE [24950] logger.c:
    -- Remote UNIX connection disconnected
    Apr 9 15:05:01 VERBOSE [3003] logger.c:

    and so on....

    Please help me understand how the hacker hooked into my system, since the server is invisible from the internet (I guess on all ports) and I changed the smsdiscount.com password every time I got the chance.

    Thank you very much

    Ionut C
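The two excerpts in the post above can be lined up mechanically. The script below is an added example (not something from the original thread or from Elastix): it parses the provider's call list and the pasted Asterisk verbose log, shifts the provider timestamps by the one-hour offset the poster describes, and reports which AMI ("Manager ... logged on") events preceded each billed call within a configurable window. The sample lines are copied from the post (trimmed to the logon entries; the repeated "logged off" and "Parsing" lines are omitted), the year 2011 is taken from the call list, and the periodic "Remote UNIX connection" entries are parsed but ignored because they are not manager logins.

```python
"""Correlate provider call records with Asterisk manager (AMI) logins.

Added example. Sample data is copied from the forum post; the year (2011)
and the one-hour clock offset come from the poster's description.
"""
import re
from datetime import datetime, timedelta

# Provider call list (provider clock, which the poster says is 1 h behind the server).
PROVIDER_CALLS = """\
2011-04-09 13:48:54 +85048922095 00:00:09 € 0.350
2011-04-09 13:47:47 +6776389252 00:00:10 € 0.300
2011-04-09 13:47:26 +6757723073 00:00:17 € 0.380
2011-04-09 13:46:56 +5926568011 00:00:13 € 0.190
2011-04-09 13:45:40 +34601001371 00:00:23 € 0.060
2011-04-09 13:44:39 +261229800216 00:00:16 € 0.220
2011-04-09 13:41:55 +18696655065 00:00:07 € 0.990
"""

# Asterisk log as pasted: a header line, then the message on the following line.
ASTERISK_LOG = """\
Apr 9 14:40:01 VERBOSE [3003] logger.c:
-- Remote UNIX connection
Apr 9 14:40:02 VERBOSE [21029] logger.c:
-- Remote UNIX connection disconnected
Apr 9 14:40:22 VERBOSE [21108] logger.c:
== Manager 'admin' logged on from 127.0.0.1
Apr 9 14:40:22 VERBOSE [21108] logger.c:
== Manager 'admin' logged off from 127.0.0.1
Apr 9 14:40:32 VERBOSE [21138] logger.c:
== Manager 'admin' logged on from 127.0.0.1
Apr 9 14:40:40 VERBOSE [21156] logger.c:
== Manager 'admin' logged on from 127.0.0.1
Apr 9 14:40:44 VERBOSE [21167] logger.c:
== Manager 'admin' logged on from 127.0.0.1
Apr 9 14:45:01 VERBOSE [3003] logger.c:
-- Remote UNIX connection
Apr 9 14:49:40 VERBOSE [22864] logger.c:
== Manager 'admin' logged on from 127.0.0.1
Apr 9 14:50:41 VERBOSE [23124] logger.c:
== Manager 'admin' logged on from 127.0.0.1
Apr 9 14:50:47 VERBOSE [23147] logger.c:
== Manager 'admin' logged on from 127.0.0.1
Apr 9 14:55:28 VERBOSE [24049] logger.c:
== Manager 'admin' logged on from 127.0.0.1
"""

CALL_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\+\d+) (\d\d:\d\d:\d\d) € ([\d.]+)$")
HDR_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d\d:\d\d:\d\d) \w+ ?\[\d+\] \S+:")
LOGON_RE = re.compile(r"Manager '([^']+)' logged on from (\S+)")

PROVIDER_OFFSET = timedelta(hours=1)  # server clock = provider clock + 1 h


def parse_calls(text):
    """Return the billed calls with their timestamps moved onto the server clock."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") + PROVIDER_OFFSET
        calls.append({"server_time": when, "number": m.group(2),
                      "duration": m.group(3), "cost": float(m.group(4))})
    return calls


def parse_manager_logons(text, year):
    """Extract AMI logon events; handles both one-line and split header/message form."""
    logons, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HDR_RE.match(line)
        if m:
            pending = datetime.strptime(
                f"{year} {m.group(1)} {m.group(2)} {m.group(3)}", "%Y %b %d %H:%M:%S")
            rest = line[m.end():]
            if not rest.strip():
                continue  # message is on the next line
            line = rest
        lm = LOGON_RE.search(line)
        if lm and pending is not None:
            logons.append({"time": pending, "user": lm.group(1), "source": lm.group(2)})
        pending = None
    return logons


def correlate(calls, logons, window=timedelta(minutes=10)):
    """For each call (server clock), list the AMI logons in the preceding window."""
    report = []
    for call in sorted(calls, key=lambda c: c["server_time"]):
        start, end = call["server_time"] - window, call["server_time"]
        prior = [l for l in logons if start <= l["time"] <= end]
        report.append((call, prior))
    return report


def total_cost(calls):
    return round(sum(c["cost"] for c in calls), 2)


if __name__ == "__main__":
    calls = parse_calls(PROVIDER_CALLS)
    logons = parse_manager_logons(ASTERISK_LOG, 2011)
    for call, prior in correlate(calls, logons):
        print(f"{call['server_time']:%H:%M:%S} {call['number']:>14} "
              f"{call['duration']} € {call['cost']:.3f}  AMI logons in prior 10 min: {len(prior)}")
    print(f"total billed: € {total_cost(calls):.2f}")
```

With the offset applied, every one of the seven calls falls within ten minutes of a cluster of four `admin` logons from 127.0.0.1, which is the pattern to look for when the CDR itself is empty: the manager sessions are the only server-side trace. The window is an assumption for the example; tighten it once you know how your own web interface drives AMI.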
     
  2. jgutierrez

    Joined:
    Feb 28, 2008
    Messages:
    5,737
    Likes Received:
    0
    I don't see any issue at all. Attach the CDR report information according to the time/date of the unauthorized calls.
     
  3. Dante78

    Joined:
    Jan 16, 2010
    Messages:
    7
    Likes Received:
    0
    Hello

    The CDR report is blank for that day. No calls made. I have also firewalled port 5038, mentioned in manager.conf, and changed the default elastix456 password. Could this be the reason for my hacking? Did the hacker use port 5038 and the default Elastix password to gain access to my smsdiscount.com trunk?

    What other ports can i block?

    Cheers
     
  4. Dante78

    Joined:
    Jan 16, 2010
    Messages:
    7
    Likes Received:
    0
    Hello

    I found the problem. On ip/admin I left the default password for the asterisk user, which is eLaStIx.asteriskuser.2oo7; that was the big mistake... whoever set up the server didn't change the password of the asteriskuser user. They used the default password to enter my system.

    I tried to change the password in /etc/amportal.conf, but I have to change the password also in MySQL for that user and I don't know how to do it.

    Please help.
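For the rotation the poster is asking about, here is an added example (not code from the thread, Elastix or FreePBX) that checks an amportal.conf-style file for the two defaults named in this thread, rewrites the password values in place, and prints the MySQL statement that must be run so the database password matches. Assumptions, labelled in the code: amportal.conf is a `KEY=value` file and uses the FreePBX key names `AMPDBUSER`, `AMPDBPASS`, `AMPDBHOST`, `AMPMGRUSER` and `AMPMGRPASS`; the MySQL account is `asteriskuser` on localhost as the post says; and the password is changed with the MySQL 5 `SET PASSWORD ... = PASSWORD(...)` syntax of that era. The sample configuration is constructed for the example.

```python
"""Rotate the database and AMI credentials stored in amportal.conf.

Added example, not from the thread. Assumed: KEY=value format with the
FreePBX key names AMPDBUSER/AMPDBPASS/AMPDBHOST/AMPMGRUSER/AMPMGRPASS;
MySQL 5 SET PASSWORD syntax. The sample file below is constructed.
"""
import re
import secrets
import string

# Defaults named in the thread: the installer-left asteriskuser password and the
# manager password the poster replaced in manager.conf.
KNOWN_DEFAULTS = {"eLaStIx.asteriskuser.2oo7", "elastix456"}

SAMPLE_AMPORTAL = """\
# constructed sample, not a real amportal.conf
AMPDBHOST=localhost
AMPDBENGINE=mysql
AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
AMPDBPASS=eLaStIx.asteriskuser.2oo7
AMPMGRUSER=admin
AMPMGRPASS=elastix456
"""

KV_RE = re.compile(r"^([A-Z][A-Z0-9_]*)=(.*)$")


def parse_amportal(text):
    """Parse KEY=value lines, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KV_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def default_credentials_in_use(conf):
    """Return the keys whose value is one of the well-known defaults."""
    return sorted(k for k, v in conf.items() if v in KNOWN_DEFAULTS)


def new_password(length=24):
    # Alphanumeric only so the value needs no quoting in the conf file or in SQL.
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate(text, db_pass, mgr_pass):
    """Rewrite AMPDBPASS and AMPMGRPASS, leaving every other line untouched."""
    out = []
    for line in text.splitlines():
        m = KV_RE.match(line.strip())
        if m and m.group(1) == "AMPDBPASS":
            out.append(f"AMPDBPASS={db_pass}")
        elif m and m.group(1) == "AMPMGRPASS":
            out.append(f"AMPMGRPASS={mgr_pass}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def mysql_statement(conf, db_pass):
    """MySQL 5 statement that sets the database user's password to match the file."""
    user = conf["AMPDBUSER"]
    host = conf.get("AMPDBHOST", "localhost")
    return f"SET PASSWORD FOR '{user}'@'{host}' = PASSWORD('{db_pass}');"


if __name__ == "__main__":
    conf = parse_amportal(SAMPLE_AMPORTAL)
    print("keys still at a known default:", default_credentials_in_use(conf))
    db_pass, mgr_pass = new_password(), new_password()
    print(rotate(SAMPLE_AMPORTAL, db_pass, mgr_pass))
    print("run as MySQL root:", mysql_statement(conf, db_pass))
```

Run the statement it prints as the MySQL root user, write the rotated file back over /etc/amportal.conf, and make sure the new `AMPMGRPASS` is also what the `[admin]` entry in manager.conf carries as its `secret`, then restart the PBX services so FreePBX picks up both values. The specific restart command and the manager.conf layout are not shown here because they depend on the Elastix version.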
     
  5. jgutierrez

    Joined:
    Feb 28, 2008
    Messages:
    5,737
    Likes Received:
    0
  6. souxinh

    Joined:
    Apr 6, 2010
    Messages:
    36
    Likes Received:
    0
    Hi all,

    I just found this post about a vulnerability in Elastix (1.6 and lower). Fixed in 2.0.

    http://sysadminman.net/blog/
    and
    http://secunia.com/advisories/41330/

    If you’re still using Elastix 1.5 or 1.6 (or earlier) then it is critically important that you ensure you are not open to this vulnerability.
    This allows anyone to download a list of extensions and secrets from your Elastix server, no password required! They can then use this information to place expensive calls through your server.
     
