Security issue (PLEASE HELP)

Dante78 (#1)
Hello everyone

I have the following situation: on my Elastix server I have 2 trunks (one with the phone number and the other one smsdiscount.com, which is forwarding unanswered extension calls to a mobile device). The Elastix server is totally firewalled and visible only from specific IPs (those 2 trunks and my office internet IP range).

This weekend (for the 4th time) my smsdiscount.com credit vanished on calls that weren't made by me:

2011-04-09 13:48:54 +85048922095 00:00:09 € 0.350
2011-04-09 13:47:47 +6776389252 00:00:10 € 0.300
2011-04-09 13:47:26 +6757723073 00:00:17 € 0.380
2011-04-09 13:46:56 +5926568011 00:00:13 € 0.190
2011-04-09 13:45:40 +34601001371 00:00:23 € 0.060
2011-04-09 13:44:39 +261229800216 00:00:16 € 0.220
2011-04-09 13:41:55 +18696655065 00:00:07 € 0.990

The situation gets even odder, since in my Asterisk logs I have the following verbose output at exactly the same hour and minute (above you have the German timeline; below is my country's timeline in the logs, which is 1 hour ahead of the smsdiscount server time):

Apr 9 14:40:01 VERBOSE [3003] logger.c:
-- Remote UNIX connection
Apr 9 14:40:02 VERBOSE [21029] logger.c:
-- Remote UNIX connection disconnected
Apr 9 14:40:22 VERBOSE [21108] logger.c:
== Parsing '/etc/asterisk/manager.conf': [Apr 9 14:40:22] VERBOSE[21108] logger.c: Found
Apr 9 14:40:22 VERBOSE [21108] logger.c:
== Parsing '/etc/asterisk/manager_additional.conf': [Apr 9 14:40:22] VERBOSE[21108] logger.c: Found
Apr 9 14:40:22 VERBOSE [21108] logger.c:
== Parsing '/etc/asterisk/manager_custom.conf': [Apr 9 14:40:22] VERBOSE[21108] logger.c: Found
Apr 9 14:40:22 VERBOSE [21108] logger.c:
== Manager 'admin' logged on from 127.0.0.1
Apr 9 14:40:22 VERBOSE [21108] logger.c:
== Manager 'admin' logged off from 127.0.0.1
Apr 9 14:40:32 VERBOSE [21138] logger.c:
== Parsing '/etc/asterisk/manager.conf': [Apr 9 14:40:32] VERBOSE[21138] logger.c: Found
Apr 9 14:40:32 VERBOSE [21138] logger.c:
== Parsing '/etc/asterisk/manager_additional.conf': [Apr 9 14:40:32] VERBOSE[21138] logger.c: Found
Apr 9 14:40:32 VERBOSE [21138] logger.c:
== Parsing '/etc/asterisk/manager_custom.conf': [Apr 9 14:40:32] VERBOSE[21138] logger.c: Found
Apr 9 14:40:32 VERBOSE [21138] logger.c:
== Manager 'admin' logged on from 127.0.0.1
Apr 9 14:40:34 VERBOSE [21138] logger.c:
== Manager 'admin' logged off from 127.0.0.1
Apr 9 14:40:40 VERBOSE [21156] logger.c:
== Parsing '/etc/asterisk/manager.conf': [Apr 9 14:40:40] VERBOSE[21156] logger.c: Found
Apr 9 14:40:40 VERBOSE [21156] logger.c:
== Parsing '/etc/asterisk/manager_additional.conf': [Apr 9 14:40:40] VERBOSE[21156] logger.c: Found
Apr 9 14:40:40 VERBOSE [21156] logger.c:
== Parsing '/etc/asterisk/manager_custom.conf': [Apr 9 14:40:40] VERBOSE[21156] logger.c: Found
Apr 9 14:40:40 VERBOSE [21156] logger.c:
== Manager 'admin' logged on from 127.0.0.1
Apr 9 14:40:41 VERBOSE [21156] logger.c:
== Manager 'admin' logged off from 127.0.0.1
Apr 9 14:40:44 VERBOSE [21167] logger.c:
== Parsing '/etc/asterisk/manager.conf': [Apr 9 14:40:44] VERBOSE[21167] logger.c: Found
Apr 9 14:40:44 VERBOSE [21167] logger.c:
== Parsing '/etc/asterisk/manager_additional.conf': [Apr 9 14:40:44] VERBOSE[21167] logger.c: Found
Apr 9 14:40:44 VERBOSE [21167] logger.c:
== Parsing '/etc/asterisk/manager_custom.conf': [Apr 9 14:40:44] VERBOSE[21167] logger.c: Found
Apr 9 14:40:44 VERBOSE [21167] logger.c:
== Manager 'admin' logged on from 127.0.0.1
Apr 9 14:40:46 VERBOSE [21167] logger.c:
== Manager 'admin' logged off from 127.0.0.1
Apr 9 14:45:01 VERBOSE [3003] logger.c:
-- Remote UNIX connection
Apr 9 14:45:02 VERBOSE [22021] logger.c:
-- Remote UNIX connection disconnected
Apr 9 14:49:40 VERBOSE [22864] logger.c:
== Parsing '/etc/asterisk/manager.conf': [Apr 9 14:49:40] VERBOSE[22864] logger.c: Found
Apr 9 14:49:40 VERBOSE [22864] logger.c:
== Parsing '/etc/asterisk/manager_additional.conf': [Apr 9 14:49:40] VERBOSE[22864] logger.c: Found
Apr 9 14:49:40 VERBOSE [22864] logger.c:
== Parsing '/etc/asterisk/manager_custom.conf': [Apr 9 14:49:40] VERBOSE[22864] logger.c: Found
Apr 9 14:49:40 VERBOSE [22864] logger.c:
== Manager 'admin' logged on from 127.0.0.1
Apr 9 14:49:42 VERBOSE [22864] logger.c:
== Manager 'admin' logged off from 127.0.0.1
Apr 9 14:50:02 VERBOSE [3003] logger.c:
-- Remote UNIX connection
Apr 9 14:50:02 VERBOSE [22926] logger.c:
-- Remote UNIX connection disconnected
Apr 9 14:50:41 VERBOSE [23124] logger.c:
== Parsing '/etc/asterisk/manager.conf': [Apr 9 14:50:41] VERBOSE[23124] logger.c: Found
Apr 9 14:50:41 VERBOSE [23124] logger.c:
== Parsing '/etc/asterisk/manager_additional.conf': [Apr 9 14:50:41] VERBOSE[23124] logger.c: Found
Apr 9 14:50:41 VERBOSE [23124] logger.c:
== Parsing '/etc/asterisk/manager_custom.conf': [Apr 9 14:50:41] VERBOSE[23124] logger.c: Found
Apr 9 14:50:41 VERBOSE [23124] logger.c:
== Manager 'admin' logged on from 127.0.0.1
Apr 9 14:50:42 VERBOSE [23124] logger.c:
== Manager 'admin' logged off from 127.0.0.1
Apr 9 14:50:47 VERBOSE [23147] logger.c:
== Parsing '/etc/asterisk/manager.conf': [Apr 9 14:50:47] VERBOSE[23147] logger.c: Found
Apr 9 14:50:47 VERBOSE [23147] logger.c:
== Parsing '/etc/asterisk/manager_additional.conf': [Apr 9 14:50:47] VERBOSE[23147] logger.c: Found
Apr 9 14:50:47 VERBOSE [23147] logger.c:
== Parsing '/etc/asterisk/manager_custom.conf': [Apr 9 14:50:47] VERBOSE[23147] logger.c: Found
Apr 9 14:50:47 VERBOSE [23147] logger.c:
== Manager 'admin' logged on from 127.0.0.1
Apr 9 14:50:48 VERBOSE [23147] logger.c:
== Manager 'admin' logged off from 127.0.0.1
Apr 9 14:55:01 VERBOSE [3003] logger.c:
-- Remote UNIX connection
Apr 9 14:55:02 VERBOSE [23961] logger.c:
-- Remote UNIX connection disconnected
Apr 9 14:55:28 VERBOSE [24049] logger.c:
== Parsing '/etc/asterisk/manager.conf': [Apr 9 14:55:28] VERBOSE[24049] logger.c: Found
Apr 9 14:55:28 VERBOSE [24049] logger.c:
== Parsing '/etc/asterisk/manager_additional.conf': [Apr 9 14:55:28] VERBOSE[24049] logger.c: Found
Apr 9 14:55:28 VERBOSE [24049] logger.c:
== Parsing '/etc/asterisk/manager_custom.conf': [Apr 9 14:55:28] VERBOSE[24049] logger.c: Found
Apr 9 14:55:28 VERBOSE [24049] logger.c:
== Manager 'admin' logged on from 127.0.0.1
Apr 9 14:55:28 VERBOSE [24049] logger.c:
== Manager 'admin' logged off from 127.0.0.1
Apr 9 15:00:01 VERBOSE [3003] logger.c:
-- Remote UNIX connection
Apr 9 15:00:02 VERBOSE [24950] logger.c:
-- Remote UNIX connection disconnected
Apr 9 15:05:01 VERBOSE [3003] logger.c:

For the rest of the time I have only logs like this:

Apr 9 15:00:02 VERBOSE [24950] logger.c:
-- Remote UNIX connection disconnected
Apr 9 15:05:01 VERBOSE [3003] logger.c:
Apr 9 15:00:02 VERBOSE [24950] logger.c:
-- Remote UNIX connection disconnected
Apr 9 15:05:01 VERBOSE [3003] logger.c:
Apr 9 15:00:02 VERBOSE [24950] logger.c:
-- Remote UNIX connection disconnected
Apr 9 15:05:01 VERBOSE [3003] logger.c:

and so on....

Please help me understand how the hacker hooked into my system, since the server is invisible to the internet (I guess on all ports) and I changed the smsdiscount.com password every time I got the occasion.

Thank you very much

Ionut C
 
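A way to do the time correlation the post describes (provider CDR against Asterisk manager-interface logons, with the PBX clock 1 hour ahead of the provider's), written here as an added example and not code from the thread. AMI logons from 127.0.0.1 are what a session through the web GUI on the same host produces, so listing the logons that precede each billed call is the check worth running; the sample CDR and log lines below are constructed in the two formats quoted above.

```python
"""Correlate provider CDR lines with Asterisk manager (AMI) logon events."""
import re
from datetime import datetime, timedelta

# Constructed samples in the formats quoted in the thread; not the poster's real data.
PROVIDER_CDR = """\
2011-04-09 13:41:55 +10000000001 00:00:07 € 0.990
2011-04-09 13:58:00 +10000000002 00:00:10 € 0.300
"""
ASTERISK_LOG = """\
Apr 9 14:40:22 VERBOSE [21108] logger.c:
== Manager 'admin' logged on from 127.0.0.1
Apr 9 14:40:24 VERBOSE [21108] logger.c:
== Manager 'admin' logged off from 127.0.0.1
Apr 9 14:45:01 VERBOSE [3003] logger.c:
-- Remote UNIX connection
"""

CDR_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\+\d+)")
STAMP_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) VERBOSE")
LOGON_RE = re.compile(r"^== Manager '([^']+)' logged on from (\S+)")

def parse_cdr(text):
    """Return (call_time, dialled_number) tuples in the provider's local time."""
    return [(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2))
            for m in map(CDR_RE.match, text.splitlines()) if m]

def parse_ami_logons(text, year):
    """Pair each 'VERBOSE' stamp line with the event line that follows it and
    return (time, user, source_ip) for AMI logons. Syslog stamps carry no year."""
    events, stamp = [], None
    for line in text.splitlines():
        m = STAMP_RE.match(line)
        if m:
            stamp = datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}",
                                      "%Y %b %d %H:%M:%S")
            continue
        m = LOGON_RE.match(line)
        if m and stamp:
            events.append((stamp, m.group(1), m.group(2)))
    return events

def correlate(calls, logons, pbx_ahead=timedelta(hours=1), window=timedelta(minutes=5)):
    """For each billed call, list the AMI logons seen on the PBX within `window`
    before it; the PBX clock runs `pbx_ahead` of the provider's clock."""
    hits = []
    for call_time, number in calls:
        pbx_time = call_time + pbx_ahead
        near = [ev for ev in logons if timedelta(0) <= pbx_time - ev[0] <= window]
        hits.append((number, pbx_time, near))
    return hits
```

A call with an empty logon list was placed without any manager session shortly before it, which points away from the GUI and towards another path (a trunk or extension secret, for instance).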

jgutierrez (#2)
I don't see any issue at all. Attach the CDR report information according to the time/date of the unauthorized calls.
 

Dante78 (#3)
Hello

The CDR report is blank for that day. No calls made. I have also firewalled port 5038, mentioned in manager.conf, and changed the default elastix456 password. Could this be the reason for my hacking? Did the hacker use port 5038 and the default Elastix password to gain access to my smsdiscount.com trunk?

What other ports can I block?

Cheers
 

Dante78 (#4)
Hello

I found the problem. On ip/admin I left the default password for the asterisk user, which is eLaStIx.asteriskuser.2oo7. That was the big mistake... whoever set up the server didn't change the password of the asteriskuser user. They used the default password to enter my system.

I tried to change the password in /etc/amportal.conf, but I also have to change the password in MySQL for that user and I don't know how to do it.

Please help
 

jgutierrez (#5)

souxinh (#6)
Hi all,

I just found this post about a vulnerability in Elastix (1.6 and lower), fixed in 2.0:

http://sysadminman.net/blog/
and
http://secunia.com/advisories/41330/

If you’re still using Elastix 1.5 or 1.6 (or earlier) then it is critically important that you ensure you are not open to this vulnerability.
This allows anyone to download a list of extensions and secrets from your Elastix server, no password required! They can then use this information to place expensive calls through your server.
 
