VoIP Hijack

Discussion in 'General' started by awoof, Nov 11, 2008.

  1. awoof

    Jun 30, 2008
    I became a victim of VoIP hijack by unscrupulous humans that used my trunks to generate calls to certain area codes in the USA (313). I thought I should share this with the community. So as you are deploying your VoIP platform you need to take all the necessary measures in ensuring that your servers are secured. I am using Elastix version 1.3 in a production environment. Fortunately for me, I got a call from a gentleman that is already aware of the vulnerability that VoIP platforms have to tell me that my platform or server had been hijacked and I should stop asking people for credit card numbers. Hmmmmm, innocent as I was, I was stunned. I started arguing with him that it couldn't have been my servers, so I was curious to know how in God's name someone can hijack my trunks to launch calls to several hundreds of people within a certain period. I decided to investigate.

    # sip show peers .....found that my extensions were hijacked, bearing an external IP address that could be camouflaged. Tracing it will be a waste of time. Note that your extensions should always bear your local address, for example 192.168.XXX.XXX or 10.XX.XX.XX blablabla.

    Steps I took:

    I immediately disabled the trunk....with that you could see the calls being launched in the CLI, and your server will return "all circuits are busy now".

    Then I reconfigured my router, allowing only what was needed to let media and signalling go through.
    Ports: 5060-5061 and 10001-20000 all UDP

    At this time amportal restart will not help.

    The best option is to reboot your router and wait for your extensions to re-register, and you are good.

    You could always tail -f /var/log/asterisk/full to see all activity going through your server.

    You can now enable your trunk to resume your activities. It is advisable to have a different SIP carrier to handle your incoming calls and use other trunks for your outgoing, just in case you get hijacked.
    With this you can always receive incoming calls and troubleshoot the hijacking problem. Any additional advice on how we can put our servers on steroids is appreciated; please contribute what you know.....
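An added check in the spirit of the `sip show peers` step in the post above (example code, not from the original poster or from Elastix): it parses output constructed in the style of that Asterisk CLI command and flags every peer registered from an address outside the RFC 1918 ranges, with an allow-list for carrier trunks that legitimately sit on public IPs.

```python
"""Flag SIP peers registered from outside the LAN, from `sip show peers` output."""
import ipaddress
import re

# Constructed sample in the style of Asterisk 1.x `sip show peers` output
# (not captured from any real system; 203.0.113.45 is a documentation address).
SAMPLE_PEERS = """\
Name/username              Host            Dyn Nat ACL Port     Status
101/101                    192.168.1.50     D          5060     OK (12 ms)
102/102                    203.0.113.45     D   N      5060     OK (45 ms)
103/103                    (Unspecified)    D          0        Unmonitored
104/104                    10.0.0.77        D          5060     OK (8 ms)
4 sip peers [Monitored: 3 online, 0 offline Unmonitored: 1 online, 0 offline]
"""

# The "local address" ranges the post refers to (RFC 1918) plus loopback.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# First two whitespace-separated columns: Name/username and Host.
PEER_RE = re.compile(r"^(\S+)\s+(\S+)\s")


def classify_host(host):
    """Return 'lan' or 'external' for an IP literal, or None for anything else
    ("(Unspecified)" for an unregistered peer, header text, the summary line)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    return "lan" if any(addr in net for net in LAN_NETS) else "external"


def find_external_peers(show_peers_output, allowed_hosts=()):
    """Return (peer_name, host) for each registered peer whose address is outside
    the LAN and not in allowed_hosts (e.g. your carrier's trunk addresses)."""
    flagged = []
    for line in show_peers_output.splitlines()[1:]:   # skip the header row
        m = PEER_RE.match(line)
        if not m:
            continue
        name, host = m.groups()
        if classify_host(host) == "external" and host not in allowed_hosts:
            flagged.append((name, host))
    return flagged


if __name__ == "__main__":
    for name, host in find_external_peers(SAMPLE_PEERS):
        print(f"ALERT: peer {name} is registered from external address {host}")
```

On a live box, feed it `asterisk -rx "sip show peers"` instead of the sample and put your trunk IPs in `allowed_hosts`.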
