web interface missing

rollinsolo

#1
It seems as if one of my systems was compromised today, not for the voice but for the mailing feature, which I am sure is just as popular. It seems they got in through cyrus-imapd and somehow created a user belonging to mailgroup and were executing pop. I stopped this and totally removed postfix and cyrus-imapd from the system, but then I was faced with the challenge that all I had showing now was the welcome screen from apache. I looked in /var/www/html and a lot was missing, so I did a re-install; everything was fine, ran a backup, and after I installed the aastra xml scripts using the latest script from aastra's site I looked good to go. I left to come back to the customer site to reconnect the phones, and by the time I got here the apache welcome site was back and I had no way to get into the web interface. I am running Elastix 1.3.

I am about to perform another install, but this time install xml by hand, no script; I think the one from the latest is for a later version of elastix, and will see from there. If anyone has had a similar issue let's figure it out to make sure it doesn't happen again, and of course I will share with anyone once I know.
 

dicko

#2
My guess is you were compromised through roundcube; you should delete the /var/www/html/mail directory ASAP or the bots out there will just reinfect you (they have your number !! ). Also look into rkhunter or similar, to watch for untoward changes on your system.

dicko
 

rollinsolo

#3
+1 to you again my friend. For my customers not using voicemail to email at all or fax to email, is it extra safe to yum remove postfix and yum remove cyrus-imapd as well? I am working on the rkhunter (really rtfm first) and going from there. I am mostly concerned that they were able to create a user; do you think that was a roundcube user and they just got in through the standard password to create a new user?
 

dicko

#4
I have experienced this penetration in the past, but noticing it was from the roundcube client (and apparently as the user asterisk), and having absolutely no need for a webmail client, I took the path of least resistance and just consigned that piece of code to the trash; probably I should have tracked down the vulnerability, but I'm lazy.

The mail services remain and continue to "call the boss" with the various cron job errors (including rkhunter), and service the fax and vmail notifications without problem. But as a precaution, and because I rarely use the SMTP services, I move that particular service from 25 to "somewhere completely different".

As to rkhunter, the trick is to, as you say, A) RTFM (twice), and B) iterate between rkhunter -c and editing /etc/rkhunter.conf until there are no errors; the rkhunter.conf is well documented as to how to accept the peculiarities of this particular (Centos) system. I suggest you get and build it from source as the yum available ones seem a little stale.

regards

dicko
 

rollinsolo

#5
Have you ever heard of peer guardian? I wish there was some way we could tap into those lists to have them hosts.deny and auto update all the time, or everyone contribute to a master list and auto update from that as they come in. I am sure it would catch on and yet still just be another layer of security.
 

dicko

#6
You might want to look into the lighter weight configserver's csf firewall (I think ramoncio posted about this one a few weeks (months) ago); it will largely honor those blacklisted addresses in the many lists out there if configured to do so.

dicko
 

rollinsolo

#7
+1 again for the CSF suggestion, easy to set up and get all green. Just curious, I want to double check the ports I need open for a functioning elastix, voicemail2email, fax2email and xml scripts etc. Do I have to leave mDNSResponder running, or is that just once the phones are set up I can turn that off? Also I learned quick to add the subnet that the ip phones reside on or else no service for them. I am working off of 22 (not really changed this port), 80, 443, 5061 tcp, 5060 (udp both), udp 10000-20000, 1194 udp. I know 69 is for tftp and should most likely be open for any auto provisioning but closed if I don't need it, so any other ports that are important to elastix functionality? A lot of my customers use T-1 for their voice so I don't require some of the sip and Iax2 ports to be open, but any others you can think of would be appreciated.
 

dicko

#8
From your machine

netstat -naut

will identify what is open; probably all the tcp ports need appropriate attention, all the udp below 1024 also (plus the obvious rtp connections); anything else is probably "suspicious".

If you are multi-homed (routing) yet trust your LAN, just have CSF attend to the WAN interface to save you problems. CSF is not ideal for routers; there is always Arno's stuff for that.

dicko

p.s. If you are "all green" be careful of putting /tmp in ram, FreePBX will eventually Eff you on backups.
p.p.s. I note your other post, ++rollinsolo.karma for "getting-it" and contributing.
 

rollinsolo

#9
So I should not have mounted /tmp and symlinked /var/tmp, good to know. Is there anything else you normally delete from /var/www/html/ that most do not use and could pose a vulnerability? I do not use Elastix in production for anything but voice and fax; don't use the chat, don't need the webmail, CRM etc.
 

dicko

#10
The basic linux idea is that /tmp is transitory over a reboot, so it rightly belongs in ram, as many "root" exploits will be able to (and IMHO wrongly in Elastix) write to /tmp and if possible put a cron job to run it after the reboot; you get re-hosed over the reboot. Unfortunately FreePBX, and who knows what else, likes to use /tmp and put shit-loads into it (they should use somewhere else), so when your ram fills up with the un-removed crap (better housekeeping is needed, but that's another story in another forum) your system will die. The downside is that if you leave it on a permanent file-system, the knuckle-draggers can still own you.

dicko

p.s. unless you need it (and believe me, you don't; any real email client can talk to the Elastix mail server much more securely) delete /var/www/html/mail or you will be embarrassed later (roundcubemail in Elastix is totally compromised).

Check that you have tightened up http(s)://<you>/admin and http(s)://<you>/recordings against the "well knowns".
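The "cron job to run it after the reboot" that dicko describes is something you can look for directly. The script below is an added example, not from this thread and not part of Elastix or FreePBX: it scans crontab text for jobs whose command line references a path under /tmp, /var/tmp or /dev/shm and singles out @reboot entries. The crontab it reads is a constructed sample; the two asterisk-user entries pointing into /tmp and /var/tmp are planted findings, and the scan_live_cron function (also an assumption about where your crontabs live) is what you would run as root on a real box.

```shell
#!/bin/sh
# Added example (not from the thread, not part of Elastix/FreePBX): find cron
# jobs that execute something under /tmp, /var/tmp or /dev/shm.

# Constructed /etc/crontab-style sample; the @reboot and */10 entries are the
# planted findings. Everything else is the kind of line a normal box carries.
SAMPLE_CRONTAB='SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
0 3 * * * asterisk /var/lib/asterisk/bin/retrieve_conf
@reboot asterisk /tmp/.cache/update.sh > /dev/null 2>&1
*/10 * * * * asterisk /bin/sh /var/tmp/.cache/k.sh
30 2 * * * root /usr/local/bin/rkhunter --cronjob --report-warnings-only'

# Read crontab text on stdin. Print "REBOOT <line>" for @reboot jobs and
# "SCHEDULED <line>" for timed jobs whose command references a path under
# /tmp/, /var/tmp/ or /dev/shm/. Comments, blank lines and VAR=value lines
# are skipped. Only paths with a component under those directories match, so
# an argument such as "tmpwatch 240 /tmp" is not reported.
find_tmp_cron() {
    awk '
    BEGIN { re = "(^|[^A-Za-z0-9_./-])(/var)?/tmp/|/dev/shm/" }
    /^[ \t]*#/ || NF == 0 { next }
    /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
    $0 ~ re {
        tag = ($1 == "@reboot") ? "REBOOT" : "SCHEDULED"
        printf "%s %s\n", tag, $0
    }'
}

# Scan the constructed sample (used by the demonstration below).
find_tmp_cron_sample() {
    printf '%s\n' "$SAMPLE_CRONTAB" | find_tmp_cron
}

# On a live box (run as root; the file locations are an assumption for a
# CentOS-based system): system crontab, cron.d fragments and per-user tabs.
scan_live_cron() {
    cat /etc/crontab /etc/cron.d/* /var/spool/cron/* 2>/dev/null | find_tmp_cron
}

find_tmp_cron_sample
```

Anything reported deserves a look at what the referenced file does and which user owns the crontab; a job owned by asterisk that runs from /tmp is exactly the pattern that survives a reboot when /tmp is on disk.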
 

rollinsolo

#11
Got it thank you again my man.
 

rollinsolo

#12
Wow, ok, I guess I do not got it, lol; I might even never use that phrase again in reference to any of this, hahah. Anyways, CSF is performing strangely when I have it running: on my machine, I could not access the Elastix.org website; when I turn it off I got right on. As well, the customer that I put CSF on, that was compromised via roundcube and my negligence, could not intraoffice dial from one extension to another until I turned off the firewall. I did allow their ip range and subnet in the allowed ip section of csf because I would prefer to leave it running. Any thoughts as to what I am doing wrong?
 

dicko

#13
The basic rules are in these few lines

ETH_DEVICE =
# If you don't want iptables rules applied to specific NICs, then list them in
# a comma separated list (e.g "eth1,eth2")
ETH_DEVICE_SKIP =
# Lists of ports in the following comma separated lists can be added using a
# colon (e.g. 30000:35000).
# Allow incoming TCP ports
TCP_IN =
# Allow outgoing TCP ports
TCP_OUT =
# Allow incoming UDP ports
UDP_IN =

If you are multihomed, just apply it to the WAN interface.

Your outbound tcp line might look like

20,21,22,25,43,53,80,110,113,443,22
and tcp in

25,53,80,110,143,443,465,587,993,995,22,5038,4559

for example

and your udp lines something like

20,21,53,69,123,113,123,4569,5060:5070,10000:20000

etc.

The log file is at

/etc/csf/stats/iptables_log
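Posts #8 and #13 together describe a check worth scripting: take what netstat -naut shows listening and hold it against the TCP_IN/UDP_IN lists in csf.conf. The script below is an added example, not from this thread and not part of CSF or Elastix. It reports listeners that CSF would block (which is what the "cannot intraoffice dial" symptom looks like when SIP's 5060 is missing from UDP_IN) and list entries with nothing behind them (holes that can be closed). Both the netstat output and the csf.conf fragment are constructed samples; real csf.conf quotes the lists, which the parser assumes.

```shell
#!/bin/sh
# Added example (not from the thread, not part of CSF/Elastix): compare the
# listeners in "netstat -naut" output with csf.conf's TCP_IN/UDP_IN lists.

# Constructed "netstat -naut" output (not captured from a real system).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:3306              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:5038                0.0.0.0:*                   LISTEN
tcp        0      0 192.0.2.10:22               198.51.100.7:50122          ESTABLISHED
udp        0      0 0.0.0.0:69                  0.0.0.0:*
udp        0      0 0.0.0.0:4569                0.0.0.0:*
udp        0      0 0.0.0.0:5060                0.0.0.0:*'

# Constructed csf.conf fragment (real csf.conf quotes the lists). The missing
# 5060 in UDP_IN and the unused 4559 and 123 entries are deliberate.
SAMPLE_CSF_CONF='ETH_DEVICE = "eth0"
ETH_DEVICE_SKIP = "eth1"
# Allow incoming TCP ports
TCP_IN = "22,80,443,5038,4559"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,43,53,80,110,113,443"
# Allow incoming UDP ports
UDP_IN = "69,123,4569,10000:20000"'

# Print the value of one csf.conf list (e.g. TCP_IN) from conf text on stdin.
csf_list() {
    awk -v name="$1" '$1 == name && $2 == "=" { gsub(/"/, "", $3); print $3 }'
}

# audit_ports NETSTAT_TEXT CONF_TEXT
# NOT_ALLOWED: a non-loopback listener whose port is not in TCP_IN/UDP_IN, so
#              CSF blocks it; if you rely on it (SIP on 5060) that is the break.
# UNUSED:      a single-port list entry with nothing listening; ranges such as
#              10000:20000 are accepted for coverage but not checked for use.
audit_ports() {
    tcp_in=$(printf '%s\n' "$2" | csf_list TCP_IN)
    udp_in=$(printf '%s\n' "$2" | csf_list UDP_IN)
    printf '%s\n' "$1" | awk -v tcp_in="$tcp_in" -v udp_in="$udp_in" '
    # 1 if port is in the comma-separated csf list (single ports or lo:hi ranges).
    function covered(list, port,    n, p, i, r) {
        n = split(list, p, ",")
        for (i = 1; i <= n; i++) {
            if (index(p[i], ":") > 0) {
                split(p[i], r, ":")
                if (port >= r[1] + 0 && port <= r[2] + 0) return 1
            } else if (p[i] + 0 == port) {
                return 1
            }
        }
        return 0
    }
    function unused(proto, list,    n, p, i) {
        n = split(list, p, ",")
        for (i = 1; i <= n; i++)
            if (index(p[i], ":") == 0 && !((proto " " (p[i] + 0)) in seen))
                printf "UNUSED %s %s\n", proto, p[i]
    }
    # Listening sockets only: tcp in LISTEN state, udp bound with no peer.
    ($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && ($5 == "0.0.0.0:*" || $5 == ":::*")) {
        n = split($4, a, ":")
        port = a[n] + 0
        host = substr($4, 1, length($4) - length(a[n]) - 1)
        if (host == "127.0.0.1" || host == "::1") next   # CSF does not touch loopback
        proto = ($1 ~ /^tcp/) ? "tcp" : "udp"
        seen[proto " " port] = host
    }
    END {
        for (k in seen) {
            split(k, kp, " ")
            if (!covered((kp[1] == "tcp") ? tcp_in : udp_in, kp[2] + 0))
                printf "NOT_ALLOWED %s %s %s\n", kp[1], kp[2], seen[k]
        }
        unused("tcp", tcp_in)
        unused("udp", udp_in)
    }' | sort
}

# Run the audit over the constructed samples (four findings expected).
audit_sample() {
    audit_ports "$SAMPLE_NETSTAT" "$SAMPLE_CSF_CONF"
}

audit_sample
```

On a real box the same function runs as `audit_ports "$(netstat -naut)" "$(cat /etc/csf/csf.conf)"`. A NOT_ALLOWED line for a service you do not recognise (pop3 on 110 in the sample, with cyrus-imapd supposedly removed) is worth chasing before you widen the list; a NOT_ALLOWED line for 5060 is the firewall doing what it was told, and the fix is the list, not the phones.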
 

rollinsolo

#14
Ever since messing around with CSF for myself I am having quite a few problems of my own: my CPU is now steadily at 50%, and normally, running idle, I am usually less than 1%. Any ideas what to check and how to stop the resource hog?
 

dicko

#15
top

to start
 

rollinsolo

#16
Man, a couple of reboots later and all is fine. I would still like to know how to fix that without the reboot sometimes.
 

dicko

#17
You have to diagnose the problem (here quickly with top) or the state of the machine goes away and it becomes harder; look for big files in /var/log and explore them for hung processes, often asterisk/full or messages are the likely culprits.
 

rollinsolo

#18
Also after making some changes, now the customer cannot intraoffice dial; I had to perform a re-install with aastra xml scripts too. Do you think something broke along the way?
 
