[asterisk-biz] PBX got Hacked

Jeremy intrusiondetection at gmail.com
Sat Feb 7 19:30:42 CST 2009


Were the passwords on any extensions common dictionary words or otherwise
easily brute forced?

On Sat, Feb 7, 2009 at 8:23 PM, VIP Carrier <vipcarrier at gmail.com> wrote:

> The system was secure; they had only opened a few ports on their firewall:
> 443, 5060-5061 and 16384-32767 for RTP traffic,
>
> and user extensions did not match passwords, and SwitchVOX came in as an
> appliance, so there was no installation done by anyone at their company;
> everything came directly from Digium.
>
> We have attempted contacting Server Pronto, but their technical support
> just said to email abuse and they will look into the problem, and refused
> to talk to us.
>
>
> On Sat, Feb 7, 2009 at 7:31 PM, Gregory Boehnlein <damin at nacs.net> wrote:
>
>> I made a comment about this at Astridevcon. We have seen an increase in
>> automated brute-force hacking attempts against publicly accessible VoIP
>> systems. Basically, the hackers use an automated tool to hack into a VoIP
>> system w/ insecure passwords (a la extension 100 w/ a password of 100). Once
>> they gain access, they use it to either:
>>
>>
>>
>> a.       Send a bunch of calls to places like Cuba, where costs can be
>> $.30 / minute.
>>
>> b.      Have an auto-dialer blast out calls for credit-card scamming.
>>
>>
>>
>> There was an FBI announcement not too long ago about a "Vishing" scam that
>> was targeting Asterisk PBX systems:
>>
>> http://blogs.digium.com/2008/12/06/sip-security-and-asterisk/
>>
>>
>>
>> At this point, if you have your VoIP system attached to the public
>> Internet, and are not taking security precautions such as using strong
>> passwords and judicious firewalling, it is only a matter of time until you
>> get hacked.
>>
>>
>>
>> From: asterisk-biz-bounces at lists.digium.com [mailto:
>> asterisk-biz-bounces at lists.digium.com] On Behalf Of Jai Rangi
>> Sent: Saturday, February 07, 2009 6:57 PM
>> To: Commercial and Business-Oriented Asterisk Discussion
>> Subject: Re: [asterisk-biz] PBX got Hacked
>>
>>
>>
>> $2000 of calls in one hour? The fraud user must be a professional hacker and
>> should have some kind of VoIP system and tens (if not hundreds) of friends
>> calling at the same time.
>>
>> On Sat, Feb 7, 2009 at 3:46 PM, Gregory Boehnlein <damin at nacs.net>
>> wrote:
>>
>> Let me guess…
>>
>>
>>
>> 1.       The Switchvox was open to the Internet
>>
>> 2.       The extensions were simple (three / four digits) and the
>> passwords matched the extensions
>>
>> 3.       The attacker was able to register from the public Internet as
>> one of the users and send the calls.
>>
>>
>>
>> Sounds much more like an installation done by someone who had no clue
>> about IP security. Don't blame Switchvox for the installer's lack of a clue.
>> Switchvox is designed to run behind a firewall, and best practices for
>> installation would dictate that you be very paranoid about what to allow to
>> communicate w/ the PBX. Allowing it to be openly accessed on the public
>> Internet is sheer stupidity.
>>
>>
>>
>> So.. what am I missing here?
>>
>>
>>
>> From: asterisk-biz-bounces at lists.digium.com [mailto:
>> asterisk-biz-bounces at lists.digium.com] On Behalf Of VIP Carrier
>> Sent: Saturday, February 07, 2009 6:36 PM
>> To: Commercial and Business-Oriented Asterisk Discussion
>> Subject: [asterisk-biz] PBX got Hacked
>>
>>
>>
>> Guys,
>> I can't believe that our client's PBX got hacked today.
>> My client has a SwitchVOX SMB and it got hacked!
>> Some F@ckers with the following IPs
>> 91.121.132.208
>> 69.60.114.222
>> were able to send calls in a matter of 1 hr for more than $2000.
>>
>> What can I say, stay away from Switchvox.
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by N2Net Mailshield <http://www.n2net.net/Products.asp?PageId=1&SubId=14>, and is
>> believed to be clean.
>>
>> _______________________________________________
>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>
>> asterisk-biz mailing list
>> To UNSUBSCRIBE or update options visit:
>>   http://lists.digium.com/mailman/listinfo/asterisk-biz
>>
>>
>
>
>
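Gregory's diagnosis (extension 100 with password 100, registration open to the whole Internet) is the kind of thing a credential audit catches before an attacker's scanner does, and it answers Jeremy's question about dictionary or easily brute-forced passwords in a repeatable way. The script below is an added example written for this archive page; it is not code from the thread, from Digium, or from Switchvox (which, as an appliance, does not hand you a sip.conf to edit). It parses a constructed sample in Asterisk sip.conf syntax and flags the weaknesses discussed in the thread: a secret equal to its extension, purely numeric or short secrets, dictionary words, peers with no permit/deny ACL, and the general-section options allowguest and alwaysauthreject. Those two option names are real sip.conf settings; treating a missing setting as a finding is a choice of this example, not a statement about any particular Asterisk version's defaults, and the 12-character threshold and the tiny word list are likewise assumptions.

```python
import re

# Constructed sample in Asterisk sip.conf syntax (not the poster's config).
# Extension 100 is the "password matches extension" case from the thread;
# 101 uses a dictionary word; 102 is a reasonably configured peer.
SAMPLE_SIP_CONF = """
[general]
context=default
allowguest=yes          ; unauthenticated calls accepted
alwaysauthreject=no     ; wrong-password vs. unknown-user replies differ

[100]
type=friend
secret=100
host=dynamic
context=from-internal

[101]
type=friend
secret=password
host=dynamic

[102]
type=friend
secret=Xk9#vQ2pL7mT4wR8
host=dynamic
permit=192.168.1.0/255.255.255.0
"""

# Tiny illustrative word list; a real audit would load a full dictionary.
WORDLIST = {"password", "secret", "asterisk", "admin", "123456", "welcome"}
MIN_SECRET_LEN = 12  # assumed policy threshold for this example


def parse_sip_conf(text):
    """Parse [section] / key=value lines, ignoring ';' comments and blanks."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def weak_secret_reasons(name, secret):
    """Return the list of reasons a peer secret is brute-forceable (empty if none)."""
    if not secret:
        return ["no secret"]
    reasons = []
    if secret == name:
        reasons.append("secret equals extension")
    if secret.isdigit():
        reasons.append("numeric only")
    if len(secret) < MIN_SECRET_LEN:
        reasons.append("shorter than %d chars" % MIN_SECRET_LEN)
    if secret.lower() in WORDLIST:
        reasons.append("dictionary word")
    return reasons


def audit(text):
    """Return (section, finding) pairs for the global options and every peer."""
    sections = parse_sip_conf(text)
    findings = []
    general = sections.get("general", {})
    if general.get("allowguest", "").lower() != "no":
        findings.append(("general", "allowguest is not 'no': unauthenticated calls accepted"))
    if general.get("alwaysauthreject", "").lower() != "yes":
        findings.append(("general", "alwaysauthreject is not 'yes': replies reveal valid extensions"))
    for name, opts in sections.items():
        if name == "general" or opts.get("type") not in ("friend", "peer", "user"):
            continue
        for reason in weak_secret_reasons(name, opts.get("secret")):
            findings.append((name, reason))
        if "permit" not in opts and "deny" not in opts:
            findings.append((name, "no permit/deny ACL: registration accepted from any address"))
    return findings


if __name__ == "__main__":
    for section, finding in audit(SAMPLE_SIP_CONF):
        print("[%s] %s" % (section, finding))
```

Run against the sample, the audit reports both general-section options, four findings for extension 100 (secret equals extension, numeric only, too short, no ACL), three for 101 (too short, dictionary word, no ACL) and nothing for 102. A firewall that only exposes 5060-5061 to the Internet, as in the poster's case, does not help with the peer findings: the registration port is precisely what the brute-force tools target, so the per-peer secrets and ACLs have to hold on their own.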