[asterisk-biz] PBX got Hacked

Trixter aka Bret McDanel trixter at 0xdecafbad.com
Thu Feb 12 17:22:24 CST 2009


On Thu, 2009-02-12 at 17:08 -0500, Jared Geiger wrote:
> I saw multiple attacks from OVH.NET IP addresses over the last few
> weeks as well. I have used a few of the tips in this article to secure
> PBXs before as well http://nerdvittles.com/?p=580
> (fail2ban/IPTables). 
> 
> For switchvox the root account seems to have a key, not a password to
> log in. You can always boot in single user mode, create a new user and
> add that user to the sudoers file then disable root from being able to
> log in via ssh.conf.
> 
First let me say I have never used switchvox, but if it's Linux-based
then the following should apply.

Can you not just get a shell?  If you can, you shouldn't have to boot into
single user mode unless they are doing chattr stuff to only allow
editing of the password file on a secure runlevel, and it is rare that
this is done.

/etc/passwd, /etc/shadow, /etc/group, /etc/sudoers are all just text
files and it's easy to append a line for new users to those files, just
as it's easy to use the useradd/adduser programs to add users.  sshd.conf
is also a text file which requires sshd to restart to take effect but
this usually does not drop connections already in process.  This can be
as simple as /etc/init.d/sshd restart or something similar.


> You should be able to then set up IPTables on Switchvox as well after
> going in and creating the second account.
> 

The problem is that you would need it to know to use sudo if it doesn't,
I do not know if it's smart enough to say "you aren't root so let me sudo
this command".


-- 
Trixter http://www.0xdecafbad.com     Bret McDanel
pgp key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8AE5C721
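
The steps discussed in this thread (a second sudo-capable account first, then root refused over SSH, then an sshd restart), as an added example that is not part of the original message. It assumes the file meant is OpenSSH's `/etc/ssh/sshd_config` and takes a hypothetical admin account name as its first argument.

```shell
#!/bin/sh
# Added example: paths and the admin account name are assumptions.

# Rewrite an sshd_config so root login is refused. sshd keeps the first value
# it reads for a keyword and a Match block can override the global one, so the
# directive goes on line 1 and every other active PermitRootLogin is commented.
disable_root_login() {
    cfg=$1
    tmp=$(mktemp) || return 1
    awk '
        BEGIN { print "PermitRootLogin no" }
        {
            line = $0
            sub(/^[ \t]+/, "", line)        # keyword may be indented
            split(line, f, /[ \t=]+/)       # "Key value" or "Key=value"
            if (tolower(f[1]) == "permitrootlogin") {
                if (line != "PermitRootLogin no") print "#" $0
                next                        # a line we wrote earlier is re-emitted on top
            }
            print
        }' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    [ -e "$cfg.bak" ] || cp -p "$cfg" "$cfg.bak" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$cfg"                     # cat keeps the owner and mode of $cfg
    rc=$?
    rm -f "$tmp"
    return $rc
}

# The whole procedure: lock root out only once a sudo-capable account exists,
# check the file, then restart sshd. Run as root.
lock_out_root() {
    admin=$1                                # hypothetical replacement account
    cfg=${2:-/etc/ssh/sshd_config}          # assumed OpenSSH default path
    id "$admin" >/dev/null 2>&1 || { echo "no such user: $admin" >&2; return 1; }
    LC_ALL=C sudo -l -U "$admin" | grep -q 'may run the following commands' ||
        { echo "$admin has no sudo rights" >&2; return 1; }
    disable_root_login "$cfg" || return 1
    if ! sshd -t -f "$cfg"; then            # syntax check before touching the daemon
        cat "$cfg.bak" > "$cfg"
        return 1
    fi
    /etc/init.d/sshd restart                # restart command as given in the message
}
```

Keep the existing root session open until a login as the new account and a `sudo` command from it have both been confirmed in a second session.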
