Were the passwords on any extensions common dictionary words or otherwise easily brute forced?<br><br><div class="gmail_quote">On Sat, Feb 7, 2009 at 8:23 PM, VIP Carrier <span dir="ltr"><<a href="mailto:vipcarrier@gmail.com">vipcarrier@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">The system was secure they had only open few ports on they firewall<br>443, 5060-5061 and 16384-32767
for RTP traffic,<br><br>and users extensions did not match passwords at and SwitchVOX came in as a Appliance so there was no installation done by any one at they company everything came in directly from Digium. <br><br>We have attempted contacting server pronto on what they technical support just said email to abuse and they will look in to the problem and refused talking to us. <br>
<div><div></div><div class="Wj3C7c">
<br><br><div class="gmail_quote">On Sat, Feb 7, 2009 at 7:31 PM, Gregory Boehnlein <span dir="ltr"><<a href="mailto:damin@nacs.net" target="_blank">damin@nacs.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">I made a comment about this at Astridevcon. We have seen an
increase in Automated Brute Force hacking attempts against publically
accessible VoIP systems. Basically, the hackers use an automated tool to hack
into a VoIP system w/ insecure passwords (ala extension 100 w/ a password of
100). Once they gain access, they use it to either:</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p style="text-indent: -0.25in;"><span style="font-size: 11pt; color: rgb(31, 73, 125);"><span>a.<span style="font-family: "Times New Roman"; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;">
</span></span></span><span style="font-size: 11pt; color: rgb(31, 73, 125);">Send a bunch of calls to places like Cuba, were costs can be $.30
/ minute.</span></p>
<p style="text-indent: -0.25in;"><span style="font-size: 11pt; color: rgb(31, 73, 125);"><span>b.<span style="font-family: "Times New Roman"; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;">
</span></span></span><span style="font-size: 11pt; color: rgb(31, 73, 125);">Have an auto-dialer blast out calls for credit-card scamming.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">There was an FBI announcement not too long ago about a "Vishing"
scam that was targeting Asterisk PBX systems:</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"><a href="http://blogs.digium.com/2008/12/06/sip-security-and-asterisk/" target="_blank">http://blogs.digium.com/2008/12/06/sip-security-and-asterisk/</a></span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">At this point, if you have your VoIP system attached to the
public Internet, and are not taking security precautions such as using strong
passwords and judicious firewalling, it is only a matter of time until you get
hacked.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<div style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color blue; border-width: medium medium medium 1.5pt; padding: 0in 0in 0in 4pt;">
<div>
<div style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p><b><span style="font-size: 10pt;">From:</span></b><span style="font-size: 10pt;">
<a href="mailto:asterisk-biz-bounces@lists.digium.com" target="_blank">asterisk-biz-bounces@lists.digium.com</a>
[mailto:<a href="mailto:asterisk-biz-bounces@lists.digium.com" target="_blank">asterisk-biz-bounces@lists.digium.com</a>] <b>On Behalf Of </b>Jai Rangi<br>
<b>Sent:</b> Saturday, February 07, 2009 6:57 PM<div><br>
<b>To:</b> Commercial and Business-Oriented Asterisk Discussion<br>
</div><b>Subject:</b> Re: [asterisk-biz] PBX got Hacked</span></p>
</div>
</div><div><div></div><div>
<p> </p>
<p style="margin-bottom: 12pt;">$2000 calls in one hours? The
fraud user must be a professional hacker and should have some kind of VoIP
system and 10s (if not hundreds) of friends calling at the same time. <br>
<br>
</p>
<div>
<p>On Sat, Feb 7, 2009 at 3:46 PM, Gregory Boehnlein <<a href="mailto:damin@nacs.net" target="_blank">damin@nacs.net</a>> wrote:</p>
<div>
<div>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Let me guess…</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p style="text-indent: -0.25in;"><span style="font-size: 11pt; color: rgb(31, 73, 125);">1.</span><span style="font-size: 7pt; color: rgb(31, 73, 125);"> </span><span style="font-size: 11pt; color: rgb(31, 73, 125);">The Switchvox was open to the Internet</span></p>
<p style="text-indent: -0.25in;"><span style="font-size: 11pt; color: rgb(31, 73, 125);">2.</span><span style="font-size: 7pt; color: rgb(31, 73, 125);"> </span><span style="font-size: 11pt; color: rgb(31, 73, 125);">The extensions were simple (three / four
digits) and the passwords matched the extensions</span></p>
<p style="text-indent: -0.25in;"><span style="font-size: 11pt; color: rgb(31, 73, 125);">3.</span><span style="font-size: 7pt; color: rgb(31, 73, 125);"> </span><span style="font-size: 11pt; color: rgb(31, 73, 125);">The attacker was able to register from
the public Internet as one of the users and send the calls.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Sounds much more like an
installation done by someone who had no clue about IP security. Don't blame
Switchvox for the installers lack of a clue.. Switchvox is designed to run
behind a firewall, and best practices for installation would dictate that you
be very paranoid about what to allow to communicate w/ the PBX. Allowing it to
be openly accessed on the Public Internet is shear stupidity.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">So.. what am I missing here?</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<div style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color blue; border-width: medium medium medium 1.5pt; padding: 0in 0in 0in 4pt;">
<div>
<div style="border-style: solid none none; border-color: -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p><b><span style="font-size: 10pt;">From:</span></b><span style="font-size: 10pt;"> <a href="mailto:asterisk-biz-bounces@lists.digium.com" target="_blank">asterisk-biz-bounces@lists.digium.com</a>
[mailto:<a href="mailto:asterisk-biz-bounces@lists.digium.com" target="_blank">asterisk-biz-bounces@lists.digium.com</a>]
<b>On Behalf Of </b>VIP Carrier<br>
<b>Sent:</b> Saturday, February 07, 2009 6:36 PM<br>
<b>To:</b> Commercial and Business-Oriented Asterisk Discussion<br>
<b>Subject:</b> [asterisk-biz] PBX got Hacked</span></p>
</div>
</div>
<p> </p>
<div>
<div>
<p style="margin-bottom: 12pt;">Guys,<br>
I can't belive that our client's PBX got hacked today.<br>
My client has a SwitchVOX SMB and it got hacked!<br>
some F@ckers with a following IP's <br>
91.121.132.208<br>
69.60.114.222<br>
was able to send a calls in a matter of 1 hr for more then $2000<br>
<br>
what can I say stay a way from switchvox </p>
</div>
</div>
<p><span style="color: rgb(136, 136, 136);">-- <br>
This message has been scanned for viruses and <br>
dangerous content by <a href="http://www.n2net.net/Products.asp?PageId=1&SubId=14" target="_blank"><b>N2Net
Mailshield</b></a><b>, and is <br>
believed to be clean. </b></span><b></b></p>
</div>
</div>
</div>
<p><b><br>
_______________________________________________<br>
--Bandwidth and Colocation Provided by <a href="http://www.api-digital.com--" target="_blank">http://www.api-digital.com--</a><br>
<br>
asterisk-biz mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-biz" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-biz</a></b></p>
</div>
<p><b><br>
<br>
-- <br>
This message has been scanned for viruses and <br>
dangerous content by <a href="http://www.n2net.net/Products.asp?PageId=1&SubId=14" target="_blank">N2Net Mailshield</a>,
and is <br>
believed to be clean. </b></p>
</div></div></div>
</div>
</div>
<br>_______________________________________________<br>
--Bandwidth and Colocation Provided by <a href="http://www.api-digital.com--" target="_blank">http://www.api-digital.com--</a><br>
<br>
asterisk-biz mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-biz" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-biz</a><br></blockquote></div><br>
</div></div><br>_______________________________________________<br>
--Bandwidth and Colocation Provided by <a href="http://www.api-digital.com--" target="_blank">http://www.api-digital.com--</a><br>
<br>
asterisk-biz mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-biz" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-biz</a><br></blockquote></div><br>