[asterisk-bugs] [Asterisk 0014750]: Asterisk allowed access by anonymous SIP user

Asterisk Bug Tracker noreply at bugs.digium.com
Thu Mar 26 15:01:59 CDT 2009


The following issue has been CLOSED 
====================================================================== 
http://bugs.digium.com/view.php?id=14750 
====================================================================== 
Reported By:                trendboy
Assigned To:                tilghman
====================================================================== 
Project:                    Asterisk
Issue ID:                   14750
Category:                   Channels/chan_sip/General
Reproducibility:            have not tried
Severity:                   block
Priority:                   normal
Status:                     closed
Asterisk Version:           1.6.0.6 
Regression:                 No 
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
Resolution:                 no change required
Fixed in Version:           
====================================================================== 
Date Submitted:             2009-03-25 10:09 CDT
Last Modified:              2009-03-26 15:01 CDT
====================================================================== 
Summary:                    Asterisk allowed access by anonymous SIP user
Description: 
I am not sure how to go about investigating this and I hope it is
appropriate for bug reports but last night my system was hacked yet I
thought I had a very hard system.

I have a feeling it was because I submitted a bug that got fixed but in
the process gave my system config settings namely iax.conf which showed the
string I used in my extensions.ael to dial out.

Somebody managed to log in without a username and password from what I can
make out and place calls on the iax channel. Thankfully I had no credit
with my voip out provider so it didn't cost me money. But in the meantime I
have had to completely lock down my system to only accept connections from
my home ip as set by my firewall.

Please let me know what details you will need from me and I will gladly
provide them however I will need to be very careful about posting settings.
I've renamed everything with SHA1 passwords and using Irish language names
for channels etc to make it extremely hard to guess.

My guess is that somebody managed to gain access with sip and then sent
hundreds of calls through the out channel through some kind of dialer
script to numbers in Eastern Europe. I have of course reported this to the
ISP of the offending IP but of course that must have been a hopping station
only so hopefully they will search their logs and hopefully trace it back
to the source.

Here are two lines from the CDR:

2009-03-24 16:47:14	"asterisk" <asterisk>	asterisk	0037322483581	default	SIP/66.199.242.101-09da9128	IAX2/out-1497	Dial	iax2/out/0037322483581	8	6	ANSWERED	3		 	1237913234.1077

2009-03-24 16:47:15	"Unknown" <Unknown>	Unknown	00380449536745	default	SIP/66.199.242.101-09da5230	IAX2/out-516	Dial	iax2/out/00380449536745	8	7	ANSWERED	3	1237913235.1081

It is amazing that anybody was able to get through with UNKNOWN as the
clid and src field.

A "much changed" snippet from sip.conf

[general]
externip=<my ip>
srvlookup=yes
port=5060
bindaddr=<my ip>
allow=g729
language=uk
canreinvite=no


Then my settings for sip which I really want to leave out unless I really
have to add them.

If this is a bug then it means everybody with an asterisk 1.6.0.6 is in
big trouble!!! :( setting up a firewall to only let specified hosts connect
is not a long term solution at all as you can imagine.

Thanks a mill in advance!! and please let me know if you need anything to
help work through this.

I can't try it in a later rc version as I have no idea how this person
managed to hack in the first place :(
====================================================================== 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-03-26 15:01 tilghman       Status                   assigned => closed
2009-03-26 15:01 tilghman       Resolution               open => no change required
2009-03-26 15:01 tilghman       View Status              private => public
2009-03-26 15:01 tilghman       Summary                  Asterisk 1.6.0.6 hacked by anonymous SIP user => Asterisk allowed access by anonymous SIP user
======================================================================
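
Added example, not part of the original report or of Asterisk: a Python triage of CDR records like the two quoted in the description, flagging outbound Dial calls that entered the default context on a SIP channel named after a bare IP address instead of a configured peer. The field order is taken from those two records; treating an IP-named channel as a guest call and "00" as the international prefix are assumptions, and the third sample record is constructed.

```python
import ipaddress
import re

# Field order inferred from the two tab-separated CDR records in the report.
FIELDS = ["calldate", "clid", "src", "dst", "dcontext", "channel", "dstchannel",
          "lastapp", "lastdata", "duration", "billsec", "disposition", "amaflags"]
CHANNEL_RE = re.compile(r"^SIP/(?P<peer>.+)-[0-9a-fA-F]+$")

def parse_cdr(line):
    """Split one tab-separated CDR line into a dict; missing fields become ''."""
    parts = [p.strip() for p in line.rstrip("\n").split("\t")]
    parts += [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, parts))

def peer_is_ip(channel):
    """True if the SIP channel is named after an IP address, not a peer name."""
    m = CHANNEL_RE.match(channel)
    if not m:
        return False
    try:
        ipaddress.ip_address(m.group("peer"))
        return True
    except ValueError:
        return False

def flag_guest_toll_calls(lines, guest_context="default", intl_prefix="00"):
    """Return records that look like unauthenticated SIP callers dialling out.
    Assumptions: guest calls land in guest_context; intl_prefix marks toll calls."""
    hits = []
    for rec in map(parse_cdr, lines):
        if (peer_is_ip(rec["channel"]) and rec["dcontext"] == guest_context
                and rec["lastapp"] == "Dial" and rec["dst"].startswith(intl_prefix)):
            hits.append(rec)
    return hits

# Records 1 and 2 are the ones quoted in the report (re-joined); record 3 is constructed.
SAMPLE = ["\t".join(fields) for fields in [
    ['2009-03-24 16:47:14', '"asterisk" <asterisk>', 'asterisk', '0037322483581',
     'default', 'SIP/66.199.242.101-09da9128', 'IAX2/out-1497', 'Dial',
     'iax2/out/0037322483581', '8', '6', 'ANSWERED', '3'],
    ['2009-03-24 16:47:15', '"Unknown" <Unknown>', 'Unknown', '00380449536745',
     'default', 'SIP/66.199.242.101-09da5230', 'IAX2/out-516', 'Dial',
     'iax2/out/00380449536745', '8', '7', 'ANSWERED', '3'],
    ['2009-03-24 16:50:02', '"Reception" <201>', '201', '00000000000',
     'internal', 'SIP/reception-0a1b2c3d', 'IAX2/out-77', 'Dial',
     'iax2/out/00000000000', '12', '9', 'ANSWERED', '3'],
]]

if __name__ == "__main__":
    for rec in flag_guest_toll_calls(SAMPLE):
        print(rec["calldate"], rec["channel"], "->", rec["dst"], rec["disposition"])
```

In chan_sip, whether calls from unmatched callers are accepted at all is controlled by allowguest, and the context they land in by context in [general] of sip.conf.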