[asterisk-users] SIP Asterisk Hacked (1.6.0.6)
David Anthony O Reilly
oreillda at tcd.ie
Wed Mar 25 09:40:24 CDT 2009
Hi all
I have been hacked but no idea how!!! I noticed somebody in Eastern Europe
came from an American IP and tried to call loads of international numbers.
Thankfully I had no credit with my VOIP out provider so the calls went
nowhere. But if I had credit it would all have been used up.
I noticed hundreds of calls being made from clid and src being either
UNKNOWN or as ASTERISK.
Here are a sample:
2009-03-24 16:47:14 "asterisk" <asterisk> asterisk 0037322483581 default
SIP/66.199.242.101-09da9128 IAX2/out-1497 Dial iax2/out/0037322483581 8 6
ANSWERED 3 1237913234.1077
2009-03-24 16:47:15 "Unknown" <Unknown> Unknown 00380449536745 default
SIP/66.199.242.101-09da5230 IAX2/out-516 Dial iax2/out/00380449536745 8 7
ANSWERED 3 1237913235.1081
I've reported it to the authorities and they are doing a backtrace to find
the hacker, and in the meantime I have set my firewall that ONLY SIP
requests from my own IP address can connect so my home phones can connect.
My config is ALL NORMAL - I am careful about putting it up here in case
somebody else tries a fast one on me, but what I can tell you is that my
passwords are all SHA1 substrings and there is no way in hell somebody could
guess them. My box was not compromised either, as I went through my message
logs, my ISP also has a server firewall rule set up so that one false
password and the details are logged and I'm notified as somebody also tried
a dictionary attack on me.
So now my system is all ruled up and I can only use it from here, if I am
out and about I can't use it.
Anybody have any ideas about what I can do to try and find this security
hole??? I am sure it's a bug as surely nobody should have been able to log
into asterisk WITHOUT a password (from what i can see!!) and make calls out
leaving the source and id as UNKNOWN or ASTERISK.
Thanks in advance
David
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.digium.com/pipermail/asterisk-users/attachments/20090325/275b25c3/attachment.htm
More information about the asterisk-users
mailing list