[asterisk-users] SIP Asterisk Hacked (1.6.0.6)

Martin asterisklist at callthem.info
Fri Mar 27 00:49:34 CDT 2009 

Y, did you have the extension logic to call to PSTN in [default] ???
If yes, then your system was not hacked...

you need to read some documentation and find out the [default] context is
supposed
to be non-secure... if you allow routes to PSTN in [default] then you're
inviting others to call out

Martin

On Wed, Mar 25, 2009 at 9:40 AM, David Anthony O Reilly <oreillda at tcd.ie>wrote:

> Hi all
> I have been hacked but no idea how!!! I noticed somebody in Eastern Europe
> came from an American IP and tried to call loads of international numbers.
> Thankfully I had no credit with my VOIP out provider so the calls went
> nowhere. But if I had credit it would all have been used up.
>
> I noticed hundreds of calls being made from clid and src being either
> UNKNOWN or as ASTERISK.
>
> Here are a sample:
>
> 2009-03-24 16:47:14 "asterisk" <asterisk> asterisk 0037322483581 default
> SIP/66.199.242.101-09da9128 IAX2/out-1497 Dial iax2/out/0037322483581 8 6
> ANSWERED 3 1237913234.1077
>  2009-03-24 16:47:15 "Unknown" <Unknown> Unknown 00380449536745 default
> SIP/66.199.242.101-09da5230 IAX2/out-516 Dial iax2/out/00380449536745 8 7
> ANSWERED 3   1237913235.1081
>
> I've reported it to the authorities and they are doing a backtrace to find
> the hacker, and in the meantime I have set my firewall that ONLY SIP
> requests from my own IP address can connect so my home phones can connect.
>
> My config is ALL NORMAL - I am careful about putting it up here in case
> somebody else tries a fast one on me, but what I can tell you is that my
> passwords are all SHA1 substrings and there is no way in hell somebody could
> guess them. My box was not compromised either, as I went through my message
> logs, my ISP also has a server firewall rule set up so that one false
> password and the details are logged and I'm notified as somebody also tried
> a dictionary attack on me.
>
> So now my system is all ruled up and I can only use it from here, if I am
> out and about I can't use it.
>
> Anybody have any ideas about what I can do to try and find this security
> hole??? I am sure it's a bug as surely nobody should have been able to log
> into asterisk WITHOUT a password (from what i can see!!) and make calls out
> leaving the source and id as UNKNOWN or ASTERISK.
>
> Thanks in advance
> David
>
> _______________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.digium.com/pipermail/asterisk-users/attachments/20090327/f1b5437e/attachment.htm

More information about the asterisk-users mailing list