[asterisk-users] [OFF LIST] Re: Hacking

Dovid Bender dovid at telecurve.com
Sun Jun 16 18:08:18 CDT 2019


Oops, that was supposed to be off list...


On Sun, Jun 16, 2019 at 7:07 PM Dovid Bender <dovid at telecurve.com> wrote:

> John,
>
> I spoke about security last year at Astricon [1]. If I had to guess
> without even knowing what your setup is I would say they either got in via
> an insecure phone (either default pass or one with a known security issue)
> or via a provisioning server. If you want I can help poke around your
> system tomorrow to see if we can figure out how they get in.
>
> Regards,
>
> Dovid
>
>
> [1] https://www.youtube.com/watch?v=9Wzzlo1kfTQ&t=1s
>
> On Sun, Jun 16, 2019 at 6:37 PM John T. Bittner <john at xaccel.net> wrote:
>
>> Anyone know how someone can hack an Asterisk box and register with every
>> single account on the box?
>>
>> This box only has 3 accounts, with very complex passwords. Have VoIP
>> blacklist setup and fail2ban…
>>
>> The hackers were able to make 2 calls to Cuba before my alerting system
>> texted me.
>>
>> I am running Asterisk 16.3 with PJSIP.
>>
>> This is my only box open to the outside world, a requirement for this one
>> customer.
>>
>> Looked into my logs… can't find anything out of the ordinary.
>>
>> Any ideas?
>>
>>   Contact:  <Aor/ContactUri..............................> <Hash....> <Status> <RTT(ms)..>
>> ==========================================================================================
>>
>>   Contact:  12120001001/sip:12120001001 at 5.79.64.23:9227    ee80678930 NonQual         nan
>>   Contact:  848842405/sip: 848842405 at 5.79.64.23:9227 031ed703ba NonQual         nan
>>   Contact:  848842405/sip: 848842405 at 5.79.64.23:9227 031ed703ba NonQual         nan
>>   Contact:  ghbhhm0000/sip:ghbhhm0000 at 5.79.64.23:9227      959fc8fbf4 NonQual         nan
>>   Contact:  ghbhhm0000/sip:ghbhhm0000 at 5.79.64.23:9227      959fc8fbf4 NonQual         nan
>>   Contact:  ghbhhm0000/sip:ghbhhm0000 at 5.79.64.23:9228      d7bf838918 NonQual         nan
>>   Contact:  ghbhhm0000/sip:ghbhhm0000 at 5.79.64.23:9228      d7bf838918 NonQual         nan
>>
>> Any help is much appreciated.
>>
>> John Bittner
>>
>> CTO
>>
>> 380 US Highway 46, Suite 500
>>
>> Totowa, NJ 07512
>>
>> Phone: 201.806.2602 x2405
>>
>> Fax:       201.806.2604
>>
>> Cell:       973.390.1090
>>
>> www.xaccel.net
>>
>
>
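
The contact listing quoted above shows several accounts registered from a single address. As an added example (not part of the original thread and not Asterisk's own code), this script parses contact lines in that layout and flags any source host that holds registrations for more than one AOR, or for an AOR whose allowlisted host is different. The sample listing, AOR names, addresses and the per-AOR allowlist are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the contact listing; AOR names, hashes
# and addresses (RFC 5737 documentation ranges) are made up for this example.
SAMPLE = """\
  Contact:  1001/sip:1001@198.51.100.7:5060            a1b2c3d4e5 Avail        21.4
  Contact:  1002/sip:1002@203.0.113.50:9227            ee80678931 NonQual       nan
  Contact:  1003/sip:1003@203.0.113.50:9227            031ed703bb NonQual       nan
  Contact:  1003/sip:1003@203.0.113.50:9228            d7bf838919 NonQual       nan
"""

# "Contact:  <aor>/<sip uri> ..." capturing the AOR and the URI's host part.
CONTACT_RE = re.compile(
    r"^\s*Contact:\s+(?P<aor>[^/\s]+)/sips?:\s*(?:[^@\s]+@)?(?P<host>[^:;\s]+)"
)

def parse_contacts(text):
    """Return (aor, host) pairs; header and separator lines do not match."""
    pairs = []
    for line in text.splitlines():
        m = CONTACT_RE.match(line)
        if m:
            pairs.append((m.group("aor"), m.group("host")))
    return pairs

def suspicious_hosts(pairs, expected=None, max_aors_per_host=1):
    """Flag hosts that registered too many AORs, or an AOR whose entry in
    the (hypothetical) allowlist `expected` names other hosts."""
    expected = expected or {}
    by_host = defaultdict(set)
    for aor, host in pairs:
        by_host[host].add(aor)
    findings = {}
    for host, aors in by_host.items():
        reasons = []
        if len(aors) > max_aors_per_host:
            reasons.append(f"{len(aors)} AORs registered from one host")
        wrong = sorted(a for a in aors if a in expected and host not in expected[a])
        if wrong:
            reasons.append("unexpected host for " + ", ".join(wrong))
        if reasons:
            findings[host] = reasons
    return findings

if __name__ == "__main__":
    allow = {"1001": {"198.51.100.7"}, "1002": {"198.51.100.8"}}  # assumed allowlist
    for host, reasons in suspicious_hosts(parse_contacts(SAMPLE), allow).items():
        print(host, "->", "; ".join(reasons))
```

Run from cron against a saved contact listing, a non-empty result is a cue to alert before calls are placed rather than after.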