[asterisk-users] Hacking

John T. Bittner john at xaccel.net
Sun Jun 16 18:13:02 CDT 2019 

I took a look for that, Mysql running but blocked in the firewall.
I do have a web gui but its hides the passwords + has a single login for admin with complex password.
Even if they hacked the web site, they have no way of getting the passwords my configs are static in the asterisk folder.
SSH is blocked.

Logs do not show any http access, secure or any other fingerprints.

I am going to honeypot this box to see if I can capture there invites.

John
Xaccel



From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Dovid Bender
Sent: Sunday, June 16, 2019 6:59 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users at lists.digium.com>
Subject: Re: [asterisk-users] Hacking

John,

There are a lot of factors at play for instance are you using a gui that has a known vlun? Is there mysql running on the box with a simple password? Perhaps they didnt hack your PBX but they comprised a SIP phone  and once they had the credentials  they made calls? Do you have a provisioning system?

We have seen all of the above. Most of the compromises we are seeing these days is either via a Provisioning server or phones that are accessible on the internet with weak passwords




Regards,

Dovid
From: john at xaccel.net<mailto:john at xaccel.net>
Sent: June 16, 2019 18:37
To: asterisk-users at lists.digium.com<mailto:asterisk-users at lists.digium.com>
Reply-to: asterisk-users at lists.digium.com<mailto:asterisk-users at lists.digium.com>
Subject: [asterisk-users] Hacking


Anyone know how someone can hack an asterisk box and register with every single account on the box.
This box only has 3 accounts, with very complex passwords. Have VoIP blacklist setup and fail2ban…

The hackers were able to make 2 calls to Cuba before my alerting system texted me.

I am running asterisk 16.3 with PJSIP.

This is my only box open to the outside world, a requirement for this one customer.
Looked into my logs… can't find anything out of the ordinary.


Any ideas ?



  Contact:  <Aor/ContactUri..............................> <Hash....> <Status> <RTT(ms)..>
==========================================================================================

  Contact:  12120001001/sip:12120001001 at 5.79.64.23<mailto:12120001001 at 5.79.64.23>:9227    ee80678930 NonQual         nan
  Contact:  848842405/sip: 848842405 at 5.79.64.23<mailto:848842405 at 5.79.64.23>:9227                  031ed703ba NonQual         nan
  Contact:  848842405/sip: 848842405 at 5.79.64.23<mailto:848842405 at 5.79.64.23>:9227                  031ed703ba NonQual         nan
  Contact:  ghbhhm0000/sip:ghbhhm0000 at 5.79.64.23<mailto:ghbhhm0000 at 5.79.64.23>:9227      959fc8fbf4 NonQual         nan
  Contact:  ghbhhm0000/sip:ghbhhm0000 at 5.79.64.23<mailto:ghbhhm0000 at 5.79.64.23>:9227      959fc8fbf4 NonQual         nan
  Contact:  ghbhhm0000/sip:ghbhhm0000 at 5.79.64.23<mailto:ghbhhm0000 at 5.79.64.23>:9228      d7bf838918 NonQual         nan
  Contact:  ghbhhm0000/sip:ghbhhm0000 at 5.79.64.23<mailto:ghbhhm0000 at 5.79.64.23>:9228      d7bf838918 NonQual         nan

Any helps is much appreciated.


John Bittner
CTO
[xaccellogoemail]
380 US Highway 46, Suite 500
Totowa, NJ 07512
Phone: 201.806.2602 x2405<tel:2018062602,2405>
Fax:       201.806.2604<tel:2018062604>
Cell:       973.390.1090<tel:9733901090>
www.xaccel.net<http://www.xaccel.net/>

CONFIDENTIALITY NOTICE:
This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential
and privileged information which should not be shared or forwarded. Any unauthorized review, use, disclosure or distribution
is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the e-mail.

________________________________


Teach Canit xAntispam if this mail is spam:
Spam<http://mx1.xantispam.net/canit/b.php?c=s&i=020pz0aHc&m=a5b99ef03d9e&rlm=xaccel-net>
Not spam<http://mx1.xantispam.net/canit/b.php?c=n&i=020pz0aHc&m=a5b99ef03d9e&rlm=xaccel-net>
Forget previous vote<http://mx1.xantispam.net/canit/b.php?c=f&i=020pz0aHc&m=a5b99ef03d9e&rlm=xaccel-net>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20190616/48587cc5/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 4300 bytes
Desc: image001.png
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20190616/48587cc5/attachment-0001.png>

More information about the asterisk-users mailing list