[asterisk-users] SIP Asterisk Hacked (1.6.0.6)
ContactTel Business
lists at contacttel.com
Wed Mar 25 09:48:17 CDT 2009
Yes, if you are using IAX2, you could check iax.conf for a default config..
[default] is used when non-auth'ed, usually.
1-888-372-6501
sales at contacttel.com
http://www.contacttel.com
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of David Anthony O Reilly
Sent: March-25-09 10:40 AM
To: asterisk-users at lists.digium.com
Subject: [asterisk-users] SIP Asterisk Hacked (1.6.0.6)
Hi all
I have been hacked but have no idea how!!! I noticed somebody in Eastern Europe came from an American IP and tried to call loads of international numbers. Thankfully I had no credit with my VoIP out provider, so the calls went nowhere. But if I had credit it would all have been used up.
I noticed hundreds of calls being made with clid and src being either UNKNOWN or ASTERISK.
Here is a sample:
2009-03-24 16:47:14 "asterisk" <asterisk> asterisk 0037322483581 default SIP/66.199.242.101-09da9128 IAX2/out-1497 Dial iax2/out/0037322483581 8 6 ANSWERED 3 1237913234.1077
2009-03-24 16:47:15 "Unknown" <Unknown> Unknown 00380449536745 default SIP/66.199.242.101-09da5230 IAX2/out-516 Dial iax2/out/00380449536745 8 7 ANSWERED 3 1237913235.1081
I've reported it to the authorities and they are doing a backtrace to find the hacker, and in the meantime I have set my firewall so that ONLY SIP requests from my own IP address can connect, so my home phones can connect.
My config is ALL NORMAL - I am careful about putting it up here in case somebody else tries a fast one on me, but what I can tell you is that my passwords are all SHA1 substrings and there is no way in hell somebody could guess them. My box was not compromised either, as I went through my message logs; my ISP also has a server firewall rule set up so that after one false password the details are logged and I'm notified, as somebody also tried a dictionary attack on me.
So now my system is all ruled up and I can only use it from here; if I am out and about I can't use it.
Anybody have any ideas about what I can do to try and find this security hole??? I am sure it's a bug, as surely nobody should have been able to log into Asterisk WITHOUT a password (from what I can see!!) and make calls out leaving the source and id as UNKNOWN or ASTERISK.
Thanks in advance
David
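An added detection example, not from either poster: it parses CDR records in the layout quoted above and flags calls that landed in the unauthenticated [default] context on a SIP channel named after a bare IP (rather than a configured peer) and were then sent to the outbound trunk, grouping the hits by source IP. The `IAX2/out` trunk prefix, the IP-named-channel rule and the third, legitimate sample record are assumptions for illustration.

```python
import re
from collections import defaultdict

# One CDR record in the whitespace-separated layout shown in the post:
# calldate, clid, src, dst, dcontext, channel, dstchannel, lastapp, lastdata,
# duration, billsec, disposition, amaflags, uniqueid.
CDR_RE = re.compile(
    r'^(?P<calldate>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<clid>"[^"]*" <[^>]*>)\s+'
    r'(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dcontext>\S+)\s+(?P<channel>\S+)\s+'
    r'(?P<dstchannel>\S+)\s+(?P<lastapp>\S+)\s+(?P<lastdata>\S+)\s+(?P<duration>\d+)\s+'
    r'(?P<billsec>\d+)\s+(?P<disposition>\S+)\s+(?P<amaflags>\d+)\s+(?P<uniqueid>\S+)$'
)
# Assumption: a channel like SIP/66.199.242.101-09da9128 carries a bare IP instead
# of a peer name, i.e. the call did not come from an authenticated peer.
GUEST_CHAN_RE = re.compile(r'^SIP/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-')

def parse_cdr(line):
    m = CDR_RE.match(line.strip())
    return m.groupdict() if m else None

def is_toll_fraud_candidate(rec, guest_context="default", trunk_prefix="IAX2/out"):
    """True when a call (a) hit the unauthenticated context, (b) arrived on an
    IP-named SIP channel and (c) was bridged to the outbound trunk."""
    return (rec["dcontext"] == guest_context
            and GUEST_CHAN_RE.match(rec["channel"]) is not None
            and rec["dstchannel"].startswith(trunk_prefix))

def summarize(lines, **kw):
    """Group flagged calls by source IP: call count, answered count, billsec, destinations."""
    per_ip = defaultdict(lambda: {"calls": 0, "answered": 0, "billsec": 0, "dsts": set()})
    for line in lines:
        rec = parse_cdr(line)
        if rec is None or not is_toll_fraud_candidate(rec, **kw):
            continue
        s = per_ip[GUEST_CHAN_RE.match(rec["channel"]).group("ip")]
        s["calls"] += 1
        s["answered"] += int(rec["disposition"] == "ANSWERED")
        s["billsec"] += int(rec["billsec"])
        s["dsts"].add(rec["dst"])
    return dict(per_ip)

# Constructed sample: the two records quoted in the post plus one legitimate call
# from a named, authenticated peer (constructed) that must not be flagged.
SAMPLE = [
    '2009-03-24 16:47:14 "asterisk" <asterisk> asterisk 0037322483581 default SIP/66.199.242.101-09da9128 IAX2/out-1497 Dial iax2/out/0037322483581 8 6 ANSWERED 3 1237913234.1077',
    '2009-03-24 16:47:15 "Unknown" <Unknown> Unknown 00380449536745 default SIP/66.199.242.101-09da5230 IAX2/out-516 Dial iax2/out/00380449536745 8 7 ANSWERED 3 1237913235.1081',
    '2009-03-24 17:02:03 "Home" <201> 201 0035312345678 internal SIP/homephone-0a1b2c3d IAX2/out-1500 Dial iax2/out/0035312345678 40 35 ANSWERED 3 1237914123.1090',
]

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE).items():
        print(f"{ip}: {s['calls']} calls, {s['answered']} answered, {s['billsec']}s billed, {len(s['dsts'])} destinations")
```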