[asterisk-users] SIP Asterisk Hacked (1.6.0.6)
John Novack
jnovack at stromberg-carlson.org
Wed Mar 25 10:47:25 CDT 2009
I screen all incoming calls for unknown, asterisk, anonymous, restricted
and perhaps others that don't immediately come to mind. Incoming calls
don't lead either to any termination that would cost me.
You should be smart enough to set up a way to use it when you are "out and
about", keeping in mind that, like human companions, there is no perfect
solution. Canines are the only perfect companions.
It is a continuing war, the kiddies find a hole, you plug it, they find
another hole, you plug it, until someone is fed up with the game.
John Novack
David Anthony O Reilly wrote:
> Hi all
>
> I have been hacked but no idea how!!! I noticed somebody in Eastern
> Europe came from an American IP and tried to call loads of
> international numbers. Thankfully I had no credit with my VOIP out
> provider so the calls went nowhere. But if I had credit it would all
> have been used up.
>
> I noticed hundreds of calls being made from clid and src being either
> UNKNOWN or as ASTERISK.
>
> Here is a sample:
>
> 2009-03-24 16:47:14 "asterisk" <asterisk> asterisk 0037322483581
> default SIP/66.199.242.101-09da9128 IAX2/out-1497 Dial
> iax2/out/0037322483581 8 6 ANSWERED 3 1237913234.1077
> 2009-03-24 16:47:15 "Unknown" <Unknown> Unknown 00380449536745 default
> SIP/66.199.242.101-09da5230 IAX2/out-516 Dial iax2/out/00380449536745
> 8 7 ANSWERED 3 1237913235.1081
>
> I've reported it to the authorities and they are doing a backtrace to
> find the hacker, and in the meantime I have set my firewall that ONLY
> SIP requests from my own IP address can connect so my home phones can
> connect.
>
> My config is ALL NORMAL - I am careful about putting it up here in
> case somebody else tries a fast one on me, but what I can tell you is
> that my passwords are all SHA1 substrings and there is no way in hell
> somebody could guess them. My box was not compromised either, as I
> went through my message logs, my ISP also has a server firewall rule
> set up so that one false password and the details are logged and I'm
> notified as somebody also tried a dictionary attack on me.
>
> So now my system is all ruled up and I can only use it from here, if I
> am out and about I can't use it.
>
> Anybody have any ideas about what I can do to try and find this
> security hole??? I am sure it's a bug as surely nobody should have
> been able to log into asterisk WITHOUT a password (from what I can
> see!!) and make calls out leaving the source and id as UNKNOWN or
> ASTERISK.
>
> Thanks in advance
> David
--
Dog is my co-pilot
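
Added example, not part of the original thread: a small Python check that runs the screening list from the reply over CDR lines in the layout quoted above and counts suspicious calls per source peer and context. The field layout, the `00` international prefix and all function names are assumptions made for this example; the third and fourth sample lines are constructed.

```python
import re
from collections import Counter

# Caller IDs the reply says it screens (compared case-insensitively).
SCREENED_IDS = {"unknown", "asterisk", "anonymous", "restricted"}

# Field layout of the CDR lines as posted in the thread (assumed from the sample).
CDR_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) "(?P<name>[^"]*)" <(?P<num>[^>]*)> '
    r'(?P<src>\S+) (?P<dst>\S+) (?P<context>\S+) (?P<channel>\S+) '
    r'(?P<dstchannel>\S+) (?P<app>\S+) (?P<data>\S+) (?P<duration>\d+) '
    r'(?P<billsec>\d+) (?P<disposition>\S+) (?P<amaflags>\d+) (?P<uniqueid>\S+)$'
)

SAMPLE = [
    # The two records quoted in the thread, unwrapped to one line each.
    '2009-03-24 16:47:14 "asterisk" <asterisk> asterisk 0037322483581 default SIP/66.199.242.101-09da9128 IAX2/out-1497 Dial iax2/out/0037322483581 8 6 ANSWERED 3 1237913234.1077',
    '2009-03-24 16:47:15 "Unknown" <Unknown> Unknown 00380449536745 default SIP/66.199.242.101-09da5230 IAX2/out-516 Dial iax2/out/00380449536745 8 7 ANSWERED 3 1237913235.1081',
    # Constructed: an ordinary internal call and a line that does not parse.
    '2009-03-24 17:02:40 "Home Phone" <1001> 1001 1002 internal SIP/1001-09da0001 SIP/1002-09da0002 Dial SIP/1002 12 9 ANSWERED 3 1237914160.1090',
    'truncated record',
]

def parse_cdr(line):
    """Return the record as a dict, or None if the line does not fit the layout."""
    m = CDR_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # Channel names look like TECH/peer-suffix; keep only the peer part.
    rec["peer"] = rec["channel"].split("/", 1)[-1].rsplit("-", 1)[0]
    return rec

def is_suspicious(rec, intl_prefix="00"):
    """Screened caller ID placing a call to an international (00...) number."""
    return rec["src"].lower() in SCREENED_IDS and rec["dst"].startswith(intl_prefix)

def summarize(lines):
    """Count suspicious calls per (source peer, dialplan context)."""
    hits, skipped = Counter(), 0
    for line in lines:
        rec = parse_cdr(line)
        if rec is None:
            skipped += 1  # report unparseable records instead of dropping them
        elif is_suspicious(rec):
            hits[(rec["peer"], rec["context"])] += 1
    return hits, skipped

if __name__ == "__main__":
    hits, skipped = summarize(SAMPLE)
    for (peer, context), n in hits.most_common():
        print(f"{n} screened-ID international calls from {peer} in [{context}]")
    print(f"{skipped} line(s) could not be parsed")
```

Grouping by peer and context shows at a glance which source address and which dialplan context the flagged calls came through, which is where a review of the configuration would start.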