[asterisk-users] [OFF LIST] Re: Hacking
Dovid Bender
dovid at telecurve.com
Sun Jun 16 18:07:08 CDT 2019
John,
I spoke about security last year at Astricon [1]. If I had to guess without
even knowing what your setup is I would say they either got in via an
insecure phone (either default pass or one with a known security issue) or
via a provisioning server. If you want I can help poke around your system
tomorrow to see if we can figure out how they get in.
Regards,
Dovid
[1] https://www.youtube.com/watch?v=9Wzzlo1kfTQ&t=1s
On Sun, Jun 16, 2019 at 6:37 PM John T. Bittner <john at xaccel.net> wrote:
> Anyone know how someone can hack an Asterisk box and register with every
> single account on the box?
>
> This box only has 3 accounts, with very complex passwords. Have VoIP
> blacklist setup and fail2ban…
>
> The hackers were able to make 2 calls to Cuba before my alerting system
> texted me.
>
> I am running Asterisk 16.3 with PJSIP.
>
> This is my only box open to the outside world, a requirement for this one
> customer.
>
> Looked into my logs… can't find anything out of the ordinary.
>
> Any ideas?
>
> Contact: <Aor/ContactUri..............................> <Hash....> <Status> <RTT(ms)..>
> ==========================================================================================
>
> Contact: 12120001001/sip:12120001001 at 5.79.64.23:9227 ee80678930 NonQual nan
> Contact: 848842405/sip: 848842405 at 5.79.64.23:9227 031ed703ba NonQual nan
> Contact: 848842405/sip: 848842405 at 5.79.64.23:9227 031ed703ba NonQual nan
> Contact: ghbhhm0000/sip:ghbhhm0000 at 5.79.64.23:9227 959fc8fbf4 NonQual nan
> Contact: ghbhhm0000/sip:ghbhhm0000 at 5.79.64.23:9227 959fc8fbf4 NonQual nan
> Contact: ghbhhm0000/sip:ghbhhm0000 at 5.79.64.23:9228 d7bf838918 NonQual nan
> Contact: ghbhhm0000/sip:ghbhhm0000 at 5.79.64.23:9228 d7bf838918 NonQual nan
>
> Any help is much appreciated.
>
> John Bittner
>
> CTO
>
> 380 US Highway 46, Suite 500
>
> Totowa, NJ 07512
>
> Phone: 201.806.2602 x2405
>
> Fax: 201.806.2604
>
> Cell: 973.390.1090
>
> www.xaccel.net
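A check a defender could run over `pjsip show contacts` output like the listing quoted above: group contacts by source host and flag any host that holds contacts on more than one AOR, the pattern that listing shows. This is an added example, not code from the thread; the sample listing and its addresses are constructed, and `shared_source_hosts` and `known_hosts` are hypothetical names.

```python
import re
from collections import defaultdict

# One row of the listing: "Contact: <aor>/<sip uri> <hash> <status> <rtt>".
# "(?:@| at )" also accepts listings pasted from list archives that rewrite "@".
ROW = re.compile(
    r"Contact:\s+(?P<aor>[^/\s]+)/sips?:\s*(?P<user>[^@\s]+)(?:@| at )"
    r"(?P<host>\[[0-9a-fA-F:]+\]|[^:;\s>]+)(?::(?P<port>\d+))?"
)

def shared_source_hosts(listing, known_hosts=frozenset(), min_aors=2):
    """Return {host: sorted AORs} for hosts registered on >= min_aors AORs.

    known_hosts is an allowlist for addresses where sharing is expected,
    for example an office NAT with several phones behind it.
    """
    by_host = defaultdict(set)
    for line in listing.splitlines():
        m = ROW.search(line)  # the header row has no sip: URI, so it is skipped
        if m and m["host"] not in known_hosts:
            by_host[m["host"]].add(m["aor"])
    return {h: sorted(a) for h, a in by_host.items() if len(a) >= min_aors}

# Constructed sample (documentation address ranges, made-up AORs and hashes).
SAMPLE = """\
  Contact:  <Aor/ContactUri..............................> <Hash....> <Status> <RTT(ms)..>
==========================================================================================
  Contact:  1001/sip:1001@198.51.100.20:5060                 1a2b3c4d5e Avail        21.4
  Contact:  1002/sip:1002@198.51.100.20:5062                 2b3c4d5e6f Avail        19.8
  Contact:  1001/sip:1001@203.0.113.50:9227                  3c4d5e6f7a NonQual       nan
  Contact:  1002/sip:1002@203.0.113.50:9227                  4d5e6f7a8b NonQual       nan
  Contact:  1003/sip:1003 at 203.0.113.50:9228               5e6f7a8b9c NonQual       nan
"""

if __name__ == "__main__":
    flagged = shared_source_hosts(SAMPLE, known_hosts={"198.51.100.20"})
    for host, aors in flagged.items():
        print(f"{host} holds contacts on {len(aors)} AORs: {', '.join(aors)}")
```

Feeding it the output of `asterisk -rx "pjsip show contacts"` on a schedule turns the manual inspection in the thread into an alert that fires on registration, before any call is placed.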