[asterisk-users] Hacking

John Runyon john at simplynuc.com
Tue Jun 18 07:18:54 CDT 2019


Just to jump in on this, this just started happening to our system a couple
days ago. (To the tune of 3GB of webserver access logs yesterday)
Our server gives them a 403 for /yealink/ (and a 404 for everything else) -
given that they're still trying to bruteforce it, it looks like I'm gonna
be changing it to give them a 404.
Looks like someone's making a big effort to find provisioning files though.

On Mon, Jun 17, 2019, 13:35 John Kiniston <johnkiniston at gmail.com> wrote:

>
>
> On Sun, Jun 16, 2019 at 3:37 PM John T. Bittner <john at xaccel.net> wrote:
>
>> Anyone know how someone can hack an Asterisk box and register with every
>> single account on the box?
>>
>> This box only has 3 accounts, with very complex passwords. Have VoIP
>> blacklist setup and fail2ban…
>>
>
> I've seen this happen when web-based provisioning is used. I have seen
> attempts to download configuration files off of my provisioning server
> increase in frequency over the last two years.
>
> The 'Hacker' will do a GET on /polycom /cisco /yealink /aastra /mitel etc.
> If they get a valid response they will start enumerating MAC addresses:
>
> /polycom/0004F2018101.cfg
> /polycom/0004F2018102.cfg
> ...
> /polycom/0004F2018109.cfg
>
> Then they will use any credentials gained in the download attack to place
> calls, registering as needed.
>
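
An added example, not part of the original thread: one way to spot the enumeration pattern described above in a web server access log, by grouping requests under the vendor directories per client and counting the distinct MAC-named files each one asked for. The common/combined log format, the thresholds, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Vendor directories named in the thread; extend to match your provisioning layout.
VENDOR_DIRS = ("polycom", "cisco", "yealink", "aastra", "mitel")
# Common/combined access-log line: client address, request target, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD) (\S+)[^"]*" (\d{3})')
PATH_RE = re.compile(r"^/(%s)(?:/([^/]*))?$" % "|".join(VENDOR_DIRS), re.I)
MAC_RE = re.compile(r"[0-9A-Fa-f]{12}")  # MAC-named file, e.g. 0004F2018101.cfg


def find_provisioning_scans(lines, min_macs=5, min_vendors=3):
    """Return {client: stats} for clients probing vendor dirs or enumerating MACs."""
    stats = defaultdict(lambda: {"vendors": set(), "macs": set(), "served": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        p = PATH_RE.match(target.split("?", 1)[0])
        if not p:
            continue
        entry = stats[client]
        entry["vendors"].add(p.group(1).lower())
        mac = MAC_RE.search(p.group(2) or "")
        if mac:
            entry["macs"].add(mac.group(0).upper())
            if 200 <= status < 300:
                # A config file was handed out: treat its credentials as exposed.
                entry["served"].add(target)
    return {c: s for c, s in stats.items()
            if len(s["macs"]) >= min_macs or len(s["vendors"]) >= min_vendors}


def _line(client, path, status):
    """Build one constructed access-log line for the sample below."""
    return '%s - - [18/Jun/2019:07:00:00 -0500] "GET %s HTTP/1.1" %d 0' % (client, path, status)


# Constructed sample: one scanner (203.0.113.7) and one phone fetching its own file.
SAMPLE = (
    [_line("203.0.113.7", "/%s/" % v, 403 if v == "yealink" else 404) for v in VENDOR_DIRS]
    + [_line("203.0.113.7", "/polycom/0004F201810%d.cfg" % i, 200 if i == 3 else 404)
       for i in range(1, 10)]
    + [_line("198.51.100.20", "/polycom/0004F2AABBCC.cfg", 200)]
)

if __name__ == "__main__":
    for client, s in find_provisioning_scans(SAMPLE).items():
        print(client, sorted(s["vendors"]), len(s["macs"]), sorted(s["served"]))
```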

