<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
Blocking UDP 5060 in the packet filter in unwanted directions should
keep Asterisk from setting up SIP connections.<br>
The real remedy is to figure out how the hacker got in and close the
backdoor.<br>
I think a lot of us would be interested in what the vulnerability
was.<br>
And if it turns out that it was a configuration mistake, don't be
shy: for every mistake you made in your config, there are at least a
thousand people who made the same mistake. You help them (us) by
disclosing the error, and if you have already changed the
configuration you should not have the error at that time.<br>
<br>
On 2010-11-22 17:37, Danny Nicholas wrote:
<blockquote
cite="mid:201011221636.oAMGaxsY002954@debsweb.debsinc.com"
type="cite">
<o:smarttagtype
namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="country-region">
<o:smarttagtype
namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="place">
<div class="Section1">
<div>
<div class="MsoNormal" style="text-align: center;"
align="center"><font size="3" face="Times New Roman"><span
style="font-size: 12pt;">
<hr tabindex="-1" size="2" align="center"
width="100%">
</span></font></div>
<p class="MsoNormal"><b><font size="2" face="Tahoma"><span
style="font-size: 10pt; font-family: Tahoma;
font-weight: bold;">From:</span></font></b><font
size="2" face="Tahoma"><span style="font-size: 10pt;
font-family: Tahoma;">
<a class="moz-txt-link-abbreviated" href="mailto:asterisk-users-bounces@lists.digium.com">asterisk-users-bounces@lists.digium.com</a>
[<a class="moz-txt-link-freetext" href="mailto:asterisk-users-bounces@lists.digium.com">mailto:asterisk-users-bounces@lists.digium.com</a>] <b><span
style="font-weight: bold;">On Behalf Of </span></b>Gary
Kuznitz <br>
<b><span style="font-weight: bold;">Sent:</span></b>
Monday, November 22, 2010
10:23 AM<br>
<b><span style="font-weight: bold;">To:</span></b>
Asterisk Users Mailing List -
Non-Commercial Discussion<br>
<b><span style="font-weight: bold;">Subject:</span></b>
[asterisk-users] Someone
has hacked into our system</span></font><o:p></o:p></p>
</div>
<p class="MsoNormal"><font size="2" face="Comic Sans MS"><span
style="font-size: 10pt; font-family: "Comic Sans
MS";" lang="EN">Someone has hacked into
our system and is making calls overseas. </span></font><span
lang="EN"><o:p></o:p></span></p>
<p class="MsoNormal"><font size="2" face="Comic Sans MS"><span
style="font-size: 10pt; font-family: "Comic Sans
MS";" lang="EN">How can I:</span></font><span
lang="EN"><o:p></o:p></span></p>
<p class="MsoNormal"><font size="2" face="Comic Sans MS"><span
style="font-size: 10pt; font-family: "Comic Sans
MS";" lang="EN">1. Find out where the
calls are originating from?</span></font><span
lang="EN"><o:p></o:p></span></p>
<p class="MsoNormal"><font size="2" face="Comic Sans MS"><span
style="font-size: 10pt; font-family: "Comic Sans
MS";" lang="EN">2. Block all calls that
are not authorized?</span></font><span lang="EN"><o:p></o:p></span></p>
<p class="MsoNormal"><font size="2" face="Comic Sans MS"><span
style="font-size: 10pt; font-family: "Comic Sans
MS";" lang="EN">Our system is in the USA.</span></font><span
lang="EN"><o:p></o:p></span></p>
<p class="MsoNormal"><font size="2" face="Comic Sans MS"><span
style="font-size: 10pt; font-family: "Comic Sans
MS";" lang="EN">Only calls from inside our
LAN are allowed.</span></font><span lang="EN"><o:p></o:p></span></p>
<p class="MsoNormal"><font size="2" face="Comic Sans MS"><span
style="font-size: 10pt; font-family: "Comic Sans
MS";" lang="EN">Thank you,</span></font><span
lang="EN"><o:p></o:p></span></p>
<p class="MsoNormal"><font size="2" face="Comic Sans MS"><span
style="font-size: 10pt; font-family: "Comic Sans
MS";" lang="EN">Gary Kuznitz</span></font><span
lang="EN"><o:p></o:p></span></p>
<p class="MsoNormal"><font size="3" color="navy" face="Times
New Roman"><span style="font-size: 12pt; color: navy;"
lang="EN">For #1, start with the CDR.
You know that X is calling an overseas number.
Determine who X is (or is
supposed to be).<o:p></o:p></span></font></p>
<p class="MsoNormal"><font size="3" color="navy" face="Times
New Roman"><span style="font-size: 12pt; color: navy;"
lang="EN">For #2 (and the rest of #1)
restrict your dialing access to a known set of IPs.
If you have 5
phones (softphones or actual handsets), block
everything that doesn't
start with those 5 IP addresses.<o:p></o:p></span></font></p>
<p class="MsoNormal"><font size="3" color="navy" face="Times
New Roman"><span style="font-size: 12pt; color: navy;"
lang="EN">The first thing I would do is to
change all of your passwords in sip.conf and do a sip
reload. That will
slow down or temporarily stop the hacker.</span></font><span
lang="EN"> <o:p></o:p></span></p>
</div>
</o:smarttagtype></o:smarttagtype></blockquote>
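As an added illustration of the "start with the CDR" step above (example code written for this page, not from the original thread or from Asterisk itself): it parses the cdr_csv Master.csv column layout, keeps only overseas calls using a US-centric prefix test (an assumption: 011 or a +E.164 number outside country code 1), and totals them per source extension and SIP peer so the "X" in the quoted advice can be named. The CDR rows are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Column order of Asterisk's cdr_csv backend (cdr-csv/Master.csv).
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
              "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
              "duration", "billsec", "disposition", "amaflags", "uniqueid",
              "userfield"]

# Constructed sample rows (not taken from the original thread): one domestic
# call each from 101 and 102, and three overseas attempts from extension 103.
SAMPLE_CDR = '''\
"","101","2125551234","internal","""Desk 101"" <101>","SIP/101-00000001","SIP/trunk-00000002","Dial","SIP/trunk/2125551234","2010-11-22 09:01:10","2010-11-22 09:01:15","2010-11-22 09:03:15","125","120","ANSWERED","DOCUMENTATION","1290416470.1",""
"","103","01144207946000","internal","""103"" <103>","SIP/103-00000003","SIP/trunk-00000004","Dial","SIP/trunk/01144207946000","2010-11-22 02:14:00","2010-11-22 02:14:05","2010-11-22 02:44:05","1805","1800","ANSWERED","DOCUMENTATION","1290390840.3",""
"","102","+13105550100","internal","""102"" <102>","SIP/102-00000005","SIP/trunk-00000006","Dial","SIP/trunk/+13105550100","2010-11-22 10:00:00","2010-11-22 10:00:04","2010-11-22 10:01:04","64","60","ANSWERED","DOCUMENTATION","1290420000.5",""
"","103","01144207946001","internal","""103"" <103>","SIP/103-00000007","SIP/trunk-00000008","Dial","SIP/trunk/01144207946001","2010-11-22 03:10:00","2010-11-22 03:10:03","2010-11-22 03:25:03","903","900","ANSWERED","DOCUMENTATION","1290394200.7",""
"","103","01144207946002","internal","""103"" <103>","SIP/103-00000009","","Dial","SIP/trunk/01144207946002","2010-11-22 03:30:00","","2010-11-22 03:30:20","20","0","FAILED","DOCUMENTATION","1290395400.9",""
'''

def is_international(dst):
    """US-centric heuristic (assumption): overseas numbers are dialled with
    a 011 prefix or in +E.164 form with a country code other than 1."""
    d = dst.strip()
    return d.startswith("011") or (d.startswith("+") and not d.startswith("+1"))

def triage_cdr(text):
    """Group overseas calls by (src, peer) so the caller can be identified.
    Returns {(src, peer): {"calls": n, "billsec": total_billed_seconds}}."""
    totals = defaultdict(lambda: {"calls": 0, "billsec": 0})
    for row in csv.DictReader(io.StringIO(text), fieldnames=CDR_FIELDS):
        if not is_international(row["dst"]):
            continue
        # "SIP/103-00000003" -> "SIP/103": the peer the call was placed through
        peer = row["channel"].rsplit("-", 1)[0]
        entry = totals[(row["src"], peer)]
        entry["calls"] += 1
        entry["billsec"] += int(row["billsec"] or 0)  # FAILED rows bill 0s
    return dict(totals)

if __name__ == "__main__":
    for (src, peer), stats in sorted(triage_cdr(SAMPLE_CDR).items(),
                                     key=lambda kv: -kv[1]["billsec"]):
        print(f"{src:>6} via {peer:<12} {stats['calls']:>3} calls "
              f"{stats['billsec']:>6}s billed")
```

Run it against a real Master.csv by replacing SAMPLE_CDR with the file's contents; the peer names it reports are the sip.conf entries whose passwords and deny/permit ranges deserve the first look.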
<br>
</body>
</html>