<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:712001773;
mso-list-type:hybrid;
mso-list-template-ids:-844845084 -1875364460 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:42.0pt;
text-indent:-.25in;}
@list l1
{mso-list-id:2061320044;
mso-list-type:hybrid;
mso-list-template-ids:1799504374 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'>I’ve seen the following exploits of Asterisk / FreePBX boxes:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'><o:p> </o:p></span></p><p class=MsoListParagraph style='margin-left:42.0pt;text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'><span style='mso-list:Ignore'>1)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'>Default PlcmSpIp username and password for Polycom provisioning<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:42.0pt;text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'><span style='mso-list:Ignore'>2)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'>Insecure SIP usernames and secrets<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:42.0pt;text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'><span style='mso-list:Ignore'>3)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'>FreePBX GUI accessable from the internet<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:42.0pt;text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'><span style='mso-list:Ignore'>4)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'>OS remote exploit (maybe ssh/ssl exploit)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'>Mitigation options:<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo2'><![if !supportLists]><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'><span style='mso-list:Ignore'>1)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'>Don’t use an easy to guess or default password on provisioning servers.<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo2'><![if !supportLists]><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'><span style='mso-list:Ignore'>2)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'>Use secure secrets. Users never enter the secret so we use a 32 char random string of characters for the password<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo2'><![if !supportLists]><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'><span style='mso-list:Ignore'>3)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'>Don’t allow connections to port 80 from off-site.<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo2'><![if !supportLists]><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'><span style='mso-list:Ignore'>4)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'>Make sure your OS and SSH/SSL is updated packages are updated.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'>Contact your carrier and ask about any possible fraud detection. Verizon SIP service has that feature. I don’t think Level 3 has. Don’t know about CenturyLink. I also recommend locking down the system very tight with IP tables – only allow whitelisted traffic rather than only blocking blacklisted traffic.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'>Fraud is a constant issue for everyone.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.5pt;font-family:Consolas;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] <b>On Behalf Of </b>Steven McCann<br><b>Sent:</b> Wednesday, January 28, 2015 4:03 PM<br><b>To:</b> asterisk-users@lists.digium.com<br><b>Subject:</b> [asterisk-users] Investigating international calls fraud<o:p></o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><div><p class=MsoNormal>Hello,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I'm investigating a situation where there was a hundreds of minutes of calls from an internal SIP extension to an 855 number in Cambodia, resulting in a crazy ($25,000+) bill from the phone company. I'm investigating, but can anyone provide some feedback on what's happened here? I'm investigating how this happened as well as what types of arrangements can be made with the phone company (CenturyLink in Texas).<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Some details:<o:p></o:p></p></div><div><p class=MsoNormal>* PBX is located in Texas<o:p></o:p></p></div><div><p class=MsoNormal>* Phone carrier is CenturyLink<o:p></o:p></p></div><div><p class=MsoNormal>* FreePBX distro running asterisk 1.8.14<o:p></o:p></p></div><div><p class=MsoNormal>* source SIP extension is Mitel 5212, firmware 08.00.00.04, default admin password (argh!). Phone is used by many different people.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>More PBX setting details:<o:p></o:p></p></div><div><p class=MsoNormal>* inbound SIP traffic is not allowed through the firewall<o:p></o:p></p></div><div><p class=MsoNormal>* internal network is not accessed by many<o:p></o:p></p></div><div><p class=MsoNormal>* FreePBX web interface <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><b>Questions I have at this moment:</b><o:p></o:p></p></div><div><p class=MsoNormal>1) how were the calls placed? Was the Mitel SIP phone hacked somehow? Asterisk PBX?<o:p></o:p></p></div><div><p class=MsoNormal>2) how does this typically get sorted out with the phone company? they are charging $6.25 per minute for the Texas to Cambodia calls. The phone system owners are at fault, but how have these situations worked out in the past?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I'll be tightening things up, but any feedback is appreciated.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal>Steve<o:p></o:p></p></div></div></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>