Asterisk hacked

All installation and configuration problems and questions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

Asterisk hacked

Postby dspaan » Mon Aug 31, 2020 5:09 pm

Today i made the stupid mistake of forgetting to start the firewall on a development server and it was hacked within two hours. They managed to get the registration info from the carrier and start dialing with it. Can anyone point out how they might have done this without SSH access?

The only way i can think of is by direct database access.
Regards, Dennis

Vicibox 9.0.1
Version: 2.14b0.5
SVN Version: 3199
DB Schema Version: 1588
Build: 200310-1801
dspaan
 
Posts: 1377
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: Asterisk hacked

Postby carpenox » Mon Aug 31, 2020 5:14 pm

that doesnt make sense tho because mysql should be 127.0.0.1 only right? check the directory /t,p and tell me what hidden directories you see there
Alma Linux 9.4 | SVN Version: 3878 | DB Schema Version: 1718 | Asterisk 18.18.1 | PHP8
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WA: +19549477572
GC: https://join.skype.com/ujkQ7i5lV78O | DC: https://discord.gg/DVktk6smbh
carpenox
 
Posts: 2392
Joined: Wed Apr 08, 2020 2:02 am
Location: St Petersburg, FL

Re: Asterisk hacked

Postby dspaan » Mon Aug 31, 2020 5:24 pm

You're right, i'm confused with another way to access that database but that still requires SSH.

In /srv/www/htdocs i don't see any new directories and neither in the root directory. I checked the asterisk messages log and the calls were made directly via the trunk and not through vicidial.
Regards, Dennis

Vicibox 9.0.1
Version: 2.14b0.5
SVN Version: 3199
DB Schema Version: 1588
Build: 200310-1801
dspaan
 
Posts: 1377
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: Asterisk hacked

Postby carpenox » Mon Aug 31, 2020 5:36 pm

check in /tmp - "cd /tmp"

there is a new exploit that loads a small payload file in that directory and runs a bitcoin mining program and backdoor
Alma Linux 9.4 | SVN Version: 3878 | DB Schema Version: 1718 | Asterisk 18.18.1 | PHP8
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WA: +19549477572
GC: https://join.skype.com/ujkQ7i5lV78O | DC: https://discord.gg/DVktk6smbh
carpenox
 
Posts: 2392
Joined: Wed Apr 08, 2020 2:02 am
Location: St Petersburg, FL

Re: Asterisk hacked

Postby dspaan » Mon Aug 31, 2020 5:57 pm

This is what i see:
Image
Regards, Dennis

Vicibox 9.0.1
Version: 2.14b0.5
SVN Version: 3199
DB Schema Version: 1588
Build: 200310-1801
dspaan
 
Posts: 1377
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: Asterisk hacked

Postby carpenox » Mon Aug 31, 2020 8:36 pm

Looks good. You didn't have anything in the access log?
Alma Linux 9.4 | SVN Version: 3878 | DB Schema Version: 1718 | Asterisk 18.18.1 | PHP8
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WA: +19549477572
GC: https://join.skype.com/ujkQ7i5lV78O | DC: https://discord.gg/DVktk6smbh
carpenox
 
Posts: 2392
Joined: Wed Apr 08, 2020 2:02 am
Location: St Petersburg, FL

Re: Asterisk hacked

Postby dspaan » Tue Sep 01, 2020 1:50 am

No, i checked access log. So still wondering how they acquired those credentials.
Regards, Dennis

Vicibox 9.0.1
Version: 2.14b0.5
SVN Version: 3199
DB Schema Version: 1588
Build: 200310-1801
dspaan
 
Posts: 1377
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: Asterisk hacked

Postby mubeen » Wed Sep 02, 2020 5:27 pm

Check crontab, the exploit carpenox is talking about usually removes entries from crontab and add its own cron job, not only by name of div, div1 etc but .ICE-unix as well
ViciBox v.8.0.1
VERSION: 2.14-667a
BUILD: 180331-1715
mubeen
 
Posts: 116
Joined: Mon Feb 19, 2018 1:49 pm

Re: Asterisk hacked

Postby dspaan » Fri Sep 11, 2020 3:00 pm

I restored a snapshot of the hacked server and checked crontab but nothing unusual in there. During the exposure we also got this notifications from our datacenter but i assume that's just a standard warning because the firewall was open. Still no idea how they got in and found carrier credentials.

What is an 'Open Portmapper Server'?
The port mapper (rpc.portmap or rpcbind) is a remote procedure call (RPC) service running on TCP or UDP port 111 that runs on servers to provide information about running services and their corresponding port numbers, such as NFS.

Why would this be bad?
Once an attacker discovers an active port 111 on a device, he can use this information to learn about running services, which is a very important first step for a hacking attack.

Additionally, hackers have also found this feature useful in performing a special type of DDoS attack called an 'Amplification Attack'.

The attacker sends a packet apparently from the intended victim to some server on the Internet that will reply immediately. Because the source IP address is forged, the remote Internet server replies and sends data to the victim.

That has two effects: the actual source of the attack is hidden and is very hard to trace, and, if many Internet servers are used, an attack can consist of an overwhelming number of packets hitting a victim from all over the world.

But what makes reflection attacks really powerful is when they are also amplified: when a small forged packet elicits a large reply from the server (or servers). In that case, an attacker can send a small packet 'from' a forged source IP address and have the server (or servers) send large replies to the victim.

Amplification attacks like that result in an attacker turning a small amount of bandwidth coming from a small number of machines into a massive traffic load hitting a victim from around the Internet.

Recommended action
We recommend you to only allow RPC calls from trusted sources. This can be achieved by dropping all traffic for RPC services on your local firewall and only allowing connections from trusted IP addresses.
Regards, Dennis

Vicibox 9.0.1
Version: 2.14b0.5
SVN Version: 3199
DB Schema Version: 1588
Build: 200310-1801
dspaan
 
Posts: 1377
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: Asterisk hacked

Postby carpenox » Fri Sep 11, 2020 5:33 pm

so one of your services was probably exploited with an 0day. No way to really tell without the logs
Alma Linux 9.4 | SVN Version: 3878 | DB Schema Version: 1718 | Asterisk 18.18.1 | PHP8
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WA: +19549477572
GC: https://join.skype.com/ujkQ7i5lV78O | DC: https://discord.gg/DVktk6smbh
carpenox
 
Posts: 2392
Joined: Wed Apr 08, 2020 2:02 am
Location: St Petersburg, FL

Re: Asterisk hacked

Postby qeshmja » Fri Sep 11, 2020 5:48 pm

I used to work with remote administration tools in cybersecurity.
check if you got infected with a malware or a RAT, someone using your carrier dsnt mean they got access to it via vicidial or asterisk.
Maybe they got all your SIP info from your e-mail, or you stored your user/passwords ..etc in some .txt files just like every human on this planet.
or someone got your vicidial user/password.

exploiting asterisk to gain access and use your voip provider.. nah!
to much work when they are 100 easier ways.
ViciBox 9.0.3 =
OpenSuSE Leap v.15.1 64-bit | Kernel v.4.12.14 | Asterisk v.13.29.2-vici | DAHDI v.3.1.0 | LibPRI v.1.6.0 | Amfletec VoiceSync v.1.3.8 | OpenR2 v.1.3.3 for MFC/R2 support
| ViciDial SVN revision 3225 – Version 2.14-750a Build 200409-1719
qeshmja
 
Posts: 12
Joined: Mon Jun 08, 2020 5:12 pm

Re: Asterisk hacked

Postby muratyilmaz.dev » Tue Jun 22, 2021 8:55 am

@dspaan I faced a similar situation. Were you able to reach a conclusion?
Murat Yılmaz / Software Developer - agola.net - Turkey
ViciBox v.9.0.3 | Version: 2.14b0.5 | SVN Version: 3346 | DB Schema Version: 1615 | Build: 200630-2117 | Cloud-Cluster
muratyilmaz.dev
 
Posts: 17
Joined: Sun Feb 16, 2020 4:24 am
Location: Turkey

Re: Asterisk hacked

Postby dspaan » Tue Jun 22, 2021 9:53 am

No i didn't have time to investigate further. All i can say is change your SSH port to something else and better yet, use whitelisting.
Regards, Dennis

Vicibox 9.0.1
Version: 2.14b0.5
SVN Version: 3199
DB Schema Version: 1588
Build: 200310-1801
dspaan
 
Posts: 1377
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: Asterisk hacked

Postby carpenox » Tue Jun 22, 2021 11:50 am

Yes, please secure your servers: I wrote this article a couple months ago and I can not stress enough, please use it @all


https://cyburityllc.com/?p=1977
Alma Linux 9.4 | SVN Version: 3878 | DB Schema Version: 1718 | Asterisk 18.18.1 | PHP8
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WA: +19549477572
GC: https://join.skype.com/ujkQ7i5lV78O | DC: https://discord.gg/DVktk6smbh
carpenox
 
Posts: 2392
Joined: Wed Apr 08, 2020 2:02 am
Location: St Petersburg, FL

Re: Asterisk hacked

Postby dspaan » Tue Jun 22, 2021 12:09 pm

Another thing that should be a default step to secure vicidial is change the cron password but i haven't delved deep enough to analyze what the correct procedure is (and impact of incorrectly changing it). I did find this but i don't know if this Poundteam script is still up-to-date for the latest vicidial SVN: http://cc24x7.blogspot.com/2016/04/how- ... e-and.html
Regards, Dennis

Vicibox 9.0.1
Version: 2.14b0.5
SVN Version: 3199
DB Schema Version: 1588
Build: 200310-1801
dspaan
 
Posts: 1377
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: Asterisk hacked

Postby carpenox » Tue Jun 22, 2021 2:18 pm

you can just change it during the install.pl script and mirror it in admin > servers

but either way it wont matter with IP whitelist
Alma Linux 9.4 | SVN Version: 3878 | DB Schema Version: 1718 | Asterisk 18.18.1 | PHP8
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WA: +19549477572
GC: https://join.skype.com/ujkQ7i5lV78O | DC: https://discord.gg/DVktk6smbh
carpenox
 
Posts: 2392
Joined: Wed Apr 08, 2020 2:02 am
Location: St Petersburg, FL

Re: Asterisk hacked

Postby muratyilmaz.dev » Tue Jun 22, 2021 3:10 pm

Thanks a lot for the information. I skimmed the article. But I don't use whitelist. My agents and their locations are too many, so customers do not prefer it. I want to use Blacklist and Geoblock.

My problem is:
There is a physical firewall on the datacenter. Here, 21,22,23,3306,5432 ports are defined only to my ip address.

They take my sip information from Vicidial and make a direct call. So it doesn't exit through my Asterisk. With a softphone, they make calls directly using the voip account. I am changing the password of my voip account. I'm also updating the vicidial.
They're hacking again.

I found resources with an attack on agc/manager_send.php

I don't know if the internal firewall blocks this.

I will get support from an expert tomorrow. I'll let you know the results.

http://support.vicidial.de/mobile.php?p ... w=&lang=en

https://www.youtube.com/watch?v=MWUugOb9z4c&t=43s
Murat Yılmaz / Software Developer - agola.net - Turkey
ViciBox v.9.0.3 | Version: 2.14b0.5 | SVN Version: 3346 | DB Schema Version: 1615 | Build: 200630-2117 | Cloud-Cluster
muratyilmaz.dev
 
Posts: 17
Joined: Sun Feb 16, 2020 4:24 am
Location: Turkey

Re: Asterisk hacked

Postby dspaan » Tue Jun 22, 2021 3:27 pm

You should use dynamic portal, that way everyone can login through a special URL and they whitelist themselves by logging in and when they are inactive or the IP changes it gets automatically removed from the firewall.
Regards, Dennis

Vicibox 9.0.1
Version: 2.14b0.5
SVN Version: 3199
DB Schema Version: 1588
Build: 200310-1801
dspaan
 
Posts: 1377
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: Asterisk hacked

Postby muratyilmaz.dev » Thu Jun 24, 2021 6:52 am

Hi,
Yes. I reviewed Dynamic Portal. I used the links below. Thank you so much.

https://www.youtube.com/watch?v=3ID7IRT3zUE

https://cyburityllc.com/?p=1765

I activated it. Everything is very beautiful. But there is one problem. Most of the agents are old :)

Therefore to them

https://site.com:446/valid8_or_custom_url.php

It is very difficult for me to tell them to use a url like. Wouldn't it be more perfect if there was only one validation.php file that would be allowed to run under 80 or 443 vhosts.

for example,
https://site.com/valid8_or_custom_url.php

I think it's a request against firewall - vhost logic. I do not know. Maybe something like this in Apache rules.

Listen to port 80...
Listen to port 443...

If no response, go to port 446.

https://site.com:446/index.php

I think this will go against method validation logic. I'm curious about your opinions.
Note: You can reply so that agents can bookmark the validation url :)
Murat Yılmaz / Software Developer - agola.net - Turkey
ViciBox v.9.0.3 | Version: 2.14b0.5 | SVN Version: 3346 | DB Schema Version: 1615 | Build: 200630-2117 | Cloud-Cluster
muratyilmaz.dev
 
Posts: 17
Joined: Sun Feb 16, 2020 4:24 am
Location: Turkey

Re: Asterisk hacked

Postby dspaan » Thu Jun 24, 2021 7:03 am

The URL for dynamic portal is a custom port and difficult URL deliberatly so it's not obvious for hackers to guess or scan. Otherwise it would defy the purpose, you could just open up port 80 on your main URL.
Regards, Dennis

Vicibox 9.0.1
Version: 2.14b0.5
SVN Version: 3199
DB Schema Version: 1588
Build: 200310-1801
dspaan
 
Posts: 1377
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: Asterisk hacked

Postby muratyilmaz.dev » Thu Jun 24, 2021 7:20 am

You said "you could just open up port 80 on your main URL".

Can I activate only 1 page while white or dynamic method is active?

https://site.com/index.php

firewall-cmd --zone=public .... do I need to write such a rule?
Murat Yılmaz / Software Developer - agola.net - Turkey
ViciBox v.9.0.3 | Version: 2.14b0.5 | SVN Version: 3346 | DB Schema Version: 1615 | Build: 200630-2117 | Cloud-Cluster
muratyilmaz.dev
 
Posts: 17
Joined: Sun Feb 16, 2020 4:24 am
Location: Turkey


Return to Support

Who is online

Users browsing this forum: Google [Bot] and 34 guests