Hacked via /tmp perl scripts

I run a PBX at my home as a pro-bono activity for a non-profit a few towns away from here with statewide employees/members that have IP phones in their homes.

A couple of days ago I detected that the PBX was being used to make overseas phone calls… which are prohibited by configuration in extensions_custom.conf so how was he able to do it?.. pretty sure I know how, but I’m getting ahead of myself.

What happened is that somehow someone was able to get in as the asterisk user, evidence shows via the Apache web server, and inserted some perl scripts into /tmp, one of which looks a lot like this…

http://www.voip-info.org/wiki/view/Bulk … g+Asterisk

… with some additions, which he (non-gender-specific “he”, used hereafter for convenience) used to execute some commands, add to my extensions.conf file, steal some passwords, and make some overseas phone calls.

From the httpd logs it appears the hacker was able to steal my /etc/amportal.conf and /etc/asterisk/sip_additional.conf files, so he has all of my passwords and my users’ passwords used to connect their IP phones to the PBX.

One of the things he was able to do is add the following to the end of my extensions.conf file:

[doclickoutcontextnow7]
exten => _X.,1,NoOp("Click Out Context")
exten => _X.,n,Goto(from-internal,${EXTEN},1)
[doclickincontextnow7]
exten => _X.,1,NoOp("Click in Context")
exten => _X.,n,Answer(999999999999999999)
exten => _X.,n,Wait(999999999999999999)
[doclickoutcontextnow7]
exten => _X.,1,NoOp("Click Out Context")
exten => _X.,n,Goto(from-internal,${EXTEN},1)
[doclickincontextnow7]
exten => _X.,1,NoOp("Click in Context")
exten => _X.,n,Answer(999999999999999999)
exten => _X.,n,Wait(999999999999999999)
[doclickoutcontextnow7]
exten => _X.,1,NoOp("Click Out Context")
exten => _X.,n,Goto(from-internal,${EXTEN},1)
[doclickincontextnow7]
exten => _X.,1,NoOp("Click in Context")
exten => _X.,n,Answer(999999999999999999)
exten => _X.,n,Wait(999999999999999999)
[doclickoutcontextnow7]
exten => _X.,1,NoOp("Click Out Context")
exten => _X.,n,Goto(from-internal,${EXTEN},1)
[doclickincontextnow7]
exten => _X.,1,NoOp("Click in Context")
exten => _X.,n,Answer(999999999999999999)
exten => _X.,n,Wait(999999999999999999)
[docalloutnow]
exten => _X.,1,Wait(999999999)

which he used to generate a few calls to the UK and a large number of calls to a number in Bosnia. Looks like the total damage, before I was able to shut it down, was around US$135 added to my phone bill this month.

In addition to the UK and Bosnia calls, my logs show a large number of calls to 999999999. What is that, and what effect if any does it have (and why would a hacker do that)?

In every case, the calls to 999999999, and the calls to Bosnia, were from the “docalloutnow” context, which looks like it bypasses all of the security stuff I have in my extensions_custom.conf file that are intended to prohibit toll calls including international calls.

My main question is… other than the US$135 phone bill and the need to go through and change a few hundred passwords, most of which are in phones installed at the non-profit’s home office, what damage has likely been done here? Am I reasonable in my speculation that the hacker got in via the web server? The perl script was in the /tmp directory and owned by the asterisk user, and the web browser is owned by the asterisk user (that’s how AsteriskNOW did things). There is, so far, no evidence that the hacker was able to gain root access to the host; if he did, no doubt he would know enough to clean out all the log files of any evidence of his actions, and that didn’t happen (of course, I changed the root password anyway, along with my own password on the host).

After I discovered all of this I shut down the PBX while I figured all this out, but needed to bring it back up again this morning because the non-profit’s backup phone system wasn’t working (I have told them many times that they must, Must, absolutely MUST (!!!) keep a backup phone system working in case of an Internet interruption and their access to the PBX goes down, but they have not been listening). I have the web server shut down on the PBX machine, and have restricted SIP access (in the firewall) to only the non-profit’s main office a few towns away from here… that means that all of their other employees or members, that aren’t at the home office, are shut down from the PBX until further notice. They are not going to be especially happy.

Final questions… how much of this have you all seen before?.. and is there a writeup anywhere that covers all this stuff and what to do about it, and how to guard against it in the future? I am going to be moving the PBX to a different host with a fresh OS install, just in case, and would like to do it right this time.

Thanks…

Sorry, neglected to say… PBX is FreePBX / AsteriskNOW 2.0.2.
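Two checks a PBX administrator would want after an incident like the one described above: a baseline comparison that lists dialplan contexts not in a known set (the appended docalloutnow / doclick* contexts would show up here), and a pass over Asterisk CDR records that flags calls originating from an unknown context or dialled to an international or all-nines destination. This is an added example, not code from the original post or from the FreePBX project. The dialplan text is constructed from the snippet in the post (one copy of each context), the CDR lines are constructed in the layout of Asterisk's cdr_csv Master.csv, and the allowlist of contexts, the extension 201, the timestamps and the phone numbers are all assumptions for the example.

```python
import csv
import io
import re

# Contexts the administrator knows are legitimate on this box. Constructed
# allowlist for the example; a real one is derived from the site's own
# extensions*.conf files as they were before the incident.
KNOWN_CONTEXTS = {"from-internal", "from-trunk", "from-pstn", "outbound-allroutes"}

# Constructed dialplan text: one legitimate context followed by one copy of
# each context the attacker appended in the post.
SAMPLE_DIALPLAN = """\
[from-internal]
exten => _NXXNXXXXXX,1,Dial(SIP/trunk/${EXTEN})

[doclickoutcontextnow7]
exten => _X.,1,NoOp("Click Out Context")
exten => _X.,n,Goto(from-internal,${EXTEN},1)
[doclickincontextnow7]
exten => _X.,1,NoOp("Click in Context")
exten => _X.,n,Answer(999999999999999999)
exten => _X.,n,Wait(999999999999999999)
[docalloutnow]
exten => _X.,1,Wait(999999999)
"""

CONTEXT_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def unknown_contexts(dialplan_text, known=KNOWN_CONTEXTS):
    """Return the context names (in order, without duplicates) that appear in
    the dialplan text but are not in the known baseline."""
    found = []
    for line in dialplan_text.splitlines():
        m = CONTEXT_RE.match(line)
        if m and m.group(1) not in known and m.group(1) not in found:
            found.append(m.group(1))
    return found


# Column order of Asterisk's cdr_csv Master.csv.
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
              "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
              "duration", "billsec", "disposition", "amaflags", "uniqueid",
              "userfield"]

# Constructed CDR lines: one normal local call, one call to 999999999 and one
# international call, the latter two from the attacker's docalloutnow context.
SAMPLE_CDR = '''\
"","201","5551234567","from-internal","""Alice"" <201>","SIP/201-00000001","SIP/trunk-00000002","Dial","SIP/trunk/5551234567","2014-10-02 09:12:00","2014-10-02 09:12:05","2014-10-02 09:15:00",180,175,"ANSWERED",3,"1412233920.1",""
"","201","999999999","docalloutnow","""201"" <201>","SIP/201-00000003","","Wait","999999999","2014-10-02 23:40:00","2014-10-02 23:40:00","2014-10-02 23:40:10",10,10,"ANSWERED",3,"1412285200.3",""
"","201","01138761234567","docalloutnow","""201"" <201>","SIP/201-00000004","SIP/trunk-00000005","Dial","SIP/trunk/01138761234567","2014-10-02 23:41:00","2014-10-02 23:41:09","2014-10-02 23:59:00",1080,1071,"ANSWERED",3,"1412285260.4",""
'''


def suspicious_cdrs(cdr_text, known=KNOWN_CONTEXTS):
    """Parse Master.csv-style CDR text and return (uniqueid, reason) pairs for
    calls from an unknown context, to a 011-prefixed international number,
    or to an all-nines destination."""
    flagged = []
    reader = csv.DictReader(io.StringIO(cdr_text), fieldnames=CDR_FIELDS)
    for row in reader:
        reasons = []
        if row["dcontext"] not in known:
            reasons.append("unknown context " + row["dcontext"])
        dst = row["dst"]
        if dst.startswith("011"):
            reasons.append("international destination")
        if dst and set(dst) == {"9"}:
            reasons.append("all-nines destination")
        if reasons:
            flagged.append((row["uniqueid"], "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for ctx in unknown_contexts(SAMPLE_DIALPLAN):
        print("unexpected dialplan context:", ctx)
    for uid, why in suspicious_cdrs(SAMPLE_CDR):
        print("CDR", uid, "->", why)
```

On a real box, feed unknown_contexts() the current /etc/asterisk/extensions.conf (and extensions_custom.conf) and suspicious_cdrs() the contents of /var/log/asterisk/cdr-csv/Master.csv; the allowlist is the point of the exercise, so it should be built from a known-good copy of the configuration, not from the possibly altered files on the compromised host.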

What is the FreePBX version?

Sorry to hear about your loss. I recommend that you rebuild a new system from scratch, and apply my IPTables rules which could help to protect your PBX. You can find my tutorial (and a related setup guide) on Google with keywords: asterisk iptables security

2.10.1.9. Yes, I know it’s old, but it has worked well up to now and so far I have not found a workable way to upgrade to the latest without doing a complete rebuild from ground zero which will take weeks.

That is the plan… reinstall the system on a new server and restore the PBX configuration from backups created well before all this happened.

I’m not giving any comment to using 2.10. The point I am going to make is that we announced a security vulnerability to FreePBX 2.10.1.14 and lower in October, which was fixed with 2.10.1.15. I advise you to keep up to date on these things in the future, through email or other means, so that you don’t get burned again.

Good evening, Andrew.

Thanks, believe me I will endeavor to be more proactive in the future. I read the post on the vulnerability and checked my Admin->Module Admin, and I do not see an “Asterisk Recording Interface” or “ARI”. I do see “Recordings” but that is at revision 3.3.11.8 whereas the “Critical FreePBX RCA Vulnerability” topic mentioned upgrading ARI to revision 2.11.1.5.

I don’t see where I even have ARI installed. How do I tell for sure?

Thanks…

Eric

It’s called framework ARI. It has nothing to do with the module called “recordings”. Also I linked to the wrong thread. You are indeed vulnerable to an exploit in framework and probably ARI at the same time.

Here is the thread I meant to link to: Security Vulnerability Notice

OK, I have upgraded “FreePBX ARI Framework” from 2.10.0.5 to 2.11.1.5. Right?

You mentioned that you advise “to keep up to date on these things in the future through email or other means…”. Where can I sign up to receive email alerts on this sort of thing?

Also do all of these kinds of alerts get posted into Blog->Security? IOW if I read through that, will I get everything, and if not, where else should I read?

As a general philosophy about upgrading things, I’ve learned to not fix things that aren’t broke, meaning if something is working I tend not to mess with it by upgrading to something else that might cause problems. So, a lot of the modules on this installation have upgrades available. I suppose I should rethink that, now that this has happened so… is the general consensus wisdom that I should upgrade everything to the latest whether I think I need it or not?

Note that so far, “upgrading everything” still means sticking with 2.10. Not long after I did the initial installation, but after I had added a large number of the non-profit’s users to the system, I tried upgrading, to 2.11 I believe it was (the one that’s based on CentOS 6.x rather than 5.9). I installed the new version to a newly-configured VMware virtual machine and then tried exporting a backup from the old machine and importing it to the new. It thoroughly and totally hosed the FreePBX GUI and made it unusable. Many nights spent on this forum (actually the predecessor forum, I think) asking for help in getting a clean upgrade, produced nothing usable. Hence, I have stuck with 2.10.

Has that situation changed? Is there a clean way to install the latest version on a separate machine and then import a user base of a few hundred users, along with all the other system configurations, from 2.10? I’ll be happy to do that if it can be done without having to re-establish everything from scratch, which as I say will take weeks or months to complete in my spare time.

Thank you from the bottom of my heart for all of your help…

Eric

I think the ‘Bulk Extensions’ module will help you there. That’ll let you dump all your user configuration, and import it into a new system.