Attempt of hacking of my freepbx

1

Hello.

I just saw that on my freepbx.

Do you know if there is a security hole on my system or if i have to block something to avoid this risk ?

What is this manager ? Is it the web gui of freepbx ?

Thank you

Rejecting '212.52.131.7' due to a failure to pass ACL '(BASELINE)'
[2014-08-05 01:32:32] NOTICE[22871]: manager.c:2909 authenticate: 212.52.131.7 failed to pass IP ACL as 'admin'
[2014-08-05 01:32:32] NOTICE[22871]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'admin'
[2014-08-05 01:32:34] NOTICE[22872]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'crm'
[2014-08-05 01:32:34] NOTICE[22872]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'crm'
[2014-08-05 01:32:35] NOTICE[22873]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'vtiger'
[2014-08-05 01:32:35] NOTICE[22873]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'vtiger'
[2014-08-05 01:32:37] NOTICE[22874]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'vtiger'
[2014-08-05 01:32:37] NOTICE[22874]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'vtiger'
[2014-08-05 01:32:38] NOTICE[22875]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'phoneglue'
[2014-08-05 01:32:38] NOTICE[22875]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'phoneglue'
[2014-08-05 01:32:40] NOTICE[22876]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'a2billinguser'
[2014-08-05 01:32:40] NOTICE[22876]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'a2billinguser'
[2014-08-05 01:32:41] NOTICE[22877]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'asterisk'
[2014-08-05 01:32:41] NOTICE[22877]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'asterisk'
[2014-08-05 01:32:43] NOTICE[22878]: acl.c:702 ast_apply_acl: Manager User ACL: Rejecting '212.52.131.7' due to a failure to pass ACL '(BASELINE)'
[2014-08-05 01:32:43] NOTICE[22878]: manager.c:2909 authenticate: 212.52.131.7 failed to pass IP ACL as 'admin'
[2014-08-05 01:32:43] NOTICE[22878]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'admin'
[2014-08-05 01:32:45] NOTICE[22879]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'aacc'
[2014-08-05 01:32:45] NOTICE[22879]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'aacc'
[2014-08-05 01:32:46] NOTICE[22880]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'aacc'
[2014-08-05 01:32:46] NOTICE[22880]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'aacc'
[2014-08-05 01:32:48] NOTICE[22881]: acl.c:702 ast_apply_acl: Manager User ACL: Rejecting '212.52.131.7' due to a failure to pass ACL '(BASELINE)'
[2014-08-05 01:32:48] NOTICE[22881]: manager.c:2909 authenticate: 212.52.131.7 failed to pass IP ACL as 'admin'
[2014-08-05 01:32:48] NOTICE[22881]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'admin'
[2014-08-05 01:32:49] NOTICE[22882]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'oracle'
[2014-08-05 01:32:49] NOTICE[22882]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'oracle'
[2014-08-05 01:32:51] NOTICE[22883]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'guest'
[2014-08-05 01:32:51] NOTICE[22883]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'guest'
[2014-08-05 01:32:52] NOTICE[22884]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'root'
[2014-08-05 01:32:52] NOTICE[22884]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'root'
[2014-08-05 01:32:55] NOTICE[22885]: acl.c:702 ast_apply_acl: Manager User ACL: Rejecting '212.52.131.7' due to a failure to pass ACL '(BASELINE)'
[2014-08-05 01:32:55] NOTICE[22885]: manager.c:2909 authenticate: 212.52.131.7 failed to pass IP ACL as 'admin'
[2014-08-05 01:32:55] NOTICE[22885]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'admin'
[2014-08-05 01:32:56] NOTICE[22886]: acl.c:702 ast_apply_acl: Manager User ACL: Rejecting '212.52.131.7' due to a failure to pass ACL '(BASELINE)'
[2014-08-05 01:32:56] NOTICE[22886]: manager.c:2909 authenticate: 212.52.131.7 failed to pass IP ACL as 'admin'
[2014-08-05 01:32:56] NOTICE[22886]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'admin'
[2014-08-05 01:32:58] NOTICE[22887]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'master'
[2014-08-05 01:32:58] NOTICE[22887]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'master'
[2014-08-05 01:32:59] NOTICE[22888]: acl.c:702 ast_apply_acl: Manager User ACL: Rejecting '212.52.131.7' due to a failure to pass ACL '(BASELINE)'
[2014-08-05 01:32:59] NOTICE[22888]: manager.c:2909 authenticate: 212.52.131.7 failed to pass IP ACL as 'admin'
[2014-08-05 01:32:59] NOTICE[22888]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'admin'
[2014-08-05 01:33:01] NOTICE[22889]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'monast'
[2014-08-05 01:33:01] NOTICE[22889]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'monast'
[2014-08-05 01:33:02] NOTICE[22919]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'qmon'
[2014-08-05 01:33:02] NOTICE[22919]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'qmon'
[2014-08-05 01:33:04] NOTICE[22920]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'agiadmin'
[2014-08-05 01:33:04] NOTICE[22920]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'agiadmin'
[2014-08-05 01:33:05] NOTICE[22921]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'fop2admin'
[2014-08-05 01:33:05] NOTICE[22921]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'fop2admin'
[2014-08-05 01:33:07] NOTICE[22922]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'livechat'
[2014-08-05 01:33:07] NOTICE[22922]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'livechat'
[2014-08-05 01:33:08] NOTICE[22923]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'admin_fax'
[2014-08-05 01:33:08] NOTICE[22923]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'admin_fax'
[2014-08-05 01:33:10] NOTICE[22924]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'mxmluser'
[2014-08-05 01:33:10] NOTICE[22924]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'mxmluser'
[2014-08-05 01:33:12] NOTICE[22925]: acl.c:702 ast_apply_acl: Manager User ACL: Rejecting '212.52.131.7' due to a failure to pass ACL '(BASELINE)'
[2014-08-05 01:33:12] NOTICE[22925]: manager.c:2909 authenticate: 212.52.131.7 failed to pass IP ACL as 'admin'
[2014-08-05 01:33:12] NOTICE[22925]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'admin'
[2014-08-05 01:33:13] NOTICE[22926]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'fax'
[2014-08-05 01:33:13] NOTICE[22926]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'fax'
[2014-08-05 01:33:15] NOTICE[22927]: acl.c:702 ast_apply_acl: Manager User ACL: Rejecting '212.52.131.7' due to a failure to pass ACL '(BASELINE)'
[2014-08-05 01:33:15] NOTICE[22927]: manager.c:2909 authenticate: 212.52.131.7 failed to pass IP ACL as 'admin'
[2014-08-05 01:33:15] NOTICE[22927]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'admin'
[2014-08-05 01:33:16] NOTICE[22928]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'meetme'
[2014-08-05 01:33:16] NOTICE[22928]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'meetme'
[2014-08-05 01:33:18] NOTICE[22929]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'meetme'
[2014-08-05 01:33:18] NOTICE[22929]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'meetme'
[2014-08-05 01:33:19] NOTICE[22930]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'maint'
[2014-08-05 01:33:19] NOTICE[22930]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'maint'
[2014-08-05 01:33:21] NOTICE[22931]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'maint'
[2014-08-05 01:33:21] NOTICE[22931]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'maint'
[2014-08-05 01:33:22] NOTICE[22932]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'phone'
[2014-08-05 01:33:22] NOTICE[22932]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'phone'
[2014-08-05 01:33:24] NOTICE[22933]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'event'
[2014-08-05 01:33:24] NOTICE[22933]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'event'
[2014-08-05 01:33:25] NOTICE[22934]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'panel'
[2014-08-05 01:33:25] NOTICE[22934]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'panel'
[2014-08-05 01:33:27] NOTICE[22935]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'panel'
[2014-08-05 01:33:27] NOTICE[22935]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'panel'
[2014-08-05 01:33:28] NOTICE[22936]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'ahn'
[2014-08-05 01:33:28] NOTICE[22936]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'ahn'
[2014-08-05 01:33:30] NOTICE[22937]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'smweb'
[2014-08-05 01:33:30] NOTICE[22937]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'smweb'
[2014-08-05 01:33:31] NOTICE[22938]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'queuemanager'
[2014-08-05 01:33:31] NOTICE[22938]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'queuemanager'
[2014-08-05 01:33:33] NOTICE[22939]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'queuemanager'
[2014-08-05 01:33:33] NOTICE[22939]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'queuemanager'
[2014-08-05 01:33:35] NOTICE[22940]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'outcall'
[2014-08-05 01:33:35] NOTICE[22940]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'outcall'
[2014-08-05 01:33:36] NOTICE[22941]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'outcall'
[2014-08-05 01:33:36] NOTICE[22941]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'outcall'
[2014-08-05 01:33:38] NOTICE[22942]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'outbound'
[2014-08-05 01:33:38] NOTICE[22942]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'outbound'
[2014-08-05 01:33:39] NOTICE[22943]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'outcall'
[2014-08-05 01:33:39] NOTICE[22943]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'outcall'
[2014-08-05 01:33:41] NOTICE[22944]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'outcall'
[2014-08-05 01:33:41] NOTICE[22944]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'outcall'
[2014-08-05 01:33:42] NOTICE[22945]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'isymphony'
[2014-08-05 01:33:42] NOTICE[22945]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'isymphony'
[2014-08-05 01:33:44] NOTICE[22946]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'call'
[2014-08-05 01:33:44] NOTICE[22946]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'call'
[2014-08-05 01:33:45] NOTICE[22947]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'caller'
[2014-08-05 01:33:45] NOTICE[22947]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'caller'
[2014-08-05 01:33:47] NOTICE[22948]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'openfire'
[2014-08-05 01:33:47] NOTICE[22948]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'openfire'
[2014-08-05 01:33:48] NOTICE[22949]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'openfire'
[2014-08-05 01:33:48] NOTICE[22949]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'openfire'
[2014-08-05 01:33:50] NOTICE[22950]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'nagios'
[2014-08-05 01:33:50] NOTICE[22950]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'nagios'
[2014-08-05 01:33:51] NOTICE[22951]: manager.c:2906 authenticate: 212.52.131.7 tried to authenticate with nonexistent user 'display'
[2014-08-05 01:33:51] NOTICE[22951]: manager.c:2943 authenticate: 212.52.131.7 failed to authenticate as 'display'
localhost*CLI>
2

Yes a huge hole, someone somewhere in Africa is trying to steal from you, you need a firewall/Intrusion detection system, typically fail2ban for your IDS would catch those, for a Firewall, well you need one :smile: -)

3

Why do you have this stuff open to the internet? And by default doesn’t manager listen on localhost only? Have you changed your configurations?

4

It depends on how you install asterisk, some distro’s DO actually have tcp/5038 listen on 0.0.0.0 , probably a bad idea that should be corrected :wink:

5

And looking at a relatively recent FreePBX distro install, there is no regex in the fail2ban asteriswk jail to catch that exploit, also perhaps something to add if you leave that door open.

6

for @parisienne or anyone similarly exposed, perhaps:-

sed -i 's/^bindaddr./bindaddr = 127.0.0.1/’ /etc/asterisk/manager

will restrict AMI to only localhost connections.

7 
sed -i 's/^bindaddr.*/bindaddr = 127.0.0.1/' /etc/asterisk/manager
8

screwit :slight_smile: edit all /etc/asterisk/manager*.conf files to not bind to 0.0.0.0

9

all manager users are set to:

deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0

on the distro

10

I moved 7 posts to a new topic: Distro Manager and listening services

11

I moved a post to an existing topic: Distro Manager and listening services

12

Looks to be a bug, looking into it.

No doubt a good idea

13

Thank you for your answers.

I just see them and i will check all that this afternoon. Luckily, this asterisk is not connected to the provider as my issue here as not been set yet. (still need help for that !!!)

Now i have another question.

I have all the time this on the cli. It doesn’t seem to be a hack (it seem it is the normal process for time condition) but i wanted to be sure. Because when i worked on asterisk directly i had time conditions in my extension.conf but never this kind of log

thank you

-- Attempting call on Local/s@tc-maint for application NoCDR() (Retry 1)
    -- Executing [s@tc-maint:1] NoCDR("Local/s@tc-maint-00000c3f;2", "") in new stack
    -- Called s@tc-maint
    -- Executing [s@tc-maint:2] Set("Local/s@tc-maint-00000c3f;2", "TCMAINT=RETURN") in new stack
    -- Executing [s@tc-maint:3] Gosub("Local/s@tc-maint-00000c3f;2", "timeconditions,1,1()") in new stack
    -- Executing [1@timeconditions:1] Set("Local/s@tc-maint-00000c3f;2", "DB(TC/1/INUSESTATE)=INUSE") in new stack
    -- Executing [1@timeconditions:2] Set("Local/s@tc-maint-00000c3f;2", "DB(TC/1/NOT_INUSESTATE)=NOT_INUSE") in new stack
    -- Executing [1@timeconditions:3] GotoIfTime("Local/s@tc-maint-00000c3f;2", "09:00-18:00,mon-fri,1-31,jan-dec?truestate") in new stack
    -- Goto (timeconditions,1,11)
    -- Executing [1@timeconditions:11] GotoIf("Local/s@tc-maint-00000c3f;2", "0?falsegoto") in new stack
    -- Executing [1@timeconditions:12] ExecIf("Local/s@tc-maint-00000c3f;2", "0?Set(DB(TC/1)=)") in new stack
    -- Executing [1@timeconditions:13] Set("Local/s@tc-maint-00000c3f;2", "DEVICE_STATE(Custom:TC1)=NOT_INUSE") in new stack
    -- Executing [1@timeconditions:14] ExecIf("Local/s@tc-maint-00000c3f;2", "0?Set(NOT_INUSE)") in new stack
    -- Executing [1@timeconditions:15] GotoIf("Local/s@tc-maint-00000c3f;2", "0?app-announcement-1,s,1") in new stack
    -- Executing [1@timeconditions:16] Set("Local/s@tc-maint-00000c3f;2", "TCSTATE=true") in new stack
    -- Executing [1@timeconditions:17] Return("Local/s@tc-maint-00000c3f;2", "") in new stack
    -- Executing [s@tc-maint:4] System("Local/s@tc-maint-00000c3f;2", "/var/lib/asterisk/bin/schedtc.php 60 /var/spool/asterisk/outgoing 0") in new stack
    -- Executing [s@tc-maint:5] Answer("Local/s@tc-maint-00000c3f;2", "") in new stack
    -- Local/s@tc-maint-00000c3f;1 answered
       > Launching NoCDR() on Local/s@tc-maint-00000c3f;1
  == Spawn extension (tc-maint, s, 5) exited non-zero on 'Local/s@tc-maint-00000c3f;2'
[2014-08-07 13:45:00] NOTICE[5146]: pbx_spool.c:402 attempt_thread: Call completed to Local/s@tc-maint
14

I have seen this in relation to the time conditions module before. Try uninstalling the module, reloading FreePBX, and then re-installing it. I’ve not had the inclination yet to try and figure out why it happens.

15

Hello Miken.

I actually use the time condition module and i need it.

But what was odd is that on asterisk (before without freepbx) i used also time conditions in my extension.conf and i never had such log.