Check if my pbx got compromised

faisalkhan · July 15, 2022, 6:18pm

How can I check if my pbx got compromised?

Where to start and where to end?

lgaetz · July 15, 2022, 7:14pm

Is there a symptom that makes you think there is an issue? If so, what is it?

faisalkhan · July 15, 2022, 7:29pm

I have got too many hits coming for 2 to 3 days and lot of IP got banned.

I want to check and identify any intruder activity live or in the logs and want to take preventive measures before it’s too late

lgaetz · July 15, 2022, 7:32pm

Not sure what ‘too many hits’ means. IPs that are banned will include a reason in the notification, i.e. apache, sip, etc. which will indicate which service has been exposed. Bans are not indicative of an exploit, only of exposed service(s).

david55 · July 15, 2022, 7:36pm

If you are just worried about toll fraud, look at the CDRs for unwanted calls and/or ask your provider for an interim total of chargeable calls. Toll fraud is the normal reason for attacking FreePBX.

If you are worried that rogue software has been installed, that will be quite difficult, especially if you don’t have a complete inventory of files and checksums from before any attack. Most people who think they have had the second type of compromise find it cheaper to re-install. Any checking of checksums, permissions, unexpected files, etc. should really be done by booting from a live DVD, or similar, or by taking the disk out and mounting it in another system.

faisalkhan · July 15, 2022, 7:40pm

they are coming on sip

faisalkhan · July 15, 2022, 7:42pm

I got dozen of these emails flooding my inbox.

The IP 119.160.99.42 has just been banned by Fail2Ban after
6 attempts against SIP on localhost.
The IP 103.145.13.20 has just been banned by Fail2Ban after
5 attempts against SIP on localhost.
The IP 45.134.144.183 has just been banned by Fail2Ban after
5 attempts against SIP on localhost.
The IP 45.93.16.90 has just been banned by Fail2Ban after
5 attempts against SIP on localhost.

david55 · July 15, 2022, 8:12pm

fail2ban only reports failed attempts, so it doesn’t tell you if there was a successful attack let alone whether the attack was toll fraud or an actual malware installation.

dicko · July 16, 2022, 12:05am

sngrep will show all connection attempts to “sip” , if there are more than one ‘msgs’ be worried, if you care to move your listening SIP port away from UDP/5060 you will have less angst

moussa854 · July 16, 2022, 5:46pm

You can use the scripts below to see if your PBX was accessed from untrusted IP address from the GUI and the SSH.

sudo cat /var/log/httpd/access_log | awk '{print $1}' | sort -n | uniq | sort -nr | head -20
sudo cat /var/log/secure | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | cut -f 11 -d ' '| sort | uniq | tr '\n' ' ' | sort -nr

If you want to see if there has been unsuccessful attempts to access the server, try these scripts:

sudo cat /var/log/secure | grep "Failed password" | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | cut -f 11 -d ' '| sort | uniq | tr '\n' ' ' | sort -nr
sudo cat /var/log/secure | grep "authentication failures" |cut -f 16 -d ' ' |cut -f 2 -d = | sort | uniq | tr '\n' ' ' | sort -nr
sudo cat /var/log/httpd/error_log | grep denied |cut -f 10 -d ' '| sed 's/.\{7\}$//' | sort | uniq | sort -nr

If you can improve these scripts post back.

system · August 16, 2022, 5:47pm

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.