Check if my pbx got compromised

How can I check if my pbx got compromised?

Where to start and where to end?

Is there a symptom that makes you think there is an issue? If so, what is it?

I have got too many hits coming in for 2 to 3 days and a lot of IPs got banned.

I want to check and identify any intruder activity, live or in the logs, and want to take preventive measures before it's too late.

Not sure what ‘too many hits’ means. IPs that are banned will include a reason in the notification, i.e. apache, sip, etc. which will indicate which service has been exposed. Bans are not indicative of an exploit, only of exposed service(s).

If you are just worried about toll fraud, look at the CDRs for unwanted calls and/or ask your provider for an interim total of chargeable calls. Toll fraud is the normal reason for attacking FreePBX.

If you are worried that rogue software has been installed, that will be quite difficult, especially if you don’t have a complete inventory of files and checksums from before any attack. Most people who think they have had the second type of compromise find it cheaper to re-install. Any checking of checksums, permissions, unexpected files, etc. should really be done by booting from a live DVD, or similar, or by taking the disk out and mounting it in another system.
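As an added example (not posted by anyone in this thread), here is a shell script that does the CDR check suggested above offline, against Asterisk's CSV CDR file instead of the FreePBX CDR report. Assumptions: the stock 18-field layout of /var/log/asterisk/cdr-csv/Master.csv (accountcode, src, dst, dcontext, clid, channel, dstchannel, lastapp, lastdata, start, answer, end, duration, billsec, disposition, amaflags, uniqueid, userfield); "international" means a destination starting with 011, 00 or + (a NANP-centric heuristic, adjust for your dial plan); "after-hours" means outside 07:00-19:00 server local time. The sample records are constructed.

```shell
#!/bin/sh
# Added example: toll-fraud triage over an Asterisk Master.csv-style CDR file.
# Fields are split on the quote-comma-quote sequence so commas inside a
# field (e.g. Dial options "PJSIP/...@trunk,300,Tt") do not break the layout.
# Field numbers follow the stock CDR CSV: 2=src 3=dst 10=start 14=billsec 15=disposition.

# Print ANSWERED calls that look like toll fraud, one per line:
#   start,src,dst,billsec,reason
suspicious_cdrs() {   # $1 = path to a Master.csv-style file
  awk -F'","' '
    $15 != "ANSWERED" { next }
    {
      reason = ""
      if ($3 ~ /^(011|00|[+])/) reason = "international"   # assumption: NANP-style prefixes
      hour = substr($10, 12, 2) + 0                          # start is "YYYY-MM-DD HH:MM:SS"
      if (hour < 7 || hour >= 19)                            # assumption: 07:00-19:00 is business hours
        reason = (reason == "" ? "" : reason ",") "after-hours"
      if (reason != "") printf "%s,%s,%s,%s,%s\n", $10, $2, $3, $14, reason
    }' "$1"
}

# Total billable seconds per source extension for ANSWERED calls, highest first.
# A single extension racking up hours overnight is the classic fraud signature.
billsec_by_src() {   # $1 = path to a Master.csv-style file
  awk -F'","' '$15 == "ANSWERED" { s[$2] += $14 } END { for (k in s) print s[k], k }' "$1" \
    | sort -rn
}

# Constructed sample: one ordinary daytime local call, one 3 a.m. 45-minute call to an
# international number, and one unanswered attempt at the same number.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
"","1001","2125551212","from-internal","John <1001>","PJSIP/1001-00000001","PJSIP/trunk-00000002","Dial","PJSIP/2125551212@trunk,300,Tt","2024-03-01 10:15:02","2024-03-01 10:15:10","2024-03-01 10:18:30","208","200","ANSWERED","3","1709288102.1",""
"","1001","01125299876543","from-internal","John <1001>","PJSIP/1001-00000003","PJSIP/trunk-00000004","Dial","PJSIP/01125299876543@trunk,300,Tt","2024-03-02 03:02:11","2024-03-02 03:02:15","2024-03-02 03:47:20","2709","2705","ANSWERED","3","1709348531.3",""
"","1002","01125299876543","from-internal","Jane <1002>","PJSIP/1002-00000005","","Dial","PJSIP/01125299876543@trunk,300,Tt","2024-03-02 03:05:00","","2024-03-02 03:05:30","30","0","NO ANSWER","3","1709348700.5",""
EOF

echo "== suspicious answered calls"
suspicious_cdrs "$SAMPLE"
echo "== billsec per source extension"
billsec_by_src "$SAMPLE"
```

On a real box point both functions at /var/log/asterisk/cdr-csv/Master.csv (or at the file your provider sends you, after adjusting field numbers); compare the billsec totals with the interim total the provider quotes, since the CDRs can only show calls this PBX believes it placed.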

They are coming in on SIP.

I got dozens of these emails flooding my inbox.

The IP 119.160.99.42 has just been banned by Fail2Ban after 6 attempts against SIP on localhost.
The IP 103.145.13.20 has just been banned by Fail2Ban after 5 attempts against SIP on localhost.
The IP 45.134.144.183 has just been banned by Fail2Ban after 5 attempts against SIP on localhost.
The IP 45.93.16.90 has just been banned by Fail2Ban after 5 attempts against SIP on localhost.

fail2ban only reports failed attempts, so it doesn’t tell you if there was a successful attack let alone whether the attack was toll fraud or an actual malware installation.

sngrep will show all connection attempts to "sip"; if there is more than one 'msgs', be worried. If you care to move your listening SIP port away from UDP/5060, you will have less angst :wink:

You can use the scripts below to see if your PBX was accessed from an untrusted IP address via the GUI and SSH.

  • sudo awk '{print $1}' /var/log/httpd/access_log | sort | uniq -c | sort -nr | head -20   # top 20 client IPs by request count
  • sudo grep 'sshd\[.*\]: Accepted ' /var/log/secure | grep -E -o "from ([0-9]{1,3}\.){3}[0-9]{1,3}" | cut -d ' ' -f 2 | sort | uniq -c | sort -nr   # source IPs of successful SSH logins

If you want to see if there have been unsuccessful attempts to access the server, try these scripts:

  • sudo grep "Failed password" /var/log/secure | grep -E -o "from ([0-9]{1,3}\.){3}[0-9]{1,3}" | cut -d ' ' -f 2 | sort | uniq -c | sort -nr   # failed SSH passwords by source IP
  • sudo grep "authentication failure" /var/log/secure | grep -E -o "rhost=[^ ]+" | cut -d = -f 2 | sort | uniq -c | sort -nr   # PAM failures by remote host (matches both single and "N more" lines)
  • sudo grep denied /var/log/httpd/error_log | grep -E -o "\[client ([0-9]{1,3}\.){3}[0-9]{1,3}" | cut -d ' ' -f 2 | sort | uniq -c | sort -nr   # clients denied by Apache, without the port number

If you can improve these scripts post back.
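As an added example (not posted by anyone in this thread), here is one script that builds on the one-liners above and addresses the point made earlier that fail2ban only reports failures: it pulls the successful events out of the same logs (SSH logins, GUI requests that were accepted, SIP registrations) and flags any source outside an allowlist. Assumed formats: rsyslog sshd lines in /var/log/secure, Apache combined log in /var/log/httpd/access_log, and Asterisk's full log carrying res_pjsip_registrar's "Added contact ... to AOR" message (chan_sip logs registrations differently). The sample lines, the 198.51.100.0/24 office range and the file paths are constructed for the example.

```shell
#!/bin/sh
# Added example: successful-access audit over sshd, Apache and Asterisk logs.
# Each extractor prints one "ip ..." line per source so a single allowlist
# filter can be applied to all three.

TRUSTED='^(198\.51\.100\.|127\.0\.0\.1 )'   # assumption: office range plus localhost, as an ERE

# stdin: one IP per line -> "ip count", most frequent first
count_ips() { sort | uniq -c | awk '{print $2, $1}' | sort -k2,2nr; }

# Successful SSH logins: "... sshd[NNN]: Accepted password for root from 203.0.113.9 port 55012 ssh2"
ssh_logins() {   # $1 = /var/log/secure
  grep 'sshd\[.*\]: Accepted ' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' | count_ips
}

# GUI requests that were NOT rejected: path under /admin/ and a 2xx/3xx status (field 9 of the combined log)
gui_hits() {   # $1 = /var/log/httpd/access_log
  awk '$7 ~ /^\/admin\// && $9 ~ /^[23]/ { print $1 }' "$1" | count_ips
}

# Successful SIP registrations: "... Added contact 'sip:1001@203.0.113.9:5060' to AOR '1001' with expiration of ..."
# prints "ip aor count"
sip_regs() {   # $1 = /var/log/asterisk/full
  grep "Added contact 'sip:" "$1" \
    | sed -E "s/.*Added contact 'sip:[^@]*@([0-9.]+):[0-9]+[^']*' to AOR '([^']*)'.*/\1 \2/" \
    | sort | uniq -c | awk '{print $2, $3, $1}'
}

# Drop lines whose leading IP matches the allowlist (grep exits 1 when nothing is left)
untrusted() { grep -Ev "$TRUSTED"; }

# Constructed samples: one intruder (203.0.113.9) that got in everywhere, plus office traffic
# and the kind of failures fail2ban already reports.
SECURE=$(mktemp); ACCESS=$(mktemp); FULL=$(mktemp)
trap 'rm -f "$SECURE" "$ACCESS" "$FULL"' EXIT
cat > "$SECURE" <<'EOF'
Mar  2 03:01:12 pbx sshd[2201]: Failed password for root from 45.93.16.90 port 40122 ssh2
Mar  2 03:01:15 pbx sshd[2201]: Failed password for root from 45.93.16.90 port 40122 ssh2
Mar  2 03:02:40 pbx sshd[2210]: Accepted password for root from 203.0.113.9 port 55012 ssh2
Mar  2 09:00:01 pbx sshd[2300]: Accepted publickey for admin from 198.51.100.20 port 51000 ssh2: RSA SHA256:abc
EOF
cat > "$ACCESS" <<'EOF'
198.51.100.20 - - [02/Mar/2024:09:05:10 +0000] "GET /admin/config.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Mar/2024:03:03:02 +0000] "POST /admin/config.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
45.134.144.183 - - [02/Mar/2024:03:10:44 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "curl/8.0"
EOF
cat > "$FULL" <<'EOF'
[2024-03-02 03:04:10] VERBOSE[1801] res_pjsip_registrar.c: Added contact 'sip:1001@203.0.113.9:5060' to AOR '1001' with expiration of 3600 seconds
[2024-03-02 03:05:00] NOTICE[1801] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1001" <sip:1001@pbx>' failed for '119.160.99.42:5060' (callid: abc) - Failed to authenticate
[2024-03-02 09:00:30] VERBOSE[1801] res_pjsip_registrar.c: Added contact 'sip:1001@198.51.100.50:5060' to AOR '1001' with expiration of 3600 seconds
EOF

report() {
  echo "== SSH logins from untrusted sources (ip count)";            ssh_logins "$SECURE" | untrusted
  echo "== GUI requests accepted from untrusted sources (ip count)"; gui_hits "$ACCESS" | untrusted
  echo "== SIP registrations from untrusted sources (ip aor count)"; sip_regs "$FULL" | untrusted
}
report
```

An empty section means nothing succeeded from outside the allowlist in the log window you scanned; remember that /var/log/secure and the Asterisk full log rotate, so run it against the rotated files too. A SIP registration from an unexpected address for a real extension is the finding that matters most here, because that is exactly what fail2ban's failure counts cannot show.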