FreePBX Fraud attack

Hi,

Need help checking what happened here. My current setup is Twilio SIP Trunk -> FreePBX.

I am using a WAN IP in my FreePBX and enabled Firewall and Intruder Alert. Someone was registering to my PBX for several hours; I haven’t seen logs in which he successfully registered SIP to my PBX. After that he used all my credits in Twilio to spam calls to certain numbers. My PBX is not accessible via other IPs unless they pass through my gateway.

  1. What do you think happened here?
  2. How can I prevent this from happening again?

Thank you

Asterisk does not require registration to make calls (though each call must be authenticated).

Do the fraudulent calls appear in your CDRs? In the Asterisk log (including older logs in /var/log/asterisk/full* )?

If not, possibly your Twilio account was compromised, in which case Twilio should have records showing calls made from an IP address other than yours (not involving the PBX at all).

If Twilio shows the calls were made from your IP but there is no sign of them in any Asterisk log, the attacker likely somehow gained root access to your system and covered his tracks. You will have to start over with a new installation, possibly restoring from a backup that you know was not compromised.

If you do have logs, tell us what you see and we’ll help find out what went wrong.

Hi Stewart,

Thank you for your response. All fraud calls were visible in the PBX CDR and in the Twilio CDR. What was missing were the call logs from Feb 8 - 10, which is kinda weird.

On which dates were the fraudulent calls made?

Please post the output of
ll /var/log/asterisk/f*

also

ls -l /tmp

Hi Dicko and Stewart,

Please see details.

[[email protected] ~]# ll /var/log/asterisk/f*
-rw-r----- 1 asterisk asterisk 744725 Feb 15 10:02 /var/log/asterisk/fail2ban
-rw-rw-r-- 1 asterisk asterisk 8147803 Feb 5 03:31 /var/log/asterisk/fail2ban-20210205
-rw-rw-r-- 1 asterisk asterisk 8148715 Feb 6 03:29 /var/log/asterisk/fail2ban-20210206
-rw-rw-r-- 1 asterisk asterisk 4282341 Feb 7 03:21 /var/log/asterisk/fail2ban-20210207
-rw-r----- 1 asterisk asterisk 5233011 Feb 12 03:16 /var/log/asterisk/fail2ban-20210212
-rw-r----- 1 asterisk asterisk 6082178 Feb 13 03:46 /var/log/asterisk/fail2ban-20210213
-rw-r----- 1 asterisk asterisk 2642772 Feb 14 03:44 /var/log/asterisk/fail2ban-20210214
-rw-r----- 1 asterisk asterisk 2559199 Feb 15 03:11 /var/log/asterisk/fail2ban-20210215
-rw-rw-r-- 1 asterisk asterisk 209842 Feb 13 08:57 /var/log/asterisk/firewall.log
-rw-rw-r-- 1 asterisk asterisk 74412190 Feb 15 10:02 /var/log/asterisk/freepbx.log
-rw-rw-r-- 1 asterisk asterisk 106566923 Sep 26 03:50 /var/log/asterisk/freepbx.log-20200926
-rw-rw-r-- 1 asterisk asterisk 105793977 Oct 11 03:24 /var/log/asterisk/freepbx.log-20201011
-rw-rw-r-- 1 asterisk asterisk 105855981 Oct 26 03:20 /var/log/asterisk/freepbx.log-20201026
-rw-rw-r-- 1 asterisk asterisk 105979672 Nov 13 03:14 /var/log/asterisk/freepbx.log-20201113
-rw-rw-r-- 1 asterisk asterisk 105868980 Dec 11 03:44 /var/log/asterisk/freepbx.log-20201211
-rw-rw-r-- 1 asterisk asterisk 105741961 Jan 8 03:44 /var/log/asterisk/freepbx.log-20210108
-rw-rw-r-- 1 asterisk asterisk 106524577 Feb 5 03:31 /var/log/asterisk/freepbx.log-20210205
-rw-rw-r-- 1 asterisk asterisk 42037071 Feb 15 09:59 /var/log/asterisk/freepbx_security.log
-rw-r----- 1 asterisk asterisk 286 Feb 15 03:11 /var/log/asterisk/full
-rw-rw-r-- 1 asterisk asterisk 0 Aug 7 2020 /var/log/asterisk/full.0
-rw-rw-r-- 1 asterisk asterisk 0 Aug 6 2020 /var/log/asterisk/full.1
-rw-rw-r-- 1 asterisk asterisk 0 Aug 5 2020 /var/log/asterisk/full.2
-rw-rw-r-- 1 asterisk asterisk 3424398 Feb 5 03:32 /var/log/asterisk/full-20210205
-rw-rw-r-- 1 asterisk asterisk 3087094 Feb 6 03:29 /var/log/asterisk/full-20210206
-rw-rw-r-- 1 asterisk asterisk 882458 Feb 7 03:22 /var/log/asterisk/full-20210207
-rw-rw-r-- 1 asterisk asterisk 416506 Feb 12 03:16 /var/log/asterisk/full-20210212
-rw-r----- 1 asterisk asterisk 358 Feb 13 03:46 /var/log/asterisk/full-20210213
-rw-r----- 1 asterisk asterisk 358 Feb 14 03:44 /var/log/asterisk/full-20210214
-rw-r----- 1 asterisk asterisk 358 Feb 15 03:11 /var/log/asterisk/full-20210215
-rw-rw-r-- 1 asterisk asterisk 0 Aug 4 2020 /var/log/asterisk/full.3
-rw-rw-r-- 1 asterisk asterisk 0 Aug 3 2020 /var/log/asterisk/full.4
-rw-rw-r-- 1 asterisk asterisk 0 Aug 2 2020 /var/log/asterisk/full.5
-rw-rw-r-- 1 asterisk asterisk 0 Jul 30 2020 /var/log/asterisk/full.6
-rw-rw-r-- 1 asterisk asterisk 0 Jul 29 2020 /var/log/asterisk/full.7
-rw-rw-r-- 1 asterisk asterisk 0 Jul 28 2020 /var/log/asterisk/full.8


[[email protected] ~]# ls -l /tmp
total 528
-rwxrwxrwx 1 asterisk asterisk 0 Aug 6 2020 cron.error
-rw------- 1 root root 102448 Feb 6 09:16 phpfyVNIO
-rw------- 1 root root 102448 Feb 13 08:57 phpYjzHC3
-rw-r--r-- 1 asterisk asterisk 299092 Feb 15 10:03 reader.log
drwx------ 3 root root 17 Feb 11 16:17 systemd-private-6e3a689c911845e19aaa0ba39bb8ecb0-httpd.service-mxwkwo
drwx------ 3 root root 17 Feb 11 16:17 systemd-private-6e3a689c911845e19aaa0ba39bb8ecb0-mariadb.service-44US4v
drwx------ 3 root root 17 Jan 7 16:59 systemd-private-a43cff33157548359e3dcfd0c6cefa6f-httpd.service-BlM9f8
drwx------ 3 root root 17 Feb 11 16:20 systemd-private-ad0096cb867f437ca35f8c9b01cb9f23-chronyd.service-F9xhtW
drwx------ 3 root root 17 Feb 11 16:20 systemd-private-ad0096cb867f437ca35f8c9b01cb9f23-httpd.service-5saACT
drwx------ 3 root root 17 Feb 11 16:20 systemd-private-ad0096cb867f437ca35f8c9b01cb9f23-mariadb.service-3CjmGa
drwx------ 3 root root 17 Feb 11 16:20 systemd-private-ad0096cb867f437ca35f8c9b01cb9f23-mongod.service-cRLvLr

Fraud calls were made on February 8.

I think it’s likely that the log file deletions were done by the attacker. If the log content is still on the disk somewhere, it might be useful for forensic purposes (especially if this is a ‘new’ vulnerability), so avoid wiping it out if possible.

Cloud or on-site? If on-site, physical or virtual? What hardware firewall, if any, between PBX and the internet? What settings in FreePBX firewall?

Was the PBX current with all security updates? If not, when was it last updated? What forms of backup do you have?

If feasible, I would spin up a new PBX using your most recent backup before Feb 8, and test it for accessibility from the outside (SSH, admin GUI, UCP, provisioning, SIP). Scan for any open ports. If you left something wide open by mistake, it’s probably not worth it to find out exactly how the attacker got in, just start over with a new install and lock it down properly.

OTOH, if your test system seems secure, there may be some useful logs on the compromised system covering Feb. 8, e.g. Apache logs, system / security logs, etc. You may be able to recover the deleted files with testdisk or similar. Or, you may find the missing Asterisk log by searching the raw disk for one of the numbers the attacker called. It’s best if you can access the compromised file system from another clean system, or make an image copy to work on.

Knowing the details of your setup, we may be able to give more specific advice.
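Before hunting for deleted data, it helps to pin down exactly which days of the Asterisk `full` log are absent or truncated. The triage script below is an added example, not code from the thread or from FreePBX: it parses `ls -l`-style lines for the dated `full-YYYYMMDD` rotations, reports the days with no rotation at all, and flags rotations of only a few hundred bytes, far too small for a day of Asterisk logging. The sample listing is modelled on the one posted above, and the 1 KiB "stub" threshold is an assumption.

```python
import re
from datetime import date, timedelta

# Constructed sample, modelled on the `ll /var/log/asterisk/f*` output in the thread.
LISTING = """\
-rw-r----- 1 asterisk asterisk 286 Feb 15 03:11 /var/log/asterisk/full
-rw-rw-r-- 1 asterisk asterisk 3424398 Feb 5 03:32 /var/log/asterisk/full-20210205
-rw-rw-r-- 1 asterisk asterisk 3087094 Feb 6 03:29 /var/log/asterisk/full-20210206
-rw-rw-r-- 1 asterisk asterisk 882458 Feb 7 03:22 /var/log/asterisk/full-20210207
-rw-rw-r-- 1 asterisk asterisk 416506 Feb 12 03:16 /var/log/asterisk/full-20210212
-rw-r----- 1 asterisk asterisk 358 Feb 13 03:46 /var/log/asterisk/full-20210213
-rw-r----- 1 asterisk asterisk 358 Feb 14 03:44 /var/log/asterisk/full-20210214
-rw-r----- 1 asterisk asterisk 358 Feb 15 03:11 /var/log/asterisk/full-20210215
"""

# mode, link count, owner, group, size, then anything up to the dated rotation name
ROTATED = re.compile(r"^(\S+)\s+\d+\s+\S+\s+\S+\s+(\d+)\s+.*?/full-(\d{8})$")


def parse_rotations(listing):
    """Return {date: (size_bytes, mode)} for every full-YYYYMMDD rotation."""
    rotations = {}
    for line in listing.splitlines():
        m = ROTATED.match(line.strip())
        if m:
            mode, size, stamp = m.group(1), int(m.group(2)), m.group(3)
            d = date(int(stamp[:4]), int(stamp[4:6]), int(stamp[6:]))
            rotations[d] = (size, mode)
    return rotations


def find_gaps(rotations):
    """Days between the first and last rotation that have no log file at all."""
    if not rotations:
        return []
    days = sorted(rotations)
    gaps, d = [], days[0]
    while d < days[-1]:
        if d not in rotations:
            gaps.append(d)
        d += timedelta(days=1)
    return gaps


def find_stubs(rotations, min_bytes=1024):
    """Rotations too small to hold a day of Asterisk logging (threshold assumed)."""
    return sorted(d for d, (size, _) in rotations.items() if size < min_bytes)


if __name__ == "__main__":
    rot = parse_rotations(LISTING)
    print("missing days:", [g.isoformat() for g in find_gaps(rot)])
    print("stub rotations:", [s.isoformat() for s in find_stubs(rot)])
```

Run against the real listing with `ls -l /var/log/asterisk/full* | python3 triage.py` style input (after replacing `LISTING` with `sys.stdin.read()`); the days it reports are the ones to target when carving the raw disk or when correlating with the CDR and Apache logs.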

This is an on-site physical device. Currently it’s not passing through any firewall between the PBX and the Internet; only the built-in firewall by FreePBX was enabled.

FreePBX Settings:

Responsive Firewall: Enabled
Legacy Chan Sip: Enabled
Intrusion Detection: Enabled
IP’s in Network Tab are our WAN IP’s, Twilio IP’s only
FreePBX Version: 15.0.17.24
Asterisk Version: 16.11.1

What you are stating looks good. Can you scan for open ports from an outside address? (This isn’t a complete test, because the attacker may have closed the port he came in through.)

Are the logs in /var/log/httpd intact? If so, anything interesting around the time of the first call?

How about /var/log/secure* ? If so, any sshd logins around that time?

What do the CDRs show? Straightforward calls from an existing extension, or something else? What numbers did the attacker call? Any incoming calls just before the outgoing?
