Need help checking what happened here. My current setup is Twilio SIP Trunk -> FreePBX
I am using a WAN IP in my FreePBX and enabled Firewall and Intruder Alert. Someone has been registering to my PBX for several hours; I haven't seen logs of him successfully registering SIP to my PBX. After that he used all my credits in Twilio to spam calls to certain numbers. My PBX is not accessible via any other IP except if it passes through my gateway.
Asterisk does not require registration to make calls (though each call must be authenticated).
Do the fraudulent calls appear in your CDRs? In the Asterisk log (including older logs in /var/log/asterisk/full* )?
If not, possibly your Twilio account was compromised, in which case Twilio should have records showing calls made from an IP address other than yours (not involving the PBX at all).
If Twilio shows the calls were made from your IP but there is no sign of them in any Asterisk log, the attacker likely somehow gained root access to your system and covered his tracks. You will have to start over with a new installation, possibly restoring from a backup that you know was not compromised.
If you do have logs, tell us what you see and we’ll help find out what went wrong.
Thank you for your response. All fraud calls were visible in the PBX CDR and in the Twilio CDR. What was missing was the call logs from Feb 8 - 10, which is kinda weird.
I think it’s likely that the log file deletions were done by the attacker. If the log content is still on the disk somewhere, it might be useful for forensic purposes (especially if this is a ‘new’ vulnerability), so avoid wiping it out if possible.
Cloud or on-site? If on-site, physical or virtual? What hardware firewall, if any, between PBX and the internet? What settings in FreePBX firewall?
Was the PBX current with all security updates? If not, when was it last updated? What forms of backup do you have?
If feasible, I would spin up a new PBX using your most recent backup before Feb 8, and test it for accessibility from the outside (SSH, admin GUI, UCP, provisioning, SIP). Scan for any open ports. If you left something wide open by mistake, it’s probably not worth it to find out exactly how the attacker got in, just start over with a new install and lock it down properly.
OTOH, if your test system seems secure, there may be some useful logs on the compromised system covering Feb. 8, e.g. Apache logs, system / security logs, etc. You may be able to recover the deleted files with testdisk or similar. Or, you may find the missing Asterisk log by searching the raw disk for one of the numbers the attacker called. It’s best if you can access the compromised file system from another clean system, or make an image copy to work on.
Knowing the details of your setup, we may be able to give more specific advice.
This is an on-site physical device. Currently it's not passing through any firewall between the PBX and the Internet; only the built-in FreePBX firewall was enabled.
FreePBX Settings:
Responsive Firewall: Enabled
Legacy Chan Sip: Enabled
Intrusion Detection: Enabled
IPs in Network Tab are our WAN IPs and Twilio IPs only
FreePBX Version: 15.0.17.24
Asterisk Version: 16.11.1
What you are stating looks good. Can you scan for open ports from an outside address? (This isn’t a complete test, because the attacker may have closed the port he came in through.)
Are the logs in /var/log/httpd intact? If so, anything interesting around the time of the first call?
How about /var/log/secure* ? If so, any sshd logins around that time?
What do the CDRs show? Straightforward calls from an existing extension, or something else? What numbers did the attacker call? Any incoming calls just before the outgoing?
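A small triage helper for the two checks this thread keeps coming back to (which extension placed the burst of outbound calls and to which numbers, and which daily Asterisk log files are missing from the Feb 8 - 10 gap). This is an added example, not code from the thread or from FreePBX; the CDR rows and log file names are constructed, and the Master.csv column order and the `full-YYYYMMDD` rotated-log naming are assumptions.

```python
import csv
from datetime import date, datetime, timedelta
from io import StringIO

# Constructed sample CDR rows (not real traffic) in the Asterisk Master.csv
# column order this example assumes: accountcode,src,dst,dcontext,clid,channel,
# dstchannel,lastapp,lastdata,start,answer,end,duration,billsec,disposition,amaflags,uniqueid
SAMPLE_CDR = "\n".join([
    '"","1002","15550001111","from-internal","","PJSIP/1002-0a","PJSIP/twilio-0b","Dial","","2021-02-07 14:02:11","2021-02-07 14:02:15","2021-02-07 14:05:00","169","165","ANSWERED","3","1612706531.1"',
    '"","1001","000999000001","from-internal","","PJSIP/1001-1a","PJSIP/twilio-1b","Dial","","2021-02-08 03:10:02","2021-02-08 03:10:09","2021-02-08 03:12:40","158","151","ANSWERED","3","1612753802.2"',
    '"","1001","000999000002","from-internal","","PJSIP/1001-2a","PJSIP/twilio-2b","Dial","","2021-02-08 03:18:30","2021-02-08 03:18:41","2021-02-08 03:24:02","332","321","ANSWERED","3","1612754310.3"',
    '"","1001","000999000001","from-internal","","PJSIP/1001-3a","PJSIP/twilio-3b","Dial","","2021-02-08 03:25:12","2021-02-08 03:25:20","2021-02-08 03:31:55","403","395","ANSWERED","3","1612754712.4"',
    '"","1001","000999000003","from-internal","","PJSIP/1001-4a","PJSIP/twilio-4b","Dial","","2021-02-08 03:33:47","","2021-02-08 03:34:10","23","0","NO ANSWER","3","1612755227.5"',
])
# Constructed directory listing of /var/log/asterisk (rotated naming assumed).
SAMPLE_LOGS = ["full", "full-20210206", "full-20210207", "full-20210211"]

def outbound_bursts(cdr_text, threshold=3):
    """Map (src, clock hour) -> list of dialed numbers, for sources that placed
    at least `threshold` calls within one clock hour (a toll-fraud signature)."""
    calls = {}
    for row in csv.reader(StringIO(cdr_text)):
        src, dst, start = row[1], row[2], row[9]
        hour = datetime.strptime(start, "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%d %H:00")
        calls.setdefault((src, hour), []).append(dst)
    return {k: v for k, v in calls.items() if len(v) >= threshold}

def missing_log_days(present, first, last):
    """ISO dates in [first, last] with no full-YYYYMMDD file in `present`.
    A gap in otherwise daily rotation is worth treating as possible tampering."""
    have = {n.split("-", 1)[1] for n in present if n.startswith("full-")}
    d, end = date.fromisoformat(first), date.fromisoformat(last)
    out = []
    while d <= end:
        if d.strftime("%Y%m%d") not in have:
            out.append(d.isoformat())
        d += timedelta(days=1)
    return out

if __name__ == "__main__":
    for (src, hour), dsts in outbound_bursts(SAMPLE_CDR).items():
        print(f"{src} placed {len(dsts)} calls in hour {hour}: {sorted(set(dsts))}")
    print("days with no Asterisk full log:", missing_log_days(SAMPLE_LOGS, "2021-02-06", "2021-02-11"))
```

On a real box, feed it `/var/log/asterisk/cdr-csv/Master.csv` (or an export from the FreePBX CDR report) and `os.listdir("/var/log/asterisk")`, and compare the burst window against the httpd and secure logs mentioned above.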