We had an issue on Sunday when our FreePBX was misused for making calls to Africa. All the calls originate from one extension (211).
I searched the log files and found an entry, but I'm not into FreePBX enough to understand what happened.
Could someone who is more experienced please look at the log entries and tell me what exactly happened and where I have to search for the vulnerability?
I changed the passwords for the trunk, the extensions and the admin page of the FreePBX installation as a first action.
Here are the log entries for the first call and some lines before the call was initiated:
[2024-12-08 03:12:58] VERBOSE[10980] res_pjsip_registrar.c: Added contact 'sip:[email protected]:22686;x-ast-orig-host=10.5.0.2:5094' to AOR '211' with expiration of 180 seconds
[2024-12-08 03:12:58] VERBOSE[26799] res_pjsip/pjsip_configuration.c: Endpoint 211 is now Reachable
[2024-12-08 03:12:58] VERBOSE[26799] res_pjsip/pjsip_options.c: Contact 211/sip:[email protected]:22686;x-ast-orig-host=10.5.0.2:5094 is now Reachable. RTT: 257.577 msec
[2024-12-08 03:13:00] VERBOSE[18023] netsock2.c: Using SIP RTP Audio TOS bits 184
[2024-12-08 03:13:00] VERBOSE[18023] netsock2.c: Using SIP RTP Audio TOS bits 184 in TCLASS field.
[2024-12-08 03:13:00] VERBOSE[18023] netsock2.c: Using SIP RTP Audio CoS mark 5
[2024-12-08 03:13:00] VERBOSE[3541][C-0000042d] pbx.c: Executing [900390924514292@from-internal:1] Macro("PJSIP/211-00000a87", "user-callerid,LIMIT,EXTERNAL,") in new stack
The quoted log lines indicate a successful PJSIP registration to extension 211, that's it. To do that, they would have had to know the SIP secret. Assuming the hacker did not create the extension themselves, there are a number of ways that the SIP secret might be gained, including brute forcing any service exposed to the public. One of the more common methods would be a malicious user successfully downloading a provisioning file, as they have SIP secrets in plain text.
Yeah - I didn't see any registration in the log. How would they do that? It must have been a brute force attack, as we only have two human users on our PBX. I can assure you that there was no phishing involved.
The passwords were the cryptic ones (random letters & numbers) that FreePBX creates. 20 digits. The firewall is configured so that it blocks any IP that fails 3 times to log in.
I just want to understand what exactly happened and where I have to search for the weak point. I changed the SIP passwords to 64 characters: letters, numbers and special characters. But I really don't know if they used the passwords at all, as there is no login.
With SIP there isn’t really a log in. If you require authentication, every request has to be authenticated. The FreePBX GUI doesn’t allow you to have unauthenticated extensions, although Asterisk does.
If it were a brute force attack, you would expect to see the failed attempts, so I think the passwords have been compromised by other means, possibly by using the provisioning mechanisms.
Register is telling the PABX how to reach the device, not an actual log in.
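A small detection script, added here as an illustration and not part of any post above, that applies the thread's reasoning to Asterisk "full" log lines: it records the source address of each "Added contact … to AOR" registration and flags outbound calls from `from-internal` that follow a registration from outside the trusted networks within a short window. The sample lines are constructed from the excerpt above (the public address, the 212 extension and the `TRUSTED_NETS` prefixes are assumptions; adjust them for your site).

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the thread's log excerpt; 203.0.113.45 is a
# documentation address standing in for the unknown registering host.
SAMPLE_LOG = """\
[2024-12-08 03:12:58] VERBOSE[10980] res_pjsip_registrar.c: Added contact 'sip:211@203.0.113.45:22686;x-ast-orig-host=10.5.0.2:5094' to AOR '211' with expiration of 180 seconds
[2024-12-08 03:12:58] VERBOSE[26799] res_pjsip/pjsip_configuration.c: Endpoint 211 is now Reachable
[2024-12-08 03:13:00] VERBOSE[3541][C-0000042d] pbx.c: Executing [900390924514292@from-internal:1] Macro("PJSIP/211-00000a87", "user-callerid,LIMIT,EXTERNAL,") in new stack
[2024-12-08 09:30:10] VERBOSE[10980] res_pjsip_registrar.c: Added contact 'sip:212@192.168.1.20:5060' to AOR '212' with expiration of 180 seconds
[2024-12-08 09:31:00] VERBOSE[3541][C-0000042e] pbx.c: Executing [5551234@from-internal:1] Macro("PJSIP/212-00000a88", "user-callerid,LIMIT,EXTERNAL,") in new stack
"""

TS = r"\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]"
# Registration: timestamp, contact IP, AOR (extension number).
REG_RE = re.compile(TS + r".*Added contact 'sip:[^@]*@([\d.]+):\d+[^']*' to AOR '(\d+)'")
# Outbound call entering the dialplan: timestamp, dialled number, calling extension.
CALL_RE = re.compile(TS + r'.*Executing \[(\d+)@from-internal:1\] Macro\("PJSIP/(\d+)-')
# Assumed internal address prefixes; phones registering from elsewhere are suspect.
TRUSTED_NETS = ("10.", "192.168.")


def find_suspicious_calls(log_text, window=timedelta(minutes=10)):
    """Return (extension, dialled_number, contact_ip) for every outbound call
    placed within `window` of that extension registering from an untrusted IP."""
    last_reg = {}  # extension -> (registration time, contact IP)
    hits = []
    for line in log_text.splitlines():
        m = REG_RE.search(line)
        if m:
            last_reg[m.group(3)] = (datetime.fromisoformat(m.group(1)), m.group(2))
            continue
        m = CALL_RE.search(line)
        if not m:
            continue
        when, dialled, ext = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        reg = last_reg.get(ext)
        if reg and not reg[1].startswith(TRUSTED_NETS) and when - reg[0] <= window:
            hits.append((ext, dialled, reg[1]))
    return hits


if __name__ == "__main__":
    for ext, number, ip in find_suspicious_calls(SAMPLE_LOG):
        print(f"extension {ext} registered from {ip} and dialled {number} shortly after")
```

Run it against `/var/log/asterisk/full` to list which registrations preceded the unwanted calls; the contact address tells you whether the secret was used from outside your network, which is the question left open in the thread.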