Hi,
I cannot believe how we got hacked, but I am thankful to the FreePBX and Schmooze support and management who have helped me vastly!
I am still trying to figure out how we got hacked, which is why I need some assistance from the community. As far as I can see the FreePBX GUI hasn't had any admin user added or passwords changed. The Asterisk box wasn't hacked into as far as I am aware, but I would like to know how to check this.
Basically, the hacker started on the 9th of April and finally succeeded on the 14th. “He” was able to make thousands of international calls to premium rate numbers.
I was made aware of this by our telco provider, BT, who have blocked all international outbound calls. All our passwords have been changed; however, the cheek of it is that the hacker has still persisted in hacking in.
I have since installed rkhunter but don't know how to modify it to our needs, as I am not a techie. We are a very small company with 5 staff and we have an external IT consultant who has very limited knowledge of Asterisk.
I want to know how I check how he got in and how I can find him!
This is the log file of the hackster:
[2014-04-16 14:34:27] VERBOSE[16828] netsock2.c: == Using SIP RTP TOS bits 184
[2014-04-16 14:34:27] VERBOSE[16828] netsock2.c: == Using SIP RTP CoS mark 5
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: -- Executing [00972592891004@from-sip-external:1] NoOp("SIP/xx.xxx.xxx.xx-000000d6", "Received incoming SIP connection from unknown peer to 00972592891004") in new stack
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: -- Executing [00972592891004@from-sip-external:2] Set("SIP/xx.xxx.xxx.xx-000000d6", "DID=00972592891004") in new stack
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: -- Executing [00972592891004@from-sip-external:3] Goto("SIP/xx.xxx.xxx.xx-000000d6", "s,1") in new stack
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: -- Goto (from-sip-external,s,1)
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/xx.xxx.xxx.xx-000000d6", "0?checklang:noanonymous") in new stack
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: -- Goto (from-sip-external,s,5)
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: -- Executing [s@from-sip-external:5] Set("SIP/xx.xxx.xxx.xx-000000d6", "TIMEOUT(absolute)=15") in new stack
[2014-04-16 14:34:27] VERBOSE[20339] func_timeout.c: Channel will hangup at 2014-04-16 14:34:42.528 BST.
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: -- Executing [s@from-sip-external:6] Log("SIP/xx.xxx.xxx.xx-000000d6", "WARNING,"Rejecting unknown SIP connection from 204.12.193.10"") in new stack
[2014-04-16 14:34:27] WARNING[20339] Ext. s: "Rejecting unknown SIP connection from 204.12.193.10"
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: -- Executing [s@from-sip-external:7] Answer("SIP/xx.xxx.xxx.xx-000000d6", "") in new stack
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: == Spawn extension (from-sip-external, s, 7) exited non-zero on 'SIP/xx.xxx.xxx.xx-000000d6'
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: -- Executing [h@from-sip-external:1] Hangup("SIP/xx.xxx.xxx.xx-000000d6", "") in new stack
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/xx.xxx.xxx.xx-000000d6'
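An added triage example for the kind of log excerpt quoted in the post (this is editor-supplied code, not part of the original post, of FreePBX or of Asterisk). The excerpt shows the signature of an anonymous inbound SIP call hitting the `from-sip-external` context: the dialplan thread logs the dialled number on the `Executing [DID@from-sip-external:1] NoOp(...)` line and, a few steps later, the source address on the `Rejecting unknown SIP connection from IP` warning. The script below pairs those two lines by thread id, counts attempts per source IP over the whole `full` log, and flags addresses that either exceed a threshold or dialled international-looking numbers. The sample log lines are constructed (only the first IP and DID come from the post), and the "00/+ means international" rule is an assumption based on UK trunk dialling.

```python
"""Triage helper for Asterisk 'full' log lines (added example, not project code).

Pairs each "Executing [DID@from-sip-external:1] NoOp(...)" line with the
"Rejecting unknown SIP connection from IP" warning logged by the same
dialplan thread, then summarises attempts per source address.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the first IP and DID mirror the post; everything else is made up.
SAMPLE_LOG = """\
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c:     -- Executing [00972592891004@from-sip-external:1] NoOp("SIP/xx.xxx.xxx.xx-000000d6", "Received incoming SIP connection from unknown peer to 00972592891004") in new stack
[2014-04-16 14:34:27] WARNING[20339] Ext. s: "Rejecting unknown SIP connection from 204.12.193.10"
[2014-04-16 14:34:31] VERBOSE[20339] pbx.c:     -- Executing [00972592891005@from-sip-external:1] NoOp("SIP/xx.xxx.xxx.xx-000000d7", "Received incoming SIP connection from unknown peer to 00972592891005") in new stack
[2014-04-16 14:34:31] WARNING[20339] Ext. s: "Rejecting unknown SIP connection from 204.12.193.10"
[2014-04-16 14:35:02] VERBOSE[20339] pbx.c:     -- Executing [100@from-sip-external:1] NoOp("SIP/xx.xxx.xxx.xx-000000d8", "Received incoming SIP connection from unknown peer to 100") in new stack
[2014-04-16 14:35:02] WARNING[20339] Ext. s: "Rejecting unknown SIP connection from 198.51.100.7"
"""

# Common prefix of every 'full' log line: timestamp, level and the dialplan thread id.
HEADER = r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (?P<level>[A-Z]+)\[(?P<tid>\d+)\] '
EXEC_RE = re.compile(HEADER + r'pbx\.c:\s+-- Executing \[(?P<did>[^@\]]+)@from-sip-external:1\] NoOp\(')
REJECT_RE = re.compile(HEADER + r'Ext\. s: "Rejecting unknown SIP connection from (?P<ip>[0-9.]+)"')


def parse_events(log_text):
    """Return one dict per rejected anonymous call: ts, tid, ip and did (did may be None)."""
    pending = {}  # thread id -> DID seen on that thread's first dialplan step
    events = []
    for line in log_text.splitlines():
        m = EXEC_RE.match(line)
        if m:
            pending[m['tid']] = m['did']
            continue
        m = REJECT_RE.match(line)
        if m:
            events.append({
                'ts': datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S'),
                'tid': m['tid'],
                'ip': m['ip'],
                'did': pending.pop(m['tid'], None),  # None if the NoOp line was not seen
            })
    return events


def is_international(did):
    # Assumption: UK-style dialling, where 00 or + prefixes an international number.
    return did is not None and (did.startswith('00') or did.startswith('+'))


def summarize(events, threshold=5):
    """Aggregate per source IP; flag an IP above the attempt threshold or dialling abroad."""
    by_ip = defaultdict(lambda: {'attempts': 0, 'dids': set(), 'first': None, 'last': None})
    for ev in events:
        rec = by_ip[ev['ip']]
        rec['attempts'] += 1
        if ev['did']:
            rec['dids'].add(ev['did'])
        rec['first'] = ev['ts'] if rec['first'] is None else min(rec['first'], ev['ts'])
        rec['last'] = ev['ts'] if rec['last'] is None else max(rec['last'], ev['ts'])
    for rec in by_ip.values():
        rec['dids'] = sorted(rec['dids'])
        rec['international'] = any(is_international(d) for d in rec['dids'])
        rec['flag'] = rec['attempts'] >= threshold or rec['international']
    return dict(by_ip)


def report(summary):
    """One line per IP, busiest first; '!!' marks addresses worth a closer look."""
    lines = []
    for ip, rec in sorted(summary.items(), key=lambda kv: -kv[1]['attempts']):
        mark = '!!' if rec['flag'] else '  '
        lines.append(f"{mark} {ip:15} attempts={rec['attempts']} international={rec['international']} "
                     f"window={rec['first']:%H:%M:%S}-{rec['last']:%H:%M:%S} dids={','.join(rec['dids'])}")
    return lines


if __name__ == '__main__':
    # In practice: parse_events(open('/var/log/asterisk/full').read()) with the default threshold.
    for line in report(summarize(parse_events(SAMPLE_LOG), threshold=2)):
        print(line)
```

Two caveats when using this on a real `full` log. First, this path only records calls that the `from-sip-external` context rejected; a call that actually went out over a trunk will show up in the CDR and in the trunk's own dialplan context, not on a "Rejecting unknown SIP connection" line, so the CDR is where the successful calls from the post need to be traced. Second, counting rejects per source IP is exactly what fail2ban does in real time from the same log; the offline pass above is for reconstructing the timeline after the fact (first and last attempt per address, which numbers were tried), which is what helps answer "when did it start and from where".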