Got Hacked From Israel!

Hi,

I cannot believe how we got hacked but I am thankful to the FreePBX and Schoomze support and management who have helped me vastly!

I am still trying to figure out how we got hacked, which is why I need some assistance from the community. As far as I can see Freepbx GUI hasn’t had any user admin added or passwords changed. The Asterisk box wasn’t hacked into as far as I am aware but I would like to know how to check this.

Basically, the hacker started on the 9th of April and finally succeeded on the 14th. “He” was able to make thousands of international calls to premium rate numbers.

I was made aware of this by our Telco Provider, BT, who have blocked all international outbound calls. All our passwords have been changed, however the cheek of it is that the hacker has still persisted to hack in.

I have since installed rkhunter but don't know how to modify it to our needs as I am not a techie. We are a very small company with 5 staff and we have an external IT consultant who has very limited knowledge of Asterisk.

I want to know how to check how he got in and how I can find him!

This is the log file of the hackster:

[2014-04-16 14:34:27] VERBOSE[16828] netsock2.c: == Using SIP RTP TOS bits 184
[2014-04-16 14:34:27] VERBOSE[16828] netsock2.c: == Using SIP RTP CoS mark 5
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: -- Executing [00972592891004@from-sip-external:1] NoOp("SIP/xx.xxx.xxx.xx-000000d6", "Received incoming SIP connection from unknown peer to 00972592891004") in new stack
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: -- Executing [00972592891004@from-sip-external:2] Set("SIP/xx.xxx.xxx.xx-000000d6", "DID=00972592891004") in new stack
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: -- Executing [00972592891004@from-sip-external:3] Goto("SIP/xx.xxx.xxx.xx-000000d6", "s,1") in new stack
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: -- Goto (from-sip-external,s,1)
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/xx.xxx.xxx.xx-000000d6", "0?checklang:noanonymous") in new stack
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: -- Goto (from-sip-external,s,5)
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: -- Executing [s@from-sip-external:5] Set("SIP/xx.xxx.xxx.xx-000000d6", "TIMEOUT(absolute)=15") in new stack
[2014-04-16 14:34:27] VERBOSE[20339] func_timeout.c: Channel will hangup at 2014-04-16 14:34:42.528 BST.
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: -- Executing [s@from-sip-external:6] Log("SIP/xx.xxx.xxx.xx-000000d6", "WARNING,"Rejecting unknown SIP connection from 204.12.193.10"") in new stack
[2014-04-16 14:34:27] WARNING[20339] Ext. s: "Rejecting unknown SIP connection from 204.12.193.10"
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: -- Executing [s@from-sip-external:7] Answer("SIP/xx.xxx.xxx.xx-000000d6", "") in new stack
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: == Spawn extension (from-sip-external, s, 7) exited non-zero on 'SIP/xx.xxx.xxx.xx-000000d6'
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: -- Executing [h@from-sip-external:1] Hangup("SIP/xx.xxx.xxx.xx-000000d6", "") in new stack
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/xx.xxx.xxx.xx-000000d6'
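The log above is the pattern a defender wants to pull out of /var/log/asterisk/full in bulk: which source addresses are hitting the from-sip-external context as unauthenticated guests, how often, and what they are trying to dial. The following script is an added example, not code from the thread or from the FreePBX project. It parses lines in the format quoted above, counts rejections per source, and flags any source that is not inside the networks you actually expect SIP from (your provider's gateway, known remote extensions). The log lines, the addresses 203.0.113.7 and 198.51.100.20, the dialed numbers and the 198.51.100.0/24 "provider" network are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: three guest-call attempts in the format of the Asterisk
# full log quoted in the thread. The source addresses (RFC 5737 documentation
# ranges) and the dialed numbers are made up for this example.
SAMPLE_LOG = """\
[2014-04-16 14:34:27] VERBOSE[20339] pbx.c: -- Executing [00972592891004@from-sip-external:1] NoOp("SIP/203.0.113.7-000000d6", "Received incoming SIP connection from unknown peer to 00972592891004") in new stack
[2014-04-16 14:34:27] WARNING[20339] Ext. s: "Rejecting unknown SIP connection from 203.0.113.7"
[2014-04-16 14:35:02] VERBOSE[20339] pbx.c: -- Executing [00972592891005@from-sip-external:1] NoOp("SIP/203.0.113.7-000000d7", "Received incoming SIP connection from unknown peer to 00972592891005") in new stack
[2014-04-16 14:35:02] WARNING[20339] Ext. s: "Rejecting unknown SIP connection from 203.0.113.7"
[2014-04-16 15:01:11] VERBOSE[20339] pbx.c: -- Executing [0044123456789@from-sip-external:1] NoOp("SIP/198.51.100.20-000000d8", "Received incoming SIP connection from unknown peer to 0044123456789") in new stack
[2014-04-16 15:01:11] WARNING[20339] Ext. s: "Rejecting unknown SIP connection from 198.51.100.20"
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Priority 1 of from-sip-external: the NoOp carries the source address (inside
# the channel name) and the number the guest tried to dial.
NOOP_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\].*?Executing \[(?P<dialed>[^@\]]+)@from-sip-external:1\] '
    r'NoOp\("SIP/(?P<ip>' + IPV4 + r')-[0-9A-Fa-f]+", '
    r'"Received incoming SIP connection from unknown peer'
)
REJECT_RE = re.compile(r'Rejecting unknown SIP connection from (?P<ip>' + IPV4 + r')')


def parse_guest_attempts(log_text):
    """One record per unauthenticated (guest) call attempt seen in the full log."""
    attempts = []
    for line in log_text.splitlines():
        m = NOOP_RE.search(line)
        if m:
            attempts.append({"ts": m["ts"], "ip": m["ip"], "dialed": m["dialed"]})
    return attempts


def count_rejections(log_text):
    """How many times the dialplan logged a rejection, per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            counts[m["ip"]] += 1
    return counts


def summarize_by_source(attempts):
    """Group attempts by source address: count plus the numbers that were tried."""
    by_ip = defaultdict(lambda: {"attempts": 0, "dialed": []})
    for a in attempts:
        by_ip[a["ip"]]["attempts"] += 1
        by_ip[a["ip"]]["dialed"].append(a["dialed"])
    return dict(by_ip)


def unexpected_sources(attempts, allowed_networks):
    """Source addresses outside the networks you expect SIP from. Anything
    returned here is a candidate for a firewall block and a fail2ban check."""
    nets = [ip_network(n) for n in allowed_networks]
    return sorted(
        {a["ip"] for a in attempts
         if not any(ip_address(a["ip"]) in net for net in nets)}
    )


if __name__ == "__main__":
    attempts = parse_guest_attempts(SAMPLE_LOG)
    for ip, info in summarize_by_source(attempts).items():
        print(f"{ip}: {info['attempts']} guest attempt(s), dialed {info['dialed']}")
    # 198.51.100.0/24 stands in for the provider's network in this example.
    print("unexpected:", unexpected_sources(attempts, ["198.51.100.0/24"]))
```

Run it against a real full log by reading the file into `parse_guest_attempts` and passing your provider's and remote extensions' networks to `unexpected_sources`; a source that shows up repeatedly with sequential international numbers is the scanning behaviour described in the thread.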

Oh my you have the very rare and often fatal Menachem Begin trojan.

It can’t be eradicated by any tool other than the “Camp David” software.

It works by finding extensions and making phone calls on servers that do not have secure SIP credentials.

@SkykingOH Can you elaborate for peeps like me who are still learning about Asterisk?

"It works by finding extensions and making phone calls on servers that do not have secure SIP credentials"

    • Are you referring to extensions without passwords or weak ones?
    • No route password on outgoing routes?

Also, with regards to hardening Asterisk, if

    • Allow SIP Guests = No
    • Allow Anonymous Inbound SIP Calls = No

Does this mean we won't see the following in the call logs?

Many thanks

2014-04-16 21:16:02   1397679362.1560 SIP 1111110   Answer s   ANSWERED 00:00        
2014-04-16 21:16:00   1397679360.1559 SIP 1111110   Wait s   ANSWERED 00:01        
2014-04-16 21:15:58   1397679358.1558 SIP 1111110   Answer s   ANSWERED 00:01        
2014-04-16 21:15:55   1397679355.1557 SIP 1111110   Wait s   ANSWERED 00:01        
2014-04-16 21:15:54   1397679354.1556 SIP 1111110   Wait s   ANSWERED 00:00        
2014-04-16 19:38:23   1397673503.1555 SIP 1111101   Answer s   ANSWERED 00:00        
2014-04-16 19:38:21   1397673501.1554 SIP 1111101   Answer s   ANSWERED 00:00        
2014-04-16 19:38:18   1397673498.1553 SIP 1111101   Answer s   ANSWERED 00:01        
2014-04-16 19:38:18   1397673498.1552 SIP 1111101   Answer s   ANSWERED 00:00        
2014-04-16 19:38:15   1397673495.1551 SIP 1111101   Answer s   ANSWERED 00:00        
2014-04-16 18:00:36   1397667636.1550 SIP 1111011   Answer s   ANSWERED 00:00        
2014-04-16 18:00:33   1397667633.1549 SIP 1111011   Answer s   ANSWERED 00:01        
2014-04-16 18:00:31   1397667631.1548 SIP 1111011   Answer s   ANSWERED 00:00        
2014-04-16 18:00:28   1397667628.1547 SIP 1111011   Wait s   ANSWERED 00:00        
2014-04-16 18:00:25   1397667625.1546 SIP 1111011   Answer s   ANSWERED 00:00        
2014-04-16 16:23:13   1397661793.1545 SIP 1110111   Answer s   ANSWERED 00:00        
2014-04-16 16:23:11   1397661791.1544 SIP 1110111   Answer s   ANSWERED 00:01        
2014-04-16 16:23:08   1397661788.1543 SIP 1110111   Answer s   ANSWERED 00:00        
2014-04-16 16:23:07   1397661787.1542 SIP 1110111   Answer s   ANSWERED 00:00        
2014-04-16 16:23:05                            

This has been discussed ad nauseam. You also didn’t acknowledge my Begin joke.

I was referring to extensions with weak secrets. Trunks with weak secrets would not be an issue unless they are dynamic.

Of course there is always the issue as to why the server is wide open to the Internet without any access controls.

How was it installed? If you had used our distro, an IDS, Fail2ban, is included.

Sorry, it was late here.

    • On my server I haven't any weak passwords
    • I only recently became aware of the "allow SIP Guests" option
    • Yes I used your distro, was vaguely aware of Fail2ban but haven't a clue how to use it

Which is why I asked the questions.

Any links would be appreciated, tyia

Have to admit that was funny :slight_smile:

We have very secure passwords on our SIP lines, including extensions but it seems that is what has happened here. Whoever hacked in was going through the extensions but it took one week before the person was successful.

Thing is we have a gateway (samsung box) which our telco has provided. So am not sure how this person hacked in.

Forgot to mention, we have a Dahdi Digium card, so there are no secrets on our trunk.

Is there a way to track the hacker back?

I don’t understand what you mean trace the hacker back?

You want to find their IP?

If you look at the logs you sent the calls are coming unauthenticated via SIP. You must still be allowing guests.

Have you been to our support wiki yet? Documentation on fail2ban and other aspects of security can be found.

We always had the guests on but anonymous off past 18 months and we never had an issue. I closed SIP guests yesterday.

I want to find their IP and much more. I also want to know how they hacked into us.

The unfortunate truth is that you were running a VoIP service on udp/5060 without any protection.

That is exactly what I thought and have been in contact with our telco provider about this.

How can I protect the udp/5060 port? I have since closed it and our calls are working fine.

One effective solution is to change the SIP port to something else; the drive-bys only look for a very limited range. Also add a firewall that detects port scanning, like CSF, and an effective IDS like Fail2Ban.

Thanks dicko for the excellent advice. We are changing our router to a more powerful one. However our telco provider has put in a Samsung Unigate router in which has its own firewall.

As mentioned previously, I am not a techie, but if the gateway (Unigate) has its own firewall between our firewall and the Asterisk box, how did the hacker manage to get in? I therefore don't understand the use of the Unigate. Is it needed?

A firewall is only as good as its programming; allowing UDP/5060 in opens you up to a whole slew of attacks unless further restricted by allowed networks. As these are discovered they are usually patched, or at least exposed by Asterisk, in short order. Also be aware of “man in the middle” attacks where the breach is indirectly through one of your localnet machines or possibly an externally registered extension.

You definitely have given me some food for thought. I have installed RKHunter as opposed to Fail2Ban. Should I also install Fail2Ban?

The new router/firewall has got DoS defense setup which has got port scan detection. Am not sure if I should mention here which one we have bought.

What about the SIP Trunking Gateway our telco (BT) has provided? I still don't understand why they have installed this.

RKHunter or something like it is essential, but has limited effectiveness unless installed before anything else; it can catch changes, but it matches against the state of the machine when it was installed (when you run prop-update). It does not really help for SIP attacks, but will help prevent attacks that remain dormant in your system and wake up on schedule, usually by a cron job, occasionally by “at”. Very often the provider’s box is used to re-present your external network that comes to you over a “private” route they control. If you have access to it you can see what they are doing; if not, sometimes a traceroute will reveal layer 3 paths. Some boxes re-present you a layer 3 network over a layer 2 infrastructure.

If you also had a log of one of the hacker’s successful calls we could tell you the exact attack vector.

People confuse the function of firewalls.

The core function of a firewall is to block or pass traffic based on rules.

Some firewalls are dumb and those rules are simply IP services like TCP, UDP, ICMP and the port number. Most map services like HTTP, SSH, SMTP, etc., so you can say all inbound SMTP traffic is allowed to host x.x.x.x.

The next step of firewall is more of an IDS and has application signatures; it can pass or block whole service groups. Most of these have gone away and are now full stateful inspection boxes.

A stateful inspection examines the data contextually and contains signatures of attacks, viruses and other bad stuff. The key to these devices is the constant update of the signature database.

Most firewalls also block ping sweeps, syn attacks and the like.

When you say “shouldn’t my firewall have stopped it”, it makes me think you don’t understand the role of the firewall. More than likely you made a rule to allow your SIP traffic in (do you have remote extensions?) and the exploiter walked right in through the open door.
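To make the "open door" point concrete, the script below is an added example (not from the thread, the FreePBX distro or any firewall product) that models the dumb, rule-based firewall described above: first-match evaluation over protocol, destination port and source network, with an implicit final drop. It evaluates the same udp/5060 packet from three sources against two rule sets, the "allow SIP from anywhere" rule and the same rule restricted to the provider's and remote extensions' networks, and renders the restricted rules as iptables commands. The networks 198.51.100.0/24 and 192.0.2.0/24, the addresses and the `to_iptables` mapping are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "drop"
    proto: Optional[str] = None   # "udp", "tcp", "icmp"; None matches any
    dport: Optional[int] = None   # destination port; None matches any
    src: Optional[str] = None     # source network in CIDR; None matches any

    def matches(self, proto, dport, src_ip):
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        if self.src is not None and ip_address(src_ip) not in ip_network(self.src):
            return False
        return True


def decide(rules, proto, dport, src_ip):
    """First-match evaluation with an implicit final drop (default deny)."""
    for rule in rules:
        if rule.matches(proto, dport, src_ip):
            return rule.action
    return "drop"


def to_iptables(rule, chain="INPUT"):
    """Render a rule as an iptables command (assumed mapping, for illustration)."""
    parts = ["iptables", "-A", chain]
    if rule.proto:
        parts += ["-p", rule.proto]
    if rule.dport is not None:
        parts += ["--dport", str(rule.dport)]
    if rule.src:
        parts += ["-s", rule.src]
    parts += ["-j", "ACCEPT" if rule.action == "accept" else "DROP"]
    return " ".join(parts)


# The "open door": SIP accepted from anywhere, so any scanner on the Internet
# reaches udp/5060 and the PBX's own SIP settings are the only thing left.
OPEN_DOOR = [Rule("accept", "udp", 5060)]

# Restricted: only the provider's trunk network and a known remote-extension
# network (both constructed, RFC 5737 documentation ranges) may reach udp/5060.
RESTRICTED = [
    Rule("accept", "udp", 5060, "198.51.100.0/24"),
    Rule("accept", "udp", 5060, "192.0.2.0/24"),
]

PROVIDER_GW = "198.51.100.20"   # constructed: the telco's SIP gateway
REMOTE_EXT = "192.0.2.15"       # constructed: a remote extension's network
SCANNER = "203.0.113.7"         # constructed: an Internet scanner


def compare(src_ip):
    """Verdict for a udp/5060 packet from src_ip under both rule sets."""
    return {
        "open_door": decide(OPEN_DOOR, "udp", 5060, src_ip),
        "restricted": decide(RESTRICTED, "udp", 5060, src_ip),
    }


if __name__ == "__main__":
    for name, ip in [("provider", PROVIDER_GW), ("remote ext", REMOTE_EXT), ("scanner", SCANNER)]:
        print(f"{name:10s} {ip:15s} {compare(ip)}")
    for r in RESTRICTED:
        print(to_iptables(r))
```

The scanner is accepted under `OPEN_DOOR` and dropped under `RESTRICTED`, while the provider gateway and the remote extension pass both, which is the difference between "I have a firewall" and "my firewall restricts SIP to allowed networks". Remote extensions on changing addresses are the case this does not cover; that is where fail2ban and a non-default SIP port, as suggested earlier in the thread, earn their keep.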