Hacked...Please help me understand how...stop it

I have had a problem today with losing service on my switch; during the time it is down, international calls are being made. I noticed from the call logs that an extension registers from a foreign IP address, and after this point the system appears to be down…

See log…

[2012-07-20 20:08:15] VERBOSE[2954] chan_sip.c: -- Registered SIP '6214' at 37.8.29.64:10966
[2012-07-20 20:08:16] VERBOSE[2954] netsock2.c: == Using SIP RTP TOS bits 184
[2012-07-20 20:08:16] VERBOSE[2954] netsock2.c: == Using SIP RTP CoS mark 5
[2012-07-20 20:08:16] VERBOSE[10142] pbx.c: -- Executing [0014042605391@from-internal:1] ResetCDR("SIP/6214-00000045", "") in new stack
[2012-07-20 20:08:16] VERBOSE[10142] pbx.c: -- Executing [0014042605391@from-internal:2] NoCDR("SIP/6214-00000045", "") in new stack
[2012-07-20 20:08:16] VERBOSE[10142] pbx.c: -- Executing [0014042605391@from-internal:3] Progress("SIP/6214-00000045", "") in new stack
[2012-07-20 20:08:16] VERBOSE[10142] pbx.c: -- Executing [0014042605391@from-internal:4] Wait("SIP/6214-00000045", "1") in new stack
[2012-07-20 20:08:17] VERBOSE[10142] pbx.c: -- Executing [0014042605391@from-internal:5] Progress("SIP/6214-00000045", "") in new stack
[2012-07-20 20:08:17] VERBOSE[10142] pbx.c: -- Executing [0014042605391@from-internal:6] Playback("SIP/6214-00000045", "silence/1&cannot-complete-as-dialed&check-number-dial-again,noanswer") in new stack
[2012-07-20 20:08:17] VERBOSE[10142] file.c: -- <SIP/6214-00000045> Playing 'silence/1.ulaw' (language 'en')
[2012-07-20 20:08:18] VERBOSE[10142] file.c: -- <SIP/6214-00000045> Playing 'cannot-complete-as-dialed.ulaw' (language 'en')
[2012-07-20 20:08:21] VERBOSE[10142] file.c: -- <SIP/6214-00000045> Playing 'check-number-dial-again.ulaw' (language 'en')
[2012-07-20 20:08:23] VERBOSE[10142] pbx.c: -- Executing [0014042605391@from-internal:7] Wait("SIP/6214-00000045", "1") in new stack
[2012-07-20 20:08:24] VERBOSE[10142] pbx.c: -- Executing [0014042605391@from-internal:8] Congestion("SIP/6214-00000045", "20") in new stack
[2012-07-20 20:08:24] WARNING[10142] channel.c: Prodding channel 'SIP/6214-00000045' failed
[2012-07-20 20:08:24] VERBOSE[10142] pbx.c: == Spawn extension (from-internal, 0014042605391, 8) exited non-zero on 'SIP/6214-00000045'
[2012-07-20 20:08:24] VERBOSE[10142] pbx.c: -- Executing [h@from-internal:1] Hangup("SIP/6214-00000045", "") in new stack
[2012-07-20 20:08:24] VERBOSE[10142] pbx.c: == Spawn extension (from-internal, h, 1) exited non-zero on 'SIP/6214-00000045'

What do I need to do to stop this?

Mark.
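The registration line in the log above is the one worth watching for. The following is an added example, not code from the original post: it parses Asterisk "Registered SIP" lines and flags any registration whose source address is outside the networks your phones are expected to live on. The log lines other than the one quoted in the post, and the 192.168.1.0/24 range, are constructed assumptions.

```python
import re
import ipaddress

# Matches the registration line chan_sip writes to the full log, e.g.
#   [2012-07-20 20:08:15] VERBOSE[2954] chan_sip.c: -- Registered SIP '6214' at 37.8.29.64:10966
REGISTER_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] VERBOSE\[\d+\] chan_sip\.c:.*Registered SIP '(?P<ext>[^']+)' "
    r"at (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)


def parse_registrations(lines):
    """Yield (timestamp, extension, source IP) for every SIP registration found."""
    for line in lines:
        m = REGISTER_RE.search(line)
        if m:
            yield m.group("ts"), m.group("ext"), ipaddress.ip_address(m.group("ip"))


def foreign_registrations(lines, allowed_cidrs):
    """Return registrations whose source IP is outside every allowed network."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    hits = []
    for ts, ext, ip in parse_registrations(lines):
        if not any(ip in n for n in nets):
            hits.append((ts, ext, str(ip)))
    return hits


# Constructed sample log: the line from the original post plus two made-up LAN registrations.
SAMPLE_LOG = [
    "[2012-07-20 20:05:01] VERBOSE[2954] chan_sip.c:   -- Registered SIP '6201' at 192.168.1.20:5060",
    "[2012-07-20 20:08:15] VERBOSE[2954] chan_sip.c:   -- Registered SIP '6214' at 37.8.29.64:10966",
    "[2012-07-20 20:08:16] VERBOSE[2954] netsock2.c: == Using SIP RTP TOS bits 184",
    "[2012-07-20 20:09:40] VERBOSE[2954] chan_sip.c:   -- Registered SIP '6202' at 192.168.1.21:5060",
]
# Assumed: phones live on 192.168.1.0/24; replace with your own phone and provider ranges.
ALLOWED = ["192.168.1.0/24"]

if __name__ == "__main__":
    for ts, ext, ip in foreign_registrations(SAMPLE_LOG, ALLOWED):
        print(f"{ts}: extension {ext} registered from outside allowed ranges: {ip}")
```

Run it against /var/log/asterisk/full from cron to get an early warning instead of finding out from the call detail records.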

Registered SIP '6214' at 37.8.29.64 . . .

Diagnose who the guy is . . . .

whois 37.8.29.64

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '37.8.0.0 - 37.8.63.255'

inetnum: 37.8.0.0 - 37.8.63.255
netname: HBSAGAZA
descr: Hadara Gaza BSA
country: PS
admin-c: JT3488-RIPE
admin-c: WK4085-RIPE
tech-c: HT1472-RIPE
status: Assigned PA
mnt-by: Palnet-mnt
source: RIPE # Filtered

person: Hadara Tech
address: RaMallah
phone: +97022403434
nic-hdl: HT1472-RIPE
mnt-by: palnet-MNT
source: RIPE # Filtered

person: Jamal Taweel
address: Hadara Technologies
phone: +9702403434
nic-hdl: JT3488-RIPE
mnt-by: Palnet-mnt
source: RIPE # Filtered

person: Walid Kassab
address: Palestinian Internet Services
address: P. O. BOX 5111 Gaza City, Palestine
phone: +972 8 284 3197
fax-no: +972 8 284 3187
nic-hdl: WK4085-RIPE
mnt-by: PIS-MNTNER
source: RIPE # Filtered

% Information related to '37.8.16.0/20AS15975'

route: 37.8.16.0/20
descr: sub-route 1.2 - BSA-GAZA
origin: AS15975
mnt-by: palnet-mnt
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.19 (WHOIS1)

Your extension 6214 has been compromised, the Palestinian cluster knows it!! CHANGE THAT PASSWORD!!!

These Palestinians are a pain in the ass, they are relentless.

I suggest you deploy a firewall and deny 37.0.0.0/8 for that particular attack.

But wait until tomorrow and they will come from somewhere else, so add:

83.0.0.0/8
172.0.0.0/8
173.0.0.0/8
176.0.0.0/8
188.0.0.0/8
. . . . .

(all brutal, battle-axe thinking, networks that host that wasp's nest)

to your armor.

(these are just the latest few networks that attack my systems)

CSF is one simple-to-deploy firewall that can also help: only allow UDP/TCP (if you need it) on 5060 from your known users and providers. Better yet, don't use 5060; there are about 64000 other choices :wink:

Use a log watcher like fail2ban with an up-to-date set of regexes for your chosen Asterisk.

But if you use both, then make sure your firewall's iptables honors your log-watcher's tables as well.

If you suspect your extensions/passwords have been previously compromised (and here I suggest you have indeed been penetrated (ouch! that hurts)), then go back to all the stuff about security that you perhaps didn't read the first time around :wink:

regards

dicko

P.S. These attacks always start with access to your web server on port 80 and/or 443; if there is a hole in it then THEY WILL GET IN! Protect it in the same way as you should protect your SIP access.

edit

Please understand that this is not a political POV; you will also be attacked by hosts in Eastern Europe, Southern Asia, particularly Chinese universities, but also compromised machines in Comcast and Verizon networks. Caveat Implementor always. . .

Anybody who cares, just check the preliminary accesses in the /var/log/(apache2/httpd)/* logs before they get you . . . . Actually, if you care, you should be checking those logs all the time anyway :slight_smile: .

Thanks.

Is there any way I can restrict access to extensions only in my own IP range, rather than trying to lock out all others?

Mark.

I have changed all passwords for extensions now, as well as the password to my VoIP provider (just in case). I have also changed the web login password. I have this available from the outside world on port 88, but I only switch it on when I need it externally. I can only imagine I must have left it available from the net at some point.
Yikes!

I am looking into a better firewall, but hope the passwords are good enough for now.

Thanks.

Sorry, passwords are not good enough; tools like SIPVicious exploit many other "holes" in Asterisk/the SIP protocol.

> Is there any way I can restrict access to extensions only in my own IP range, rather than trying to lock out all others?

Logically that sounds like the same thing to me ;-). If you choose CSF it's very easy: don't allow 5060, but allow your IP address ranges for phones and providers. The same concept applies to any other firewall.

Actually, you want to add allow lines with the permitted networks/traffic, then do an IP deny any any.

If you are not comfortable with the Linux-based firewalls, use an external one.

Do you like Cisco? You can pick up a PIX running ASA code for under $200. Also, Juniper NetScreen devices are at giveaway prices on the secondary market, and they also have a very simple web-based policy editor.

In the FreePBX SIP extension configuration:
deny 0.0.0.0/0.0.0.0
permit your_own_IP_range/your_own_netmask
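The order of those two lines matters. This added example (not from the thread or from FreePBX) models how Asterisk evaluates a SIP peer's deny/permit list: with no rules, or no matching rule, the source is allowed, and when several rules match, the last one in config order decides. It accepts the dotted-netmask form used in sip.conf; the 192.168.1.0/24 LAN is an assumed value.

```python
import ipaddress


def parse_acl_entry(value):
    """Parse an Asterisk-style 'addr/mask', where mask is dotted (255.255.255.0) or a prefix length."""
    addr, _, mask = value.partition("/")
    if not mask:
        mask = "32"  # a bare address means a single host
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def apply_acl(rules, source):
    """
    rules: list of (sense, 'addr/mask') in the order they appear in the peer config.
    Models Asterisk's ACL walk: default allow, every rule is checked, last match wins.
    Returns "permit" or "deny".
    """
    ip = ipaddress.ip_address(source)
    result = "permit"  # no rules, or nothing matched, means the source is accepted
    for sense, value in rules:
        if ip in parse_acl_entry(value):
            result = sense
    return result


# Constructed rule sets (assumed LAN 192.168.1.0/24).
HARDENED = [("deny", "0.0.0.0/0.0.0.0"), ("permit", "192.168.1.0/255.255.255.0")]
PERMIT_ONLY = [("permit", "192.168.1.0/255.255.255.0")]          # missing the deny-all
REVERSED = [("permit", "192.168.1.0/255.255.255.0"), ("deny", "0.0.0.0/0.0.0.0")]  # wrong order

if __name__ == "__main__":
    for name, rules in (("hardened", HARDENED), ("permit-only", PERMIT_ONLY), ("reversed", REVERSED)):
        for src in ("192.168.1.20", "37.8.29.64"):
            print(f"{name:12s} {src:15s} -> {apply_acl(rules, src)}")
```

The permit-only set still accepts the foreign 37.8.29.64 registration, and the reversed set locks out your own phones, which is why deny must come first and permit second.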

my turn for huh? :wink:

In CSF (easy to use and understand) iptables is abstracted to a human-understandable format; it is comfortable to use and costs less than $200.

I suggested that nothing is allowed but traffic from your known hosts.

That way /recordings and SIP will only work from those hosts (no VPN or other machinations needed).

Deny /admin and other places as you see fit, but really the CSF rules are very easy to understand and implement, and come with a web-based editor also (Webmin); they also have a cellphone-based quickie allow/deny for when your rules are disobeyed. That is worth more than 200 dollars for anyone who ever got hit and didn't know it for a few hours :-)

The problem with any firewall, truly, is that many users implement a permissive policy from the beginning, which will often hurt. I am suggesting that one denies everything from anybody (but yourself) first, then opens up pinholes to suit.

Who would like to form a Kickstarter and hire an ex-Mossad team in Israel to find these guys and make an example of them? I'm serious about this. I want revenge.

I updated a blacklist/whitelist script to suit my needs that I'm willing to share:

#!/bin/bash
# Rebuild the WHITELIST and BLACKLIST iptables chains from two files,
# one IP address or CIDR block per line.

WHITELIST=/root/iptables/IP_Whitelist.db
BLACKLIST=/root/iptables/IP_Blacklist.db
#ALLOWED="22 80 3306"

# Ports used:
# 22 - SSH
# 80 - HTTP
# 3306 - MySQL

# Flush existing Blacklist & Whitelist.
# On the very first run the chains do not exist yet, so these commands
# are expected to fail; the errors are silenced.
iptables -D INPUT -j WHITELIST 2>/dev/null
iptables -D INPUT -j BLACKLIST 2>/dev/null
iptables -F BLACKLIST 2>/dev/null
iptables -F WHITELIST 2>/dev/null
iptables -X BLACKLIST 2>/dev/null
iptables -X WHITELIST 2>/dev/null

# Allow ALL traffic from hosts in $WHITELIST.
# The chain is inserted at position 1 so whitelisted hosts are checked
# before anything else in INPUT.
iptables -N WHITELIST
iptables -I INPUT 1 -j WHITELIST
while read -r x; do
    [ -z "$x" ] && continue        # skip blank lines
    echo "Permitting $x..."
    iptables -A WHITELIST -s "$x" -j ACCEPT
done < "$WHITELIST"

# Block all traffic from IP ranges in $BLACKLIST.
# Inserted at position 2, i.e. evaluated right after the whitelist.
iptables -N BLACKLIST
iptables -I INPUT 2 -j BLACKLIST
while read -r x; do
    [ -z "$x" ] && continue
    echo "Blocking $x..."
    iptables -A BLACKLIST -s "$x" -j DROP
done < "$BLACKLIST"

# Allow specific ports in $ALLOWED for trusted hosts (disabled by default).
#for port in $ALLOWED; do
#    echo "Accepting port $port..."
#    iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
#done

Just drop this code in a file and put it in /root/iptables/. In that same folder, put files called IP_Blacklist.db and IP_Whitelist.db. In those db files enter the IPs you want to block or whitelist, each one on a new line. If it's a range, just use the appropriate CIDR for that block.

You could just drop a link to the script in /etc/cron.hourly to run that file hourly and update your iptables.