Hacked System

I agree on the Linksys. When I failed on the MikroTik VPN, this was already on site and worked. On the other site I have an Edgewater and will be replacing the Linksys with one as well. MikroTik had a big exploit 7 or 8 months ago.

My guess is they accessed the system via HTTP with some sort of PHP vulnerability. You probably had HTTP access either on port 80 or on another HTTP port without source port forwarding.

Although with this hack you can't be sure whether someone just hacked into your GUI and put the malicious dial plan into extensions_custom.conf, or whether your server got infected with code that will keep regenerating this dial plan (if, e.g., you had SSH open as well).
If the latter, things won't be solved by locking down the ports after it has happened.

Hmm, maybe the Linksys was hacked. That would allow access through port 80.

avayax, point taken. I may want to rebuild this from the ground up.

Thanks for all of your replies. I am fairly new to this forum and it is great to have the support. I hope I can be of help myself in the future.

So did about every router maker last year. That whole FBI report about 500,000 routers being open. Numerous router makers have had exploits; you are failing to note that in all of those cases MikroTik had already caught the issues and resolved them. Also, many of those vulns were based on things that should never have been opened to the public to start with. So while there were exploits that did need to be fixed, many of those impacted by them were already running their setups wrong and had things exposed that they shouldn't have.

Again, what is your current setup overview?

I have a two-site setup. Site A, where the server is located, uses the Linksys router. I use port forwarding for the phone registration and the administrative access. I do not have port forwarding for SSH. I use a nonstandard port for the admin access that is port forwarded to port 80 on the inside. I use a port other than 5060 for registration. The second site has an Edgewater router that has no port forwarding enabled. 8 phones on each side.

I use fairly strong passwords on all that I have set.

OK, so you have a PBX hosted somewhere? Where is that, because this is sounding like there is a lot of NAT involved. I take it Site B is the client side where their phones are, correct?

The client has two locations. The PBX is hosted at location A with 8 phones, and location B with 8 phones registers back to location A.

What ports do you have forwarded to the PBX, and are they publicly accessible?

Hi.

Make sure your server is up to date, because if you never update, you expose your server whenever there are security issues in Asterisk, FreePBX, MySQL, PHP, etc.
Read this link for more information:
https://wiki.freepbx.org/display/FOP/List+of+Securities+Vulnerabilities

Next, maybe you could improve the firewall rules and accept only trusted IP addresses, rejecting all others.
If you only have a SIP trunk with your ISP, then accept only that one.
If you have remote extensions, prefer to use a VPN, for example OpenVPN over UDP.
Don't hesitate to set permit/deny for each extension and trunk.

If you have no need for a port forward, don't forward it.

To know whether your public IP address is already known: https://www.shodan.io/
Also, you can replace the useragent data with something else, for example IPBX or whatever.
Sip Settings / Chan Sip Settings
useragent=a_name
If a hacker tries to find all FreePBX servers and makes a list for potential attacks, your server might not be in it.

I’ve had some Linksys routers, and with DD-WRT it’s better than the original firmware.

Just an idea like that.

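The permit/deny advice in the post above is easy to get backwards, so here is an added example (not code from the thread, FreePBX or Asterisk) that models how chan_sip evaluates a peer's permit/deny lines. It assumes the semantics Asterisk documents: rules are checked in the order written, the last matching rule decides, and an address that matches nothing is allowed. The peer definitions and addresses are constructed for the example.

```python
import ipaddress

# Assumed Asterisk ACL semantics (see lead-in): ordered rules, last match
# wins, default allow when no rule matches. Masks may be written either as
# a dotted netmask ("/255.255.255.0") or a prefix length ("/24").


def parse_rule(rule):
    """'permit=192.168.1.0/255.255.255.0' -> ('permit', IPv4Network)."""
    sense, _, spec = rule.partition("=")
    sense = sense.strip().lower()
    if sense not in ("permit", "deny"):
        raise ValueError(f"unknown sense in rule {rule!r}")
    addr, _, mask = spec.strip().partition("/")
    if not mask:
        mask = "32"  # bare address means a single host
    # ipaddress accepts both a prefix length and a dotted netmask after '/'
    return sense, ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def acl_allows(rules, address):
    """Return True if `address` passes the ordered permit/deny `rules`."""
    ip = ipaddress.ip_address(address)
    decision = "permit"  # assumption: nothing matched -> allowed
    for rule in rules:
        sense, net = parse_rule(rule)
        if ip in net:
            decision = sense  # last matching rule wins
    return decision == "permit"


# Constructed peer definitions for the two situations the post describes:
# a trunk that should only talk to the ITSP, and a remote extension that
# should only register from the branch office (or over the VPN).
PEERS = {
    "itsp-trunk": ["deny=0.0.0.0/0.0.0.0", "permit=203.0.113.0/255.255.255.0"],
    "1001": ["deny=0.0.0.0/0.0.0.0", "permit=198.51.100.7/255.255.255.255"],
    # Same intent as 1001 but written in the wrong order: the trailing
    # deny matches everything and wins, so nobody can register.
    "1002-misordered": ["permit=198.51.100.7/32", "deny=0.0.0.0/0"],
    "1003-open": [],  # no ACL at all: any source address is accepted
}


def check_peer(peer, source_ip):
    """Decide whether `source_ip` may reach `peer` under PEERS' rules."""
    return acl_allows(PEERS[peer], source_ip)


if __name__ == "__main__":
    for peer in PEERS:
        for src in ("203.0.113.9", "198.51.100.7", "192.0.2.200"):
            print(f"{peer:16} from {src:15} -> {'allow' if check_peer(peer, src) else 'deny'}")
```

The "1002-misordered" entry is the pitfall worth remembering: because the last matching line wins, a blanket deny must come first and the specific permit lines after it.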

Thank you Frank. This is what I was looking for.

You are Welcome :wink:

Hmm, I forgot.
Additionally, if you open port 65060 to 5060 over UDP, that doesn't protect against SIP attacks.
There are several tools that can scan a range of ports on any IP address and send SIP requests, or detect what service is behind a port (telnet, HTTP, SSH, etc.).
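To make the point above concrete, here is an added example (not code from the thread or from any scanner the post alludes to) of what such a tool does: it sends a SIP OPTIONS request to an arbitrary port and reads the User-Agent or Server header from whatever replies, so forwarding 65060 instead of 5060 hides nothing. It also shows why the earlier useragent= advice helps. The two replies are constructed for the example, and the assumption is that a default FreePBX install answers with a User-Agent beginning "FPBX-".

```python
import random
import socket
import string


def build_options(host, port, local_host="192.0.2.10", local_port=5060):
    """Build a minimal RFC 3261 SIP OPTIONS request as bytes."""
    hexchars = "0123456789abcdef"
    tag = "".join(random.choices(hexchars, k=8))
    branch = "z9hG4bK" + "".join(random.choices(hexchars, k=12))
    call_id = "".join(random.choices(hexchars, k=16))
    lines = [
        f"OPTIONS sip:{host}:{port} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_host}:{local_port};branch={branch};rport",
        f"From: <sip:probe@{local_host}>;tag={tag}",
        f"To: <sip:{host}:{port}>",
        f"Call-ID: {call_id}@{local_host}",
        "CSeq: 1 OPTIONS",
        f"Contact: <sip:probe@{local_host}:{local_port}>",
        "Max-Forwards: 70",
        "Accept: application/sdp",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def fingerprint_response(raw):
    """Return (status_code, agent) from a SIP response.

    `agent` is the User-Agent header, falling back to Server, or None when
    the peer sends neither. (None, None) means it was not a SIP reply at all.
    """
    text = raw.decode(errors="replace")
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("SIP/2.0 "):
        return None, None
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers.get("user-agent") or headers.get("server")


def looks_like_freepbx(agent):
    """Assumption: an untouched FreePBX answers with a User-Agent of FPBX-<ver>(<ast ver>)."""
    return bool(agent) and agent.upper().startswith("FPBX-")


def probe(host, port, timeout=2.0):
    """Live version: one OPTIONS over UDP to host:port, then fingerprint the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_options(host, port), (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None, None
    return fingerprint_response(data)


# Constructed replies: a stock FreePBX banner versus one renamed with useragent=.
SAMPLE_DEFAULT = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK0123456789ab;received=192.0.2.10;rport=5060\r\n"
    b"From: <sip:probe@192.0.2.10>;tag=deadbeef\r\n"
    b"To: <sip:198.51.100.1:65060>;tag=as1f2e3d4c\r\n"
    b"Call-ID: 0011223344556677@192.0.2.10\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"User-Agent: FPBX-14.0.13(13.29.2)\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_RENAMED = SAMPLE_DEFAULT.replace(b"FPBX-14.0.13(13.29.2)", b"IPBX")

if __name__ == "__main__":
    for label, reply in (("default", SAMPLE_DEFAULT), ("renamed", SAMPLE_RENAMED)):
        status, agent = fingerprint_response(reply)
        print(f"{label}: status={status} agent={agent!r} freepbx={looks_like_freepbx(agent)}")
```

The live `probe()` helper is there for completeness; the renamed banner still tells a scanner that *a* SIP service is listening (it answered 200 OK), it just no longer advertises the product, which is exactly the limit of what useragent= buys you.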
