Hacking attempts on older Freepbxdistro, not on newer

Hi Freepbx,

We have about 20 hosted FreePBX distros running.
I also use htaccess to allow only Dutch IP addresses for the web interface.
Now we have strange outbound calls (a lot) on 3 older systems with Asterisk <=1.8.9
and one Elastix with Asterisk 1.6.x.
I cannot find out why only on these systems. The only thing they had in common was that they had a FOP1 panel (now disabled). Also all "allow guest sip" is turned off.
What could be the reason that the newer distros with FreePBX 2.10 are not under attack?
I can only point out the older Asterisk versions in combination with the old FOP.
I am now looking for a script to allow only Dutch IP addresses to register a SIP device (I think that is the best solution), unless you have some tips.

Many thanks in advance

Do you have iptables and/or fail2ban running on the old systems? If not, you could look at setting up some iptables rules to only allow port 5060/UDP access from the ranges of Dutch IP addresses and use fail2ban to prevent repeated hacking attempts. There is a lot of discussion on the PBX in a Flash forums on iptables setup and fail2ban, as they are pretty hot on Asterisk/FreePBX security over there.

Thanks Lee,

I adjusted a script from nerdvittles [http://nerdvittles.com/?p=639] with Dutch IP addresses in MySQL, and it checks every minute or 5 minutes if a device is registered with a Dutch IP; if not, it will add a deny rule in iptables and send you an email for info.
All automated through a cronjob.
A quite easy click-and-play script with very little overhead needed.
If interested, I can mail the script with a manual.

A complete easy alternative solution I cannot find. A lot of discussions, but no easy solutions.
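A minimal version of that check, written as an added example for this thread (it is not Bas's script nor the nerdvittles one): it parses a constructed `sip show peers` listing, flags registered peers whose address falls outside an allow-list of CIDR ranges, and builds the iptables DROP rules a cron job would apply. The Dutch ranges and the MySQL lookup from the post are assumed and replaced by a constructed allow-list.

```python
#!/usr/bin/env python3
"""Flag SIP peer registrations from outside an allow-list of address ranges.

Added example for this thread, not the poster's script. Assumes the peer
listing comes from `asterisk -rx "sip show peers"` (a constructed sample is
embedded below) and that the allowed ranges are CIDR prefixes; the Dutch
ranges the post keeps in MySQL are replaced here by a constructed list.
"""
import ipaddress
import re

# Constructed sample of `sip show peers` output (documentation addresses only).
SAMPLE_PEERS = """\
Name/username             Host                                    Dyn Forcerport ACL Port     Status
201/201                   192.168.1.21                             D   N      A  5060     OK (12 ms)
202/202                   (Unspecified)                            D   N      A  0        UNKNOWN
203/203                   203.0.113.45                             D   N      A  5060     OK (250 ms)
trunk-out                 198.51.100.7                                 N         5060     OK (30 ms)
4 sip peers [Monitored: 3 online, 1 offline Unmonitored: 0 online, 0 offline]
"""

# Constructed allow-list; in production load the real Dutch ranges instead.
ALLOWED_RANGES = ["192.168.0.0/16", "198.51.100.0/24"]

# Peer name, then an IPv4 host; the header line and "(Unspecified)" peers do not match.
PEER_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s")


def parse_peers(text):
    """Return (peer_name, ip_address) for every peer with a resolved host."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            peers.append((m.group(1), ipaddress.ip_address(m.group(2))))
    return peers


def find_foreign(peers, allowed):
    """Peers whose address is in none of the allowed CIDR ranges."""
    nets = [ipaddress.ip_network(r) for r in allowed]
    return [(name, ip) for name, ip in peers if not any(ip in net for net in nets)]


def iptables_rules(foreign):
    """Build (not execute) a DROP rule for each offending source address."""
    return ["iptables -I INPUT -s %s -p udp --dport 5060 -j DROP" % ip for _, ip in foreign]


if __name__ == "__main__":
    # A cron job would run the rules and mail this list instead of printing it.
    for rule in iptables_rules(find_foreign(parse_peers(SAMPLE_PEERS), ALLOWED_RANGES)):
        print(rule)
```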

The strange thing is that the old PBXs are set up the same as the new ones, with iptables and fail2ban. Now I updated one PBX to a new distro with Asterisk 1.8.18 and the hacking stopped. All passwords and settings are still the same.

What is the nature of these calls on the old boxes? Do they look like calls from a SIP extension to an external number or something else?

Hi Lee,

Yes, that is correct. Between 1:00 and 5:00 am Dutch time there is (I think a PBX) registered on an extension that starts calling Turkey, India, etc.

The only thing I can find is in httpd log:
74.63.232.110 - - [24/Dec/2012:05:38:02 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 307 "-" "-"
77.68.41.217 - - [24/Dec/2012:10:58:56 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 307 "-" "-"
85.214.67.198 - - [24/Dec/2012:11:17:17 +0100] "GET /w00tw00t.at.ISC.SANS.Win32:) HTTP/1.1" 400 307 "-" "-"
87.211.98.228 - - [24/Dec/2012:14:29:13 +0100] "GET / HTTP/1.1" 403 1043 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"

This is what I found on all three old PBXs that were hacked.

I take it that you had indication of calls occurring at the same time in the Asterisk log?

Yes, that is correct.
As another security measure I set outbound channels from 0 to 2 channels on the trunk and devices.
Also, calls could not be made because of an RTP retransmission error.
As we are also a VoIP provider with a billing platform, I saw a lot of calls made from these older FreePBX distros; that is why I started to look further.

Are your older systems using FreePBX 2.9, and if so, are they fully updated to the latest 2.9 of FreePBX?

Hi Tony,

I had:
1 - Distro FreePBX 2.9 with Asterisk 1.8.7 (not the latest)
2 - Distro FreePBX 2.9 with Asterisk 1.8.9 (with latest update)
3 - Elastix 2.0 with Asterisk 1.6.?

All three suffered hacking.
All PBXs with FreePBX 2.10 and Asterisk > 1.8.10 had no problems.

Well 2.9 had security exploits at one time. My guess is they are looking for those to get in or got in through that.

That is why I asked if the 2.9 modules were all updated to latest.

I know that security issue; you nicely noted it in the updates overview.
But as far as I can see that was to crash some stuff.

For now nobody from countries other than the Netherlands can call out with my new little script. And if they do, they get permanently blocked after a minute.

Bas,

The script sounds very interesting. Any chance of having a copy to look at?

Thanks,

Lee

Yes, of course.
Email me at [email protected]