If you are in New Zealand you might want to read this

Hi guys, if you are in New Zealand you might want to read this.

Currently there is a big hacking attempt going on where unscrupulous people are hacking into Asterisk-based systems and then dialling numbers in up to 3 different countries.
OK, all going well you have locked your systems down and this won't be an issue, but here is what we have experienced and it's probably worth checking out just in case.

The numbers being dialled start with either 0025, 0026 or 004.
The latter is a bit of a pain as that covers parts of Europe, but 0025 and 0026 are Ethiopia and Zimbabwe.

We found out about this for a client who uses our software, which interfaces with Asterisk. They had just upgraded to Windows 7 and there were a few issues we needed to help sort out. One of the issues was related to a COM port, as our software can use a COM port to get CDR data.
I noticed this call for $40+ and thought, hmm. I did a bit more digging and found 647 calls to 0025 and 0026!!! This, BTW, was in a period of 5 days too.
Most of the calls were around the 20 min mark. The customer could not understand why their lines were all tied up. Just to mention, we didn't put in their phone system, but we know our way around TB well enough to help etc.
We turned on call recording, and these numbers were calling what seemed like a lottery place. The more minutes you spend on the call, the more chances to enter the draw, sort of thing.
Anyway, the guy who looks after the phone system finally locked it down, and the damage to the client was $10k in calls!!! They were told by their phone provider that someone else had been taken for over $100K!!!
I got a bit worried myself and took a look at my system, since I have the ports open for when I am away so I can use my PABX to make calls etc. Fortunately, whilst I had in fact been hit 6 times that very day, I had closed the outgoing ports on my router… PHEW!!! Now the incoming are blocked too!!

We also got contacted by yet another client who uses our software, to see if we could build an alerting system into our software, as they had also been hit. However, this time their telco, which is Telecom, actually RANG them and told them, blocked toll calls until it's sorted… and… waived the charges. 10 points to Telecom, 0 points to the other telco provider starting with “T” who waited till the customer rang them and then told the customer they had known about it for 31 days… hmmmm.

So, long story short, if you're in NZ, check your CDR logs to make sure you're not getting hit. This whole process is automated too. They use all but one line when they are doing it, and when you listen to the messages, you can hear an automated voice reading out a code at the beginning.
So I hope this helps people!!
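The "check your CDR logs" advice above can be scripted. The following is an added example for this thread, not code from the original poster or from Asterisk: it reads an Asterisk cdr_csv Master.csv (the 18-field layout is assumed to be the stock one; compare against your own file), groups calls by the prefixes named in the post and reports per prefix how many attempts, how many answered, how many minutes were billed and which extensions placed them. The CDR records embedded in it are constructed, with fictitious numbers; 0025 and 0026 alert on a single call, while 004 gets a higher threshold because it also covers legitimate European destinations.

```python
"""Scan an Asterisk cdr_csv Master.csv for calls to the prefixes named in the post.

Added example for this thread, not code from the original post or from Asterisk.
Assumes the standard 18-field cdr_csv layout; the sample records are constructed.
"""
import csv
import io

# Assumed cdr_csv field order (Asterisk's cdr_csv module); check it against your own Master.csv.
CDR_FIELDS = [
    "accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
    "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
    "disposition", "amaflags", "uniqueid", "userfield",
]

# Prefixes reported in the post -> number of attempts in the file before alerting.
# 0025/0026 reach East and Southern Africa; 004 also covers legitimate European
# destinations, so it only alerts on volume.
SUSPECT_PREFIXES = {"0025": 1, "0026": 1, "004": 10}

# Constructed sample records (not real CDRs). Numbers and channel names are fictitious.
SAMPLE_CDR = '''\
"","201","0025191234567","from-internal","""Sales"" <201>","SIP/201-00000a1","SIP/trunk-00000a2","Dial","SIP/trunk/0025191234567,60","2010-01-10 02:13:05","2010-01-10 02:13:11","2010-01-10 02:33:20","1215","1209","ANSWERED","DOCUMENTATION","1263086585.161",""
"","201","0025191234567","from-internal","""Sales"" <201>","SIP/201-00000a3","SIP/trunk-00000a4","Dial","SIP/trunk/0025191234567,60","2010-01-10 02:13:07","2010-01-10 02:13:14","2010-01-10 02:34:01","1254","1247","ANSWERED","DOCUMENTATION","1263086587.163",""
"","203","0026371234567","from-internal","""Sales"" <203>","SIP/203-00000a5","SIP/trunk-00000a6","Dial","SIP/trunk/0026371234567,60","2010-01-10 02:13:09","","2010-01-10 02:13:40","31","0","NO ANSWER","DOCUMENTATION","1263086589.165",""
"","105","0041441234567","from-internal","""Alice"" <105>","SIP/105-00000b0","SIP/trunk-00000b1","Dial","SIP/trunk/0041441234567,60","2010-01-11 10:02:00","2010-01-11 10:02:08","2010-01-11 10:06:30","270","262","ANSWERED","DOCUMENTATION","1263200520.201",""
"","105","093791234","from-internal","""Alice"" <105>","SIP/105-00000b2","SIP/trunk-00000b3","Dial","SIP/trunk/093791234,60","2010-01-11 11:15:00","2010-01-11 11:15:04","2010-01-11 11:18:00","180","176","ANSWERED","DOCUMENTATION","1263204900.210",""
'''


def parse_cdr(text):
    """Parse Master.csv text into dicts keyed by CDR_FIELDS; blank or truncated rows are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < 15:
            continue
        rows.append(dict(zip(CDR_FIELDS, rec)))
    return rows


def summarize_by_prefix(rows, prefixes=SUSPECT_PREFIXES, dial_prefix=""):
    """Per suspect prefix: attempts, answered calls, billed minutes, longest call, callers, destinations.

    dial_prefix strips an outside-line digit (e.g. "9") that some dial plans leave in dst.
    """
    summary = {}
    for row in rows:
        dst = row["dst"]
        if dial_prefix and dst.startswith(dial_prefix):
            dst = dst[len(dial_prefix):]
        for prefix in prefixes:
            if not dst.startswith(prefix):
                continue
            s = summary.setdefault(prefix, {
                "attempts": 0, "answered": 0, "minutes": 0.0, "longest_sec": 0,
                "sources": set(), "destinations": set(),
            })
            billsec = int(row["billsec"] or 0)
            s["attempts"] += 1
            if row["disposition"] == "ANSWERED":
                s["answered"] += 1
                s["minutes"] += billsec / 60.0
            s["longest_sec"] = max(s["longest_sec"], billsec)
            s["sources"].add(row["src"])
            s["destinations"].add(dst)
            break  # a number matches at most one prefix
    return summary


def alerts(summary, thresholds=SUSPECT_PREFIXES):
    """Human-readable lines for prefixes at or above their threshold, most billed minutes first."""
    hits = [(p, s) for p, s in summary.items() if s["attempts"] >= thresholds.get(p, 1)]
    hits.sort(key=lambda ps: ps[1]["minutes"], reverse=True)
    return [
        f"{p}: {s['attempts']} attempts, {s['answered']} answered, {s['minutes']:.1f} min billed, "
        f"longest {s['longest_sec']} s, from extensions {sorted(s['sources'])} "
        f"to {len(s['destinations'])} number(s)"
        for p, s in hits
    ]


if __name__ == "__main__":
    import sys
    # Usage: python cdr_scan.py /var/log/asterisk/cdr-csv/Master.csv  (sample data if no file given)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CDR
    for line in alerts(summarize_by_prefix(parse_cdr(text))) or ["no suspect prefixes found"]:
        print(line)
```

Run it against the live Master.csv (on a PBX in a Flash or Trixbox box that is usually /var/log/asterisk/cdr-csv/Master.csv), and look at the "sources" list as well as the totals: the post describes the same few extensions placing back-to-back 20-minute calls at night, so a single extension with dozens of answered calls to one prefix is the pattern to expect, even before the bill arrives.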

There’s a pretty good security thread going on over at the PBX in a Flash forums. This is a topic that we as a community need to address in order to secure our PBXs. It would be nice to know how they hacked the system. To start, the Weak Password detection module should be a mandatory install.

I agree that using weak secrets when the system is exposed to the Internet is an issue. It’s also an amateur mistake. You can do much more harm in the trunk section if you set up a trunk in the from-internal context.

It needs to be simple to turn off these protections. Many FXS gateways want simple SIP calls with no registration or secret. I have to hack the database to make these work. We need a way to turn off the protection for users who know the repercussions.

I have a ticket open on this feature. I hope it makes it into 2.8.

http://www.freepbx.org/trac/ticket/4130
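The two preceding posts describe the same configuration from both sides: a trunk or gateway entry that accepts unauthenticated INVITEs is dangerous only because of the context it lands in. The sip.conf fragment below is an added example, not configuration from either poster or from FreePBX; it shows the weak form next to a hardened one for a secret-less FXS gateway. It assumes FreePBX's from-trunk inbound context (from-pstn on older installs) and uses 192.0.2.10 as a placeholder address for the gateway; on FreePBX the [general] keys would go in sip_general_custom.conf rather than being edited in place.

```ini
; ---- Weak: unauthenticated INVITEs reach the toll-capable dial plan ----
; Anyone who can reach UDP 5060 and sends an INVITE (guest, or one that matches
; the secret-less gateway peer) gets from-internal, i.e. the outbound routes.
[general]
allowguest=yes             ; INVITEs matching no peer are accepted as guests
context=from-internal      ; ...and guests land in the internal context

[fxs-gateway]
type=friend
host=dynamic               ; any address may claim to be the gateway
context=from-internal      ; gateway calls can dial out through the trunks
insecure=port,invite       ; no authentication on inbound INVITE

; ---- Hardened: the gateway still needs no secret, but cannot reach toll routes ----
[general]
allowguest=no              ; drop INVITEs that match no peer
alwaysauthreject=yes       ; same rejection whether or not the username exists
context=from-trunk         ; default context has no outbound routes (assumed FreePBX layout)

[fxs-gateway]
type=peer
host=192.0.2.10            ; fixed address of the gateway (placeholder)
context=from-trunk         ; may ring extensions, may not dial out
insecure=port,invite       ; unauthenticated INVITE is still accepted...
deny=0.0.0.0/0.0.0.0
permit=192.0.2.10/255.255.255.255   ; ...but only from the gateway's own address
```

The point of the second half is that "turn off the protection" does not have to mean "turn off all protection": a fixed host plus a permit list replaces the secret the gateway cannot send, and the context keeps whatever does get through away from the outbound routes. Reload with `sip reload` and confirm with `sip show peers` that the gateway shows a fixed address rather than (Unspecified).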

I agree with SkyKingOH. I learned by installing Asterisk from source on a test network, reading O’Reilly from cover to cover, spending a lot of time reading through the forums and looking through countless user- and security-related blog posts. It took over 18 months of screwing around on a regular basis before I felt comfortable installing Asterisk in a production network, and even then I worked with Digium to make sure it was done right. All of this on top of 20 years of experience with networking and IT security.

It is so common for clients to come to me and say “we found some guy who charges half your rate” with no previous install experience, or “we just want you to do the install, then train Rich from Accounting to take over from there”. If they do, then no number of warnings or “security plugins” is going to protect your network from hacks and your PBX from toll theft. The install of such plugins and built-in security mechanisms will only provide a false sense of security and make those of us who want to do “interesting stuff” jump through hoops.

If a client was the subject of toll theft then there is something wrong with the client’s installation. This could be a provider issue, an Asterisk setting, network design or intrusion detection mechanism.

I just read this and started checking - we got a 12 sec SIP call from 212.36.7.124 (Amsterdam) 2 days ago, on our PIF system here in NZ - yet we don’t accept anonymous calls?? We have good passwords - what are we missing?

vespaman,
What log files did you check?
Also… that IP is not from Amsterdam, but Bulgaria!
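The question "what log files did you check?" is the right one: a short call in the CDR tells you a call got through, while the Asterisk log (/var/log/asterisk/full or messages, depending on logger.conf) records the registration attempts that came before it. The script below is an added example for this thread, not code from either poster or from Asterisk. It counts chan_sip registration failures per source address, the usernames each address tried and the reasons Asterisk gave, and flags addresses that walked through several usernames; the NOTICE line format is the Asterisk 1.4/1.6 chan_sip wording (assumed), and the log lines embedded in it are constructed with RFC 5737 documentation addresses, so substitute the address from the post when grepping a real log.

```python
"""Count chan_sip registration failures per source IP in an Asterisk log.

Added example for this thread, not code from the original posts or from Asterisk.
The NOTICE line format is the Asterisk 1.4/1.6 chan_sip wording (assumed); the
sample lines are constructed and use RFC 5737 documentation addresses.
"""
import re
from collections import Counter

# e.g. [Jan 10 02:12:58] NOTICE[2910] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '203.0.113.9' - Wrong password
# Newer releases append ":port" to the address; the optional group absorbs it.
REG_FAIL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '(?P<from>[^']*)' "
    r"failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$"
)
USERNAME = re.compile(r"<sip:([^@>]+)@")

# Constructed sample log (not a real capture). 203.0.113.9 walks through extensions
# 100-103 in a few seconds; 198.51.100.7 is a phone that mistyped its password once.
SAMPLE_LOG = """\
[Jan 10 02:12:58] NOTICE[2910] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '203.0.113.9' - Wrong password
[Jan 10 02:12:58] NOTICE[2910] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '203.0.113.9' - Wrong password
[Jan 10 02:12:59] NOTICE[2910] chan_sip.c: Registration from '"102" <sip:102@203.0.113.5>' failed for '203.0.113.9' - No matching peer found
[Jan 10 02:13:00] NOTICE[2910] chan_sip.c: Registration from '"103" <sip:103@203.0.113.5>' failed for '203.0.113.9' - No matching peer found
[Jan 10 02:13:02] NOTICE[2910] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '203.0.113.9' - Username/auth name mismatch
[Jan 10 09:41:10] NOTICE[2910] chan_sip.c: Registration from '"201" <sip:201@203.0.113.5>' failed for '198.51.100.7' - Wrong password
[Jan 10 09:41:20] VERBOSE[2910] logger.c:     -- Registered SIP '201' at 198.51.100.7 port 5060
"""


def failures_by_ip(text):
    """Per source IP: failure count, usernames tried, reasons given, first and last timestamp."""
    stats = {}
    for line in text.splitlines():
        m = REG_FAIL.match(line)
        if not m:
            continue  # not a registration failure (verbose lines, other NOTICEs, ...)
        r = stats.setdefault(m["ip"], {
            "failures": 0, "usernames": set(), "reasons": Counter(),
            "first": m["ts"], "last": m["ts"],
        })
        r["failures"] += 1
        u = USERNAME.search(m["from"])
        r["usernames"].add(u.group(1) if u else m["from"])
        r["reasons"][m["reason"]] += 1
        r["last"] = m["ts"]
    return stats


def likely_scanners(stats, min_failures=3, min_usernames=2):
    """Addresses that failed repeatedly AND tried more than one username: an enumeration, not a typo."""
    return sorted(
        ip for ip, r in stats.items()
        if r["failures"] >= min_failures and len(r["usernames"]) >= min_usernames
    )


def describe(stats, ip):
    """One-line summary for a given address, or None if it never failed to register."""
    r = stats.get(ip)
    if r is None:
        return None
    reasons = ", ".join(f"{n}x {why}" for why, n in r["reasons"].most_common())
    return (f"{ip}: {r['failures']} failures, {len(r['usernames'])} usernames "
            f"({', '.join(sorted(r['usernames']))}), {r['first']} .. {r['last']}; {reasons}")


if __name__ == "__main__":
    import sys
    # Usage: python sip_failures.py /var/log/asterisk/full  (sample data if no file given)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    stats = failures_by_ip(text)
    for ip in likely_scanners(stats):
        print(describe(stats, ip))
```

If the address that placed the call never appears in the failures at all, that is itself an answer: nothing was guessed, so look for how the INVITE was accepted without a password (a secret-less trunk or gateway peer, allowguest left on, or a permit list wider than intended) rather than at password strength.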