dpawliw
(dpawliw)
March 24, 2023, 3:08am
1
Whelp, ignore this post. Got caught up in the /var/www/html/lgaetz.php targeted attack on a few of my servers because WebRTC was opened facing the internet for UCP calling from customers who want to “roam”. Not doing that anymore.
comtech
(Com Tech)
March 24, 2023, 7:30pm
3
dpawliw:
/var/www/html/lgaetz.php
I’ve not heard of this attack, do you have more information?
dpawliw
(dpawliw)
March 24, 2023, 7:45pm
4
Details are available here:
Indeed. IMO: The response to this should have been way more serious as this affects the commercial PBXact from Sangoma.
I was hoping to see in the response that “We worked with affected users to gain access to their servers and gather data. The data that we have collected is currently being analyzed by our security team”
My interpretation of the response was “Hey, another similar to ‘SIP password compromised’ incident! Change your password!”
and here:
For more than a month we’ve seen a small number of reports of exploited PBX systems used for traffic pumping. Initially details were scant, but a few commonalities emerged:
Asterisk http/https service port(s) exposed to untrusted traffic
There was a spurious ARI app running in Asterisk
Background: To create an ARI app you need access to the Asterisk http/https service and you need ARI user credentials. The FreePBX ARI user is called freepbxuser and the password is generated at time of install…
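A triage sketch for the indicators listed in this thread (a spurious ARI app, the Asterisk http/https service bound beyond loopback, and the /var/www/html/lgaetz.php file), added here as an example and not taken from the posts or from Sangoma. It assumes you feed it the text printed by `asterisk -rx "ari show apps"` and `asterisk -rx "http show status"`; the output layout in the samples, the function names, and the `expected_apps` allowlist are assumptions.

```python
import ipaddress
import os
import re

WEBROOT_FILE = "/var/www/html/lgaetz.php"  # path named in this thread

def parse_ari_apps(cli_output):
    """App names from `asterisk -rx 'ari show apps'` (layout assumed)."""
    skip = ("application name", "=")
    names = (line.strip() for line in cli_output.splitlines())
    return [n for n in names if n and not n.lower().startswith(skip)]

def non_loopback_binds(http_status):
    """(addr, port) pairs from `http show status` not bound to loopback."""
    binds = []
    for addr, port in re.findall(r"Bound to (\S+):(\d+)", http_status):
        try:
            loopback = ipaddress.ip_address(addr.strip("[]")).is_loopback
        except ValueError:
            loopback = False  # unparsable address: report it for review
        if not loopback:
            binds.append((addr, int(port)))
    return binds

def triage(ari_out, http_out, expected_apps=(), path=WEBROOT_FILE):
    """Findings for the indicators the thread lists."""
    findings = [f"unexpected ARI app: {a}"
                for a in parse_ari_apps(ari_out) if a not in expected_apps]
    findings += [f"HTTP(S) bound to {a}:{p}; check firewall for untrusted sources"
                 for a, p in non_loopback_binds(http_out)]
    if os.path.exists(path):
        findings.append(f"file present: {path}")
    return findings

# Constructed sample CLI output, not captured from a real system.
SAMPLE_ARI = """Application Name
=========================
unknown_app_1
"""
SAMPLE_HTTP = """HTTP Server Status:
Server Enabled and Bound to 0.0.0.0:8088

HTTPS Server Enabled and Bound to 127.0.0.1:8089
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_ARI, SAMPLE_HTTP):
        print(finding)
```

A non-loopback bind is only a prompt to check firewall rules; it does not by itself show the port is reachable from untrusted networks.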