Indicators of Compromise for FreePBX


#1

I am using FreePBX 13.0.197 on a CentOS Linux 6.5 OS. The PBX was hacked and calls were being routed to countries across the globe. We are investigating how this was done and have some curious logs in the freepbx security log. e.g.

2019-05-07 10:44:21] Possible proxy detected, forwarded headers for1415 set to
[2019-05-28 21:27:56] Authentication failure for admin from [IP]
[2019-05-28 21:27:56] Possible proxy detected, forwarded headers foradmin set to
[2019-05-28 21:28:03] Authentication failure for admin from [IP]
[2019-05-28 21:28:03] Possible proxy detected, forwarded headers foradmin set to
[2019-05-28 21:29:24] Authentication failure for admin from [IP]
[2019-05-28 21:29:24] Possible proxy detected, forwarded headers foradmin set to
[2019-05-28 21:30:33] Authentication failure for JAM4492836 from [IP]
[2019-05-28 21:30:38] Authentication failure for JAM4492836 from [IP]
[2019-06-10 19:14:35] Authentication failure for Admin from [IP]
[2019-06-10 19:14:35] Possible proxy detected, forwarded headers forAdmin set to
[2019-06-10 19:15:46] Authentication failure for admin from [IP]
[2019-06-10 19:15:46] Possible proxy detected, forwarded headers foradmin set to
[2019-07-19 22:15:13] Authentication failure for admin from [IP]
[2019-07-19 22:15:13] Possible proxy detected, forwarded headers foradmin set to
[2019-07-19 22:17:50] Authentication failure for Admin from [IP]
[2019-07-19 22:17:50] Possible proxy detected, forwarded headers forAdmin set to
[2019-07-20 17:36:09] Authentication failure for admin from [IP]
[2019-07-20 17:36:09] Possible proxy detected, forwarded headers foradmin set to
[2019-07-20 17:36:28] Authentication failure for admin from [IP]
[2019-07-20 17:36:28] Possible proxy detected, forwarded headers foradmin set to
[2019-07-20 17:40:18] Authentication failure for admin from [IP]
[2019-07-20 17:40:18] Possible proxy detected, forwarded headers foradmin set to
[2019-07-20 17:40:29] Authentication failure for admin from [IP]
[2019-07-20 17:40:29] Possible proxy detected, forwarded headers foradmin set to
[2019-07-20 17:40:43] Authentication failure for admin from [IP]
[2019-07-20 17:40:43] Possible proxy detected, forwarded headers foradmin set to
[2019-07-20 17:48:35] Authentication failure for admin from [IP]
[2019-07-20 17:48:35] Possible proxy detected, forwarded headers foradmin set to
[2019-07-20 17:48:47] Authentication failure for admin from [IP]
[2019-07-20 17:48:47] Possible proxy detected, forwarded headers foradmin set to
[2019-07-20 18:06:57] Authentication failure for admin from [IP]
[2019-07-20 18:06:57] Possible proxy detected, forwarded headers foradmin set to
[2019-07-20 18:07:05] Authentication failure for admin from [IP]
[2019-07-20 18:07:05] Possible proxy detected, forwarded headers foradmin set to
[2019-07-20 18:07:26] Authentication failure for 1820 from [IP]
[2019-07-20 18:07:39] Authentication failure for 1306 from [IP]
[2019-07-20 18:07:41] Authentication failure for 1306 from [IP]
[2019-07-20 18:07:49] Authentication failure for User from [IP]
[2019-07-20 18:07:52] Authentication failure for User from [IP]
[2019-07-20 18:07:56] Authentication failure for user from [IP]
2019-05-07 10:44:21] Possible proxy detected, forwarded headers for1415 set to
[2019-05-28 21:27:56] Authentication failure for admin from [IP]
[2019-05-28 21:27:56] Possible proxy detected, forwarded headers foradmin set to
[2019-05-28 21:28:03] Authentication failure for admin from [IP]
[2019-05-28 21:28:03] Possible proxy detected, forwarded headers foradmin set to
[2019-05-28 21:29:24] Authentication failure for admin from [IP]
[2019-05-28 21:29:24] Possible proxy detected, forwarded headers foradmin set to
[2019-05-28 21:30:33] Authentication failure for JAM4492836 from [IP]
[2019-05-28 21:30:38] Authentication failure for JAM4492836 from [IP]
[2019-06-10 19:14:35] Authentication failure for Admin from [IP]
[2019-06-10 19:14:35] Possible proxy detected, forwarded headers forAdmin set to
[2019-06-10 19:15:46] Authentication failure for admin from [IP]
[2019-06-10 19:15:46] Possible proxy detected, forwarded headers foradmin set to
[2019-07-19 22:15:13] Authentication failure for admin from [IP]
[2019-07-19 22:15:13] Possible proxy detected, forwarded headers foradmin set to
[2019-07-19 22:17:50] Authentication failure for Admin from [IP]
[2019-07-19 22:17:50] Possible proxy detected, forwarded headers forAdmin set to
[2019-07-20 17:36:09] Authentication failure for admin from [IP]
[2019-07-20 17:36:09] Possible proxy detected, forwarded headers foradmin set to
[2019-07-20 17:36:28] Authentication failure for admin from [IP]
[2019-07-20 17:36:28] Possible proxy detected, forwarded headers foradmin set to
[2019-07-20 17:40:18] Authentication failure for admin from [IP]
[2019-07-20 17:40:18] Possible proxy detected, forwarded headers foradmin set to
[2019-07-20 17:40:29] Authentication failure for admin from [IP]
[2019-07-20 17:40:29] Possible proxy detected, forwarded headers foradmin set to
[2019-07-20 17:40:43] Authentication failure for admin from [IP]
[2019-07-20 17:40:43] Possible proxy detected, forwarded headers foradmin set to
[2019-07-20 17:48:35] Authentication failure for admin from [IP]
[2019-07-20 17:48:35] Possible proxy detected, forwarded headers foradmin set to
[2019-07-20 17:48:47] Authentication failure for admin from [IP]
[2019-07-20 17:48:47] Possible proxy detected, forwarded headers foradmin set to
[2019-07-20 18:06:57] Authentication failure for admin from [IP]
[2019-07-20 18:06:57] Possible proxy detected, forwarded headers foradmin set to
[2019-07-20 18:07:05] Authentication failure for admin from [IP]
[2019-07-20 18:07:05] Possible proxy detected, forwarded headers foradmin set to
[2019-07-20 18:07:26] Authentication failure for 1820 from [IP]
[2019-07-20 18:07:39] Authentication failure for 1306 from [IP]
[2019-07-20 18:07:41] Authentication failure for 1306 from [IP]
[2019-07-20 18:07:49] Authentication failure for User from [IP]
[2019-07-20 18:07:52] Authentication failure for User from [IP]
[2019-07-20 18:07:56] Authentication failure for user from [IP]

The IPs associated with the authentication failure are not associated with the PBX at all and should not be trying to authenticate in any way. Would this indicate that the bad actors would have pivoted from those machines to the PBX or is there another plausible reason for these authentication failures to be generated?
I also looked at some firewall logs but cannot interpret the data. The dates seem to be coded? e.g.

1572450608: /sbin/iptables -A fpbxregistrations -s 66.33.146.52/32 -j fpbxknownreg
1572450608: /sbin/iptables -D fpbxregistrations -s 169.132.196.11/32 -j fpbxknownreg
1572450890: /sbin/iptables -A fpbxregistrations -s 169.132.196.11/32 -j fpbxknownreg
1572450890: /sbin/iptables -D fpbxregistrations -s 66.33.146.52/32 -j fpbxknownreg
1572451201: /sbin/iptables -A fpbxregistrations -s 66.33.146.52/32 -j fpbxknownreg
1572451201: /sbin/iptables -D fpbxregistrations -s 169.132.196.11/32 -j fpbxknownreg
1572452112: /sbin/iptables -A fpbxregistrations -s 169.132.196.11/32 -j fpbxknownreg
1572452112: /sbin/iptables -D fpbxregistrations -s 66.33.146.52/32 -j fpbxknownreg
1572452710: /sbin/iptables -A fpbxregistrations -s 66.33.146.52/32 -j fpbxknownreg
1572452710: /sbin/iptables -D fpbxregistrations -s 169.132.196.11/32 -j fpbxknownreg
1572452992: /sbin/iptables -A fpbxregistrations -s 169.132.196.11/32 -j fpbxknownreg
1572452992: /sbin/iptables -D fpbxregistrations -s 66.33.146.52/32 -j fpbxknownreg
1572453309: /sbin/iptables -A fpbxregistrations -s 66.33.146.52/32 -j fpbxknownreg
1572453309: /sbin/iptables -D fpbxregistrations -s 169.132.196.11/32 -j fpbxknownreg
1572453590: /sbin/iptables -A fpbxregistrations -s 169.132.196.11/32 -j fpbxknownreg
1572453590: /sbin/iptables -D fpbxregistrations -s 66.33.146.52/32 -j fpbxknownreg
1572453907: /sbin/iptables -A fpbxregistrations -s 66.33.146.52/32 -j fpbxknownreg
1572453907: /sbin/iptables -D fpbxregistrations -s 169.132.196.11/32 -j fpbxknownreg
1572454189: /sbin/iptables -A fpbxregistrations -s 169.132.196.11/32 -j fpbxknownreg
1572454189: /sbin/iptables -D fpbxregistrations -s 66.33.146.52/32 -j fpbxknownreg
1572455099: /sbin/iptables -A fpbxregistrations -s 66.33.146.52/32 -j fpbxknownreg
1572455099: /sbin/iptables -D fpbxregistrations -s 169.132.196.11/32 -j fpbxknownreg
1572455380: /sbin/iptables -A fpbxregistrations -s 169.132.196.11/32 -j fpbxknownreg
1572455380: /sbin/iptables -D fpbxregistrations -s 66.33.146.52/32 -j fpbxknownreg
1572455979: /sbin/iptables -A fpbxregistrations -s 66.33.146.52/32 -j fpbxknownreg
1572455979: /sbin/iptables -D fpbxregistrations -s 169.132.196.11/32 -j fpbxknownreg
1572456884: /sbin/iptables -A fpbxregistrations -s 169.132.196.11/32 -j fpbxknownreg
1572456884: /sbin/iptables -D fpbxregistrations -s 66.33.146.52/32 -j fpbxknownreg
1572457503: /sbin/iptables -A fpbxregistrations -s 66.33.146.52/32 -j fpbxknownreg
1572457503: /sbin/iptables -D fpbxregistrations -s 169.132.196.11/32 -j fpbxknownreg
1572457779: /sbin/iptables -A fpbxregistrations -s 169.132.196.11/32 -j fpbxknownreg
1572457779: /sbin/iptables -D fpbxregistrations -s 66.33.146.52/32 -j fpbxknownreg

Are they any other logs that might uncover information relating to the source of the breach?

Thanks in advance.


#2

Perhaps you have TCP/5038 open on your firewall?

( date -d @1572450608 and date +%s )


#3

Thanks for your reply! No i do not have port 5038 open. Also I am unsure as to what you are trying to explain regarding the date in brackets? Can you elaborate please?


#4

Well

[2019-07-20 17:40:29] Authentication failure for admin from [IP]

suggests that ‘IP’ is getting to your machine’s AMI which runs on port 5038 and listens on all interfaces.

As to your dates being ‘coded’ , not really but from bash

date -d @1572450608
date +%s

1572450608 is seconds since the epoch which is midnight jan 1st 1970 UTC


#5

Thanks. Does this suggest that someone was actively trying to authenticate from that IP? I want to rule out that this could happen without human intervention.


(Dave Burgess) #6

Assume that it does. You need to lock the system down, especially with the GUI exploit that was just found.


#7

Yes, they are :wink:

It is very unlikely that ‘asterisk manager’ needs to listen on anything but your ‘local’ network interface, that would be to change

bindaddr=0.0.0.0

to

bindaddr=127.0.0.1

in /etc/asterisk/manager*.conf

how that is best done in any “FreePBX distro” I am unsure of.


#8

Hi:
Yes the IPs associated with the authentication failures are local but not from any user systems, they are DVR systems and cameras.


#9

Are they Chinese ?


#10

Just to clarify, these Chinese devices are notoriously nasty, they call home to “universities” in Beijing :wink: , when we talk about the local network interface, that excludes the LAN (where your nasties are at) and includes only conversations between processes on the PBX itself, by default asterisk manager listens on all interfaces (0.0.0.0) that allows access from the nasties within your LAN plus anything that the firewall doesn’t protect, I recommend that you restrict the manager to 127.0.0.1 ( the local interface)


#11

Thanks for the info. Do you know of any logs i can look for that would indicate what type of compromise happened here? Any other clues of a bad actor being in the system?


#12

There will be no logs, they are not stupid, but if you run tcpdump on your external network interface against YOUR.SPY.CAMERA.IP you might catch a smelly fish, (they don’t phone home often though)


(system) closed #13

This topic was automatically closed 31 hours after the last reply. New replies are no longer allowed.