I've been hacked!

I’ve been hacked!!!

How was this guy able to bypass the password authentication?

cat /etc/asterisk/freepbxdistro-version

1.8.2.0-2

Apache log:

httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:08 -0600] "GET / HTTP/1.0" 200 2559 "http://localhost/index.php?file=b69.100x.txt&find=pbx" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:09 -0600] "GET /admin/images/box-left.jpg HTTP/1.0" 200 2576 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:09 -0600] "GET /admin/images/operator-panel.png HTTP/1.0" 200 11055 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:09 -0600] "GET /admin/images/header-bg-right.jpg HTTP/1.0" 200 19400 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:09 -0600] "GET /admin/images/sys-admin.png HTTP/1.0" 200 14271 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:09 -0600] "GET /admin/images/header-bg-left.jpg HTTP/1.0" 200 26105 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:09 -0600] "GET /admin/images/user-control.png HTTP/1.0" 200 13361 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:10 -0600] "GET /admin/images/support.png HTTP/1.0" 200 9550 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:10 -0600] "GET /admin/images/box-right.jpg HTTP/1.0" 200 2554 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:10 -0600] "GET /admin/images/header-tile.jpg HTTP/1.0" 200 452 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:10 -0600] "GET /admin/images/header-bg-tile.jpg HTTP/1.0" 200 396 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:11 -0600] "GET /admin/images/box-tile.jpg HTTP/1.0" 200 365 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:20 -0600] "GET /admin/common/script.js.php?load_version=2.9.0.7 HTTP/1.0" 200 1111 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:20 -0600] "GET /admin/assets/js/jquery.cookie.js HTTP/1.0" 200 4247 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:20 -0600] "GET /admin/common/mainstyle.css?load_version=2.9.0.7 HTTP/1.0" 200 15911 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:20 -0600] "GET /admin/assets/js/script.legacy.js HTTP/1.0" 200 19594 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:21 -0600] "GET /admin/assets/js/jquery.dimensions.js HTTP/1.0" 200 20547 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:21 -0600] "GET /admin/assets/js/jquery.toggleval.3.0.js HTTP/1.0" 200 3496 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:20 -0600] "GET /admin/assets/js/jquery-1.4.x.min.js HTTP/1.0" 200 78696 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:22 -0600] "GET /admin/assets/js/interface.dim.js HTTP/1.0" 200 3761 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:22 -0600] "GET /admin/assets/js/tabber-minimized.js HTTP/1.0" 200 4904 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:22 -0600] "GET /admin/images/freepbx_large.png?load_version=2.9.0.7 HTTP/1.0" 200 7590 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:20 -0600] "GET /admin/assets/js/jquery-ui-1.8.x.min.js HTTP/1.0" 200 198688 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:23 -0600] "GET /admin/images/logo.png?load_version=2.9.0.7 HTTP/1.0" 200 5699 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:23 -0600] "GET /admin/images/favicon.ico HTTP/1.0" 200 318 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:27 -0600] "GET /admin/images/header-back.png HTTP/1.0" 200 339 "http://xx.xx.xx.xx/admin/common/mainstyle.css?load_version=2.9.0.7" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:27 -0600] "GET /admin/images/tab.png HTTP/1.0" 200 1431 "http://xx.xx.xx.xx/admin/common/mainstyle.css?load_version=2.9.0.7" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:27 -0600] "GET /admin/images/tab-first-current.png HTTP/1.0" 200 2639 "http://xx.xx.xx.xx/admin/common/mainstyle.css?load_version=2.9.0.7" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:06 -0600] "GET /admin/modules/ HTTP/1.0" 200 15000 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:06 -0600] "GET /icons/back.gif HTTP/1.0" 200 216 "http://xx.xx.xx.xx/admin/modules/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:06 -0600] "GET /icons/blank.gif HTTP/1.0" 200 148 "http://xx.xx.xx.xx/admin/modules/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:06 -0600] "GET /icons/bomb.gif HTTP/1.0" 200 308 "http://xx.xx.xx.xx/admin/modules/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:06 -0600] "GET /icons/folder.gif HTTP/1.0" 200 225 "http://xx.xx.xx.xx/admin/modules/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:06 -0600] "GET /icons/script.gif HTTP/1.0" 200 242 "http://xx.xx.xx.xx/admin/modules/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:14 -0600] "GET /admin/modules/framework/ HTTP/1.0" 200 2558 "http://xx.xx.xx.xx/admin/modules/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:15 -0600] "GET /icons/text.gif HTTP/1.0" 200 229 "http://xx.xx.xx.xx/admin/modules/framework/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:17 -0600] "GET /admin/modules/framework/bin/ HTTP/1.0" 200 2939 "http://xx.xx.xx.xx/admin/modules/framework/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:18 -0600] "GET /icons/unknown.gif HTTP/1.0" 200 245 "http://xx.xx.xx.xx/admin/modules/framework/bin/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:19 -0600] "GET /admin/modules/framework/bin/gen_amp_conf.php HTTP/1.0" 200 6539 "http://xx.xx.xx.xx/admin/modules/framework/bin/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - maint [12/Feb/2012:17:14:37 -0600] "GET /admin/config.php HTTP/1.0" 200 27455 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - maint [12/Feb/2012:17:14:39 -0600] "GET /admin/config.php?handler=file&module=dashboard&file=dashboard.css&load_version=2.9.0.4 HTTP/1.0" 200 2463 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:14:39 -0600] "GET /admin/common/mstyle_autogen_1314232943.css?load_version=2.9.0.7 HTTP/1.0" 200 11603 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:14:40 -0600] "GET /admin/images/notify_update.png HTTP/1.0" 200 619 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:14:40 -0600] "GET /admin/images/notify_delete.png HTTP/1.0" 200 715 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:14:40 -0600] "GET /admin/images/notify_warning.png HTTP/1.0" 200 789 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:14:40 -0600] "GET /admin/images/cancel.png HTTP/1.0" 200 815 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:14:40 -0600] "GET /admin/images/notify_notice.png HTTP/1.0" 200 778 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:14:39 -0600] "GET /admin/common/libfreepbx.javascripts.js?load_version=2.9.0.7 HTTP/1.0" 200 302944 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:14:41 -0600] "GET /admin/images/freepbx_small.png?load_version=2.9.0.7 HTTP/1.0" 200 4844 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:14:42 -0600] "GET /admin/images/shadow-side-background.png?load_version=2.9.0.7 HTTP/1.0" 200 198 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
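The posted log already contains the sequence a responder would want to pull out mechanically: the client walks Apache directory listings (/admin/modules/, then framework/, then framework/bin/, with the /icons/*.gif requests being the images mod_autoindex embeds in a listing page), fetches gen_amp_conf.php without any credentials at 17:13:19, and 78 seconds later makes its first request as the authenticated user "maint" with no failed login in between. The script below is an added example, not part of the original post or of FreePBX; it parses Apache combined-format lines (with the "httpd/access_log:" prefix grep adds), tags the three indicators, and correlates unauthenticated probing with a later authenticated request from the same IP. The sample input is a subset of the lines above with the User-Agent shortened, plus one constructed benign line from 10.1.2.3 to show the correlation does not fire on an ordinary login.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format. The optional "<file>:" prefix is what grep prints
# when it searches several log files, as in the lines posted above.
LOG_RE = re.compile(
    r'^(?:\S*?access_log:)?(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Scripts under a module's bin/ directory are meant to be run from the shell,
# not fetched over HTTP.
MODULE_BIN_RE = re.compile(r"^/admin/modules/[^/]+/bin/[^/]+\.php$")


def parse(line):
    """Parse one access_log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def tag(rec):
    """Return indicator tags for one request (empty when nothing is suspicious)."""
    tags = []
    p = rec["path"]
    if rec["status"] == 200 and p.startswith("/admin/modules/") and p.endswith("/"):
        tags.append("dir-listing")        # mod_autoindex served a module directory
    if p.startswith("/icons/") and "/admin/modules/" in rec["referer"]:
        tags.append("autoindex-icon")     # icons a listing page pulls in
    if rec["status"] == 200 and MODULE_BIN_RE.match(p):
        tags.append("module-bin-script")
    return tags


def analyze(lines, window=timedelta(minutes=30)):
    """Tag individual requests and correlate unauthenticated probing with a
    later authenticated request from the same client IP inside `window`."""
    events, findings = [], []
    probes = defaultdict(list)  # ip -> timestamps of unauthenticated probe hits
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        tags = tag(rec)
        if tags:
            events.append((rec["ts"], rec["ip"], rec["path"], tags))
            if rec["user"] == "-" and {"dir-listing", "module-bin-script"} & set(tags):
                probes[rec["ip"]].append(rec["ts"])
        hits = probes.get(rec["ip"], [])
        if rec["user"] != "-" and hits and timedelta(0) <= rec["ts"] - hits[0] <= window:
            findings.append({
                "ip": rec["ip"], "user": rec["user"], "login_at": rec["ts"],
                "first_probe": hits[0], "probe_hits": len(hits),
            })
            probes[rec["ip"]] = []  # report each probe burst once
    return events, findings


# Subset of the posted log (User-Agent shortened). The last line is constructed
# and represents a normal authenticated session from an internal address.
SAMPLE_LOG = """\
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:08 -0600] "GET / HTTP/1.0" 200 2559 "http://localhost/index.php?file=b69.100x.txt&find=pbx" "Mozilla/5.0"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:06 -0600] "GET /admin/modules/ HTTP/1.0" 200 15000 "-" "Mozilla/5.0"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:06 -0600] "GET /icons/folder.gif HTTP/1.0" 200 225 "http://xx.xx.xx.xx/admin/modules/" "Mozilla/5.0"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:14 -0600] "GET /admin/modules/framework/ HTTP/1.0" 200 2558 "http://xx.xx.xx.xx/admin/modules/" "Mozilla/5.0"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:17 -0600] "GET /admin/modules/framework/bin/ HTTP/1.0" 200 2939 "http://xx.xx.xx.xx/admin/modules/framework/" "Mozilla/5.0"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:19 -0600] "GET /admin/modules/framework/bin/gen_amp_conf.php HTTP/1.0" 200 6539 "http://xx.xx.xx.xx/admin/modules/framework/bin/" "Mozilla/5.0"
httpd/access_log:83.244.52.186 - maint [12/Feb/2012:17:14:37 -0600] "GET /admin/config.php HTTP/1.0" 200 27455 "-" "Mozilla/5.0"
httpd/access_log:10.1.2.3 - maint [12/Feb/2012:09:02:11 -0600] "GET /admin/config.php HTTP/1.1" 200 27455 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    evs, finds = analyze(SAMPLE_LOG.splitlines())
    for ts, ip, path, tags in evs:
        print(ts.strftime("%H:%M:%S"), ip, path, ",".join(tags))
    for f in finds:
        print("FINDING: %(ip)s authenticated as %(user)s at %(login_at)s after "
              "%(probe_hits)d unauthenticated probe hits since %(first_probe)s" % f)
```

Running it against the full access_log (`python3 probe_check.py < /var/log/httpd/access_log` after swapping SAMPLE_LOG for `sys.stdin`) gives the same picture as reading the excerpt by hand: three directory listings and one bin/ script served to an unauthenticated client, then a successful authenticated session from that client. The window is deliberately generous; tighten it if the listing-to-login gap in your environment is always short, and note that the "probe hits" counter does not by itself say what the script returned, only that it was reachable.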

The more pressing question should be: how did he get to the box?

It has a static IP on the public internet.

Well there is your problem. Did you fully open the system up to the Internet? If you did you would be opening yourself up for lots of trouble.

Uh, yes, why would that be a problem if the web interface is password protected?

If someone truly hacked your system they must have guessed your password.

How do you know you were hacked?

I am sure many other members will chime in here to tell you how bad of an idea it is to open the web interface of your system up to the Internet. There is no reason to expose the web interface of your PBX to the Internet regardless of passwords.

It was a difficult password which I changed fairly recently, and I’m not seeing any invalid login attempts.

Are there any known exploits with the web interface?

Do you absolutely need to have the web interface exposed to the Internet? Your best bet is not to open the GUI to the Internet.

What ports do you have forwarded from the Internet to your phone server?

I suppose I can keep it off and then just turn it on when I need it.

The PBX server is in a datacenter because I have a number of offices that connect to it.

Is there a better way to do this? Like a VPN or IPsec or something?

This has been reported already:

http://www.freepbx.org/forum/freepbx/development/security-gen-amp-conf-php

Yeah, it is lame beyond belief that in 2012 people make such stupid mistakes.

@obelisk

Agreed, I can’t believe some programmers these days.

You have a server in a datacenter without any security for your other applications?

Access lists and VPNs are your friend.
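What that advice looks like in Apache, as an added example that is not from this post or from the FreePBX project: the fragment below assumes the stock CentOS layout of the FreePBX distro (DocumentRoot /var/www/html with the GUI under /admin), Apache 2.2 syntax as shipped in 2012, and made-up office and VPN ranges that you would replace with your own. It does three things the log above argues for: it restricts /admin to the office networks and the VPN client pool, it turns off the directory listings the attacker walked (the /icons/*.gif requests are the images mod_autoindex adds to a listing page), and it refuses to serve anything from a module's bin/ directory at all. Phones at the remote offices talk SIP/RTP to Asterisk, not HTTP to the GUI, so this costs them nothing.

```apache
# Hypothetical drop-in file: /etc/httpd/conf.d/freepbx-admin.conf
# Apache 2.2 syntax. On Apache 2.4 replace each Order/Allow/Deny group
# with "Require ip <ranges>" or "Require all denied".

# Never let mod_autoindex list a directory anywhere under the web root.
<Directory "/var/www/html">
    Options -Indexes
</Directory>

# Only the office networks and the VPN client pool may reach the admin GUI.
# 192.0.2.0/24 and 198.51.100.0/24 stand in for the offices,
# 10.8.0.0/24 for an OpenVPN client pool; all three are example ranges.
<Location /admin>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
    Allow from 198.51.100.0/24
    Allow from 10.8.0.0/24
</Location>

# Module bin/ directories hold command-line scripts; never serve them over HTTP,
# whatever the client's address.
<DirectoryMatch "^/var/www/html/admin/modules/[^/]+/bin">
    Order deny,allow
    Deny from all
</DirectoryMatch>
```

Check it with `apachectl configtest` before reloading, then confirm from an address outside the allow list that `curl -sI http://<pbx>/admin/config.php` returns 403 and that `http://<pbx>/admin/modules/` no longer returns a listing. Belt and braces: apply the same allow list to TCP/80 and TCP/443 in iptables at the datacenter edge or on the host, so that a future Apache misconfiguration does not silently re-expose the GUI. Apache comments must sit on their own lines, which is why none of the directives above carry a trailing comment.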

I have a better idea. Why don’t the users put together a security and functional test plan. Run the test plan against each beta and report back to the developers. If everyone concurs no release will go from release candidate to released with the test plan executed and “sign off” from the testing group.

Would you rather have the developers work on features or spend time running these test plans? The more help they (the developers) get the more features can be completed.

Everybody wins.

@SkykingOH I’d be open to being part of that, how do I get involved though?

We’d need some way to track who’s working on what, and also what code is new since the last release. Plus it might be a good idea to go through the existing code one more time, if that hasn’t been done already.

We are insanely busy and open to anything that makes sense.

1 - Design the process
2 - Socialize it within the community
3 - Get buy in from the community
4 - Recruit assistants
5 - Manage team to the process

This is an “open” project. Nobody has to approve anything. Leadership fills the vacuum.

The tests should be automated. No humans need to be involved. Humans are generally unreliable and suck at making decisions :wink:

BTW: It looks like the vulnerability was introduced on 01/06/11

http://www.freepbx.org/trac/changeset/10807

Everything released in 2011 is probably vulnerable. Did FreePBX people make any effort to reach distro builders to make sure they push the updates? I also did not see any CVE entry for this. I think there are going to be lots of hacked systems in 2012 because of this.

Obelisk is right, why isn’t that listed here:
http://www.cvedetails.com/vendor/6470/Freepbx.html

You guys make it sound like this is some sort of an obligation (to whom I am not sure). This is a community project.

Ward is very active over at PBXiaf and certainly has a direct line to the Kremlin.

I will sum up my feelings, and this is directed at the rabble-rousers who know who they are. Instead of stirring up sh*t why don’t you dedicate a significant portion of your time to the project, travel around the country at your own expense evangelizing the project, dedicate your employees’ time, donate resources and hardware etc. Those of us who do some/all of these things get a bit annoyed when you bitch about the job that is being done. If you don’t like it then you are more than welcome to do 1 of 2 things.

1 - Do a better job
2 - Don’t use the package

@SkykingOH we’re not stirring up sh*t, obviously we use the software and highly value it, and we’re not directing this towards one individual or one group of individuals. And we appreciate the job, and hard work that everyone involved contributes. And I already said I would be happy to help assist with this.

We’re just saying some more emphasis should be put on security, which needs to start from the people at the top of this community project, and requires coordination from the people at the top, to the developers, to the testers, etc. This is rather important since these bugs can potentially cost users $100k or more:
http://nerdvittles.com/?p=580

And when there is a security bug found it needs to be submitted to the proper channels (bugtraq, cvedetails, etc).

Security needs to be a top priority whether it’s a community project, open source, closed source, for profit, not for profit, etc.

We apologize if we came across as bitchy/annoying.

And that file is no longer accessible and was fixed 2 months ago.