Sangoma Appliance Hacked?

gavo · November 15, 2017, 6:43pm

Hello,

A friend of mine had a Sangoma freepbx appliance installed that whilst it is working fine has seen some strange attempted calling behaviour in/around 1am GMT every morning - as though a script is running. The responsive firewall is all setup and for all intents and purposes it is fine apart from this issue.
Fortunately as a second line of defence the maximum per minute call rate has been set with the provider at US$ 4 cents - so every day (for a few days now) you will see a string of “over max rate” logs of all the attempted calls.
I had read somewhere that Sangoma was compromised ? - note this appliance is registered on their portal - so could it be a case that it has been hacked via a back door and thus bypassing the firewall ? And, if so is it simply a question of applying some patch or finding / deleting this script ?
I’m not overly Linux friendly but I’m happy enough to SSH into the box and follow an instruction or two.

Suggestions kindly welcome.

jfinstrom · November 15, 2017, 6:51pm

We have no known security issues (none recent even). As long as your system is up to date there should be nothing known.

You may send relevant logs for the times listed to [email protected]

gavo · November 15, 2017, 6:56pm

Thanks for that. Will log into it and take a screenshot of the strange activity and send on.

Thanks

mattbratt · November 15, 2017, 7:41pm

Check for weak passwords? Run Reports, Check for Weak Passwords.

Was your default root account password changed from the factory install?

gavo · November 16, 2017, 8:01pm

Hello,

No weak passwords were detected, and yes, the default password was changed.

Thanks for the suggestions

mattbratt · November 17, 2017, 7:29am

Settings >> SIP Settings

Allow Anonymous Inbound SIP Calls, should be set to No.