Strange outbound calls - Hacked?

Hello,
I have strange calls going outbound. It seems that someone trys to compromise or has already compromised.
The calls are going out from 6 different extensions, some of them activated in Freepbx, but no physical phone connected at my side.

I found that the SIP-connection came from an IP in the US (I am in Europe). Blocked this IP on my physical Firewall.

All my extensions have set a long secure password.
Fail2Ban is not reacting to the IP.
Firewall Log shows: ip6tables v1.4.21: invalid port/service -j' specified Tryip6tables -h’ or ‘ip6tables --help’ for more information.
iptables v1.4.21: invalid port/service -j' specified Tryiptables -h’ or ‘iptables --help’ for more information.

Can someone help me with this? What can I further do?

The outgoing calls are to 01144… Which is emergency number of Paramedics in Vienna. They have other things to handle, than ping calls …

Further I would like to change my Freepbx Password, but where do I do this?

Any help welcome.

Regards,
Gunther

There’s so much going on that it’s hard to analyze the problems.

1. Are you sure the calls are outgoing calls coming from your PBX?
2. The firewall log information show someone or something trying to use an option that doesn’t exist for the system’s version of iptables. Not sure how that is related.
3. The outgoing calls to Paramedics in Vienna is a weird destination.
4. Which password are you trying to change? There are lots of them.

If you could capture one of the outgoing calls from your box in the /var/log/asterisk/full logs, we might be able to help you, but there’s no guaantees.

Do you have the Management Console open to the world (port 80)? If so, you may need to go as far as reformatting your hard drive and starting over. A lot depends on how your system has been compromised. The fact that your system is allowing calls through extensions that do not exist is worrisome, so the logs will help us analyze that.

To clarify. The extension exists, but we do not use it at the moment. The password is the password Freepbx created for it.

Concerning Changing password: How can I change the password for Freepbx-GUI-Login.

Attached log from the moment the call was going out:

Blockquote [2021-08-02 15:30:42] VERBOSE[8184] chan_sip.c: Registered SIP ‘502’ at 173.44.36.172:20260
[2021-08-02 15:30:42] VERBOSE[8184] chan_sip.c: Registered SIP ‘506’ at 173.44.36.172:20135
[2021-08-02 15:30:42] VERBOSE[8184] chan_sip.c: Registered SIP ‘505’ at 173.44.36.172:11661
[2021-08-02 15:30:42] VERBOSE[8184] chan_sip.c: Registered SIP ‘507’ at 173.44.36.172:13318
[2021-08-02 15:30:43] VERBOSE[8184][C-00000230] netsock2.c: Using SIP RTP TOS bits 184
[2021-08-02 15:30:43] VERBOSE[8184][C-00000230] netsock2.c: Using SIP RTP CoS mark 5
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [011442037691455@from-internal:1] Macro(“SIP/502-00000a73”, “user-callerid,LIMIT,EXTERNAL,”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:1] Set(“SIP/502-00000a73”, “TOUCH_MONITOR=1627911043.7005”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:2] Set(“SIP/502-00000a73”, “AMPUSER=502”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:3] Set(“SIP/502-00000a73”, “HOTDESCKCHAN=502-00000a73”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:4] Set(“SIP/502-00000a73”, “HOTDESKEXTEN=502”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:5] Set(“SIP/502-00000a73”, “HOTDESKCALL=0”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:6] ExecIf(“SIP/502-00000a73”, “0?Set(HOTDESKCALL=1)”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:7] ExecIf(“SIP/502-00000a73”, “0?Set(CALLERID(name)=)”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:8] GotoIf(“SIP/502-00000a73”, “0?report”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:9] ExecIf(“SIP/502-00000a73”, “1?Set(REALCALLERIDNUM=502)”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:10] Set(“SIP/502-00000a73”, “AMPUSER=502”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:11] GotoIf(“SIP/502-00000a73”, “0?limit”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:12] Set(“SIP/502-00000a73”, “AMPUSERCIDNAME=Ordination 2”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:13] ExecIf(“SIP/502-00000a73”, “0?Set(__CIDMASQUERADING=TRUE)”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:14] GotoIf(“SIP/502-00000a73”, “0?report”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:15] Set(“SIP/502-00000a73”, “AMPUSERCID=502”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:16] Set(“SIP/502-00000a73”, “__DIAL_OPTIONS=HhTtr”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:17] Set(“SIP/502-00000a73”, “CALLERID(all)=“Ordination 2” <502>”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:18] ExecIf(“SIP/502-00000a73”, “0?Set(CUSDIAL=)”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:19] ExecIf(“SIP/502-00000a73”, “0?Set(CALLERID(all)=“Ordination 2” <502>)”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:20] GotoIf(“SIP/502-00000a73”, “0?limit”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:21] ExecIf(“SIP/502-00000a73”, “1?Set(GROUP(concurrency_limit)=502)”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:22] ExecIf(“SIP/502-00000a73”, “0?Set(CHANNEL(language)=)”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:23] NoOp(“SIP/502-00000a73”, “Macro Depth is 1”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:24] GotoIf(“SIP/502-00000a73”, “1?report2:macroerror”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx_builtins.c: Goto (macro-user-callerid,s,25)
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:25] GotoIf(“SIP/502-00000a73”, “1?continue”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx_builtins.c: Goto (macro-user-callerid,s,44)
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:44] Set(“SIP/502-00000a73”, “CALLERID(number)=502”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:45] Set(“SIP/502-00000a73”, “CALLERID(name)=Ordination 2”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:46] GotoIf(“SIP/502-00000a73”, “0?cnum”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:47] Set(“SIP/502-00000a73”, “CDR(cnam)=Ordination 2”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:48] Set(“SIP/502-00000a73”, “CDR(cnum)=502”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@macro-user-callerid:49] Set(“SIP/502-00000a73”, “CHANNEL(language)=de_DE”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [011442037691455@from-internal:2] Gosub(“SIP/502-00000a73”, “sub-record-check,s,1(out,011442037691455,dontcare)”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@sub-record-check:1] GotoIf(“SIP/502-00000a73”, “0?initialized”) in new stack
[2021-08-02 15:30:43] VERBOSE[60167][C-00000230] pbx.c: Executing [s@sub-record-check:2] Set(“SIP/502-00000a73”, “__REC_STATUS=INITIALIZED”) in new stack

…

[2021-08-02 15:30:44] VERBOSE[60218][C-00000232] bridge_channel.c: Channel SIP/trunkDIC43422529888-00000a78 joined ‘simple_bridge’ basic-bridge <6ff2818b-2a53-4d6e-8a72-8ba25eb52697>
[2021-08-02 15:30:44] VERBOSE[60175][C-00000232] bridge_channel.c: Channel SIP/507-00000a75 joined ‘simple_bridge’ basic-bridge <6ff2818b-2a53-4d6e-8a72-8ba25eb52697>

This IP is in Miami, Florida. Is this perhaps a known location to you?

Tried looking it up. I found no information about it.

Hi, no, we are in Austria/Europe.

First, the attacker was able to authenticate normally. The two most likely causes:

1. You are using TFTP provisioning, or HTTP(S) provisioning without a password, open to the world. It is easy for the attacker to iterate through known MAC address ranges to find the associated phone.

2. Your admin GUI is open to the world and the attacker guessed the password or (more likely) exploited one of the many vulnerabilities before it was patched.

In either of these cases, you probably need to reinstall the system from scratch, properly secured and with all new credentials.

The attacker was attempting a call to London (US international prefix = 011, UK country code = 44, London = 20), to see whether calling was successful. The destination number is controlled by the attacker. (UK is common because those numbers are easy to obtain anonymously.)

However, I don’t understand how this became a 144 call. If your system requires dialing 0 before an outside number (not recommended) and your provider or gateway ignores extra digits, then 0144… could reach the paramedics. But unless you have an Outbound Route with an 01 prefix, 01144… shouldn’t be routed to 144.

whois -h whois.cymru.com " -v 173.44.36.172"
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
8100 | 173.44.36.172 | 173.44.32.0/19 | US | arin | 2010-01-11 | ASN-QUADRANET-GLOBAL, US

011442037691455 is a land-line number in London U.K.

Thanks for clarification.
I’ll setup from scratch.

I suppose it was case 2, the GUI was open to the world.

Regards,
Gunther

Is it safe to export settings and import them into the new virtualmachine?

Regards,
Gunther

I would not do that.

Yes, as long as when you import the extensions, you change the secret to REGEN

Never ever do a port forwarding to the freePBX-web-UI!
If you have a local machine, install Linux Mint. Then add Virtualbox. Install the freePBX distro as virtual machine.
Install noMachine in Linux Mint. Create a portforwarding for remote access (noMachine) to your Linux Mint machine.

If you still want to change the password of the freePBX-web-UI. Go to admin > administrators and then click on the 4-line symbol on the right and chose the admin-user.

admin-administrators1608×395 59.2 KB

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.