adon004
February 11, 2014, 7:31pm
1
Hi, using FreePBX Distro 2.11.0.11 and just got hacked. I have SSH and FTP open as follows:
Accept If input interface is lo
Reject If protocol is ICMP and ICMP type is any
Accept If protocol is 50
Accept If protocol is 51
Accept If protocol is UDP and destination is 224.0.0.251 and destination port is 5353
Accept If protocol is UDP and destination port is 631
Accept If protocol is TCP and destination port is 631
Accept If state of connection is ESTABLISHED,RELATED
Accept If protocol is TCP and destination port is 20022 and state of connection is NEW
Accept If protocol is TCP and destination port is 21 and state of connection is NEW
Reject Always
This is an install from rentpbx.com and the only amendment I made to the firewall was FTP.
I have “allow sip guests” and “allow anonymous inbound sip calls” both set to no, as I was aware of the issues with these. All my extensions have a great secret and I have checked that the weak password detection tool passed, to make sure.
I have the following in the CDR which alerted me so I could get the Trunk Disabled.
2014-02-11 13:41:08 1392126068.17830 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:40:47 1392126047.17829 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:40:27 1392126027.17828 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:40:05 1392126005.17827 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:39:29 1392125969.17826 *********** Wait 100 ANSWERED 00:04
2014-02-11 13:37:47 1392125867.17825 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:46 1392125866.17824 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:45 1392125865.17823 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:44 1392125864.17822 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:43 1392125863.17821 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:42 1392125862.17820 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:41 1392125861.17819 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:40 1392125860.17818 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:39 1392125859.17817 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:38 1392125858.17816 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:37 1392125857.17815 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:36
Can someone kindly lend me some advice here, as I think I have ticked all the boxes for security.
tm1000
(Andrew Nagy)
February 11, 2014, 8:21pm
2
What makes you think you were hacked. Looks like generic SIP traffic from the internet probing your machine.
adon004
February 11, 2014, 8:37pm
3
There were calls completed with an extension that doesn’t exist: 100.
My CDR above wasn’t complete; the one below shows successful calls:
2014-02-11 13:41:08 1392126068.17830 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:40:47 1392126047.17829 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:40:27 1392126027.17828 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:40:05 1392126005.17827 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:39:29 1392125969.17826 ********* Wait 100 ANSWERED 00:04
2014-02-11 13:37:47 1392125867.17825 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:46 1392125866.17824 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:45 1392125865.17823 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:44 1392125864.17822 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:43 1392125863.17821 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:42 1392125862.17820 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:41 1392125861.17819 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:40 1392125860.17818 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:39 1392125859.17817 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:38 1392125858.17816 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:37 1392125857.17815 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:36 1392125856.17814 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:35 1392125855.17813 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:34 1392125854.17812 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:33 1392125853.17811 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:32 1392125852.17810 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:31 1392125851.17809 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:30 1392125850.17808 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:29 1392125849.17807 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:28 1392125848.17806 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:27 1392125847.17805 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:26 1392125846.17804 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:25 1392125845.17803 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:24 1392125844.17802 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:23 1392125843.17801 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:29:04 1392125344.17777 ********* Wait 100 ANSWERED 00:17
2014-02-11 13:29:03 1392125343.17776 ********* Wait 100 ANSWERED 06:13
2014-02-11 13:29:02 1392125342.17775 ********* Wait 100 ANSWERED 06:13
2014-02-11 13:29:01 1392125341.17774 ********* Wait 100 ANSWERED 06:15
2014-02-11 13:29:00 1392125340.17773 ********* Wait 100 ANSWERED 06:15
2014-02-11 13:28:59 1392125339.17772 ********* Wait 100 ANSWERED 00:26
2014-02-11 13:28:58 1392125338.17771 ********* Wait 100 ANSWERED 06:18
2014-02-11 13:28:57 1392125337.17770 ********* Wait 100 ANSWERED 00:29
2014-02-11 13:28:56 1392125336.17769 ********* Wait 100 ANSWERED 06:21
2014-02-11 13:28:55 1392125335.17768 ********* Wait 100 ANSWERED 06:21
2014-02-11 13:28:54 1392125334.17767 ********* Wait 100 ANSWERED 06:22
2014-02-11 13:28:53 1392125333.17766 ********* Wait 100 ANSWERED 06:24
2014-02-11 13:28:52 1392125332.17764 ********* Wait 100 ANSWERED 06:28
2014-02-11 13:28:52 1392125332.17765 ********* Wait 100 ANSWERED 00:27
2014-02-11 13:28:50 1392125330.17763 ********* Wait 100 ANSWERED 06:29
2014-02-11 13:28:49 1392125329.17762 ********* Wait 100 ANSWERED 00:25
2014-02-11 13:28:48 1392125328.17761 ********* Wait 100 ANSWERED 00:25
2014-02-11 13:28:47 1392125327.17760 ********* Wait 100 ANSWERED 06:29
2014-02-11 13:28:46 1392125326.17759 ********* Wait 100 ANSWERED 00:17
2014-02-11 13:28:45 1392125325.17758 ********* Wait 100 ANSWERED 06:31
2014-02-11 13:28:45 1392125325.17757 ********* Wait 100 ANSWERED 00:17
2014-02-11 13:28:44 1392125324.17756 ********* Wait 100 ANSWERED 00:26
2014-02-11 13:28:43 1392125323.17755 ********* Wait 100 ANSWERED 00:27
2014-02-11 13:28:42 1392125322.17754 ********* Wait 100 ANSWERED 00:26
2014-02-11 13:28:41 1392125321.17753 ********* Wait 100 ANSWERED 06:35
2014-02-11 13:26:48 1392125208.17752 ********* Wait 100 ANSWERED 08:31
2014-02-11 13:26:47 1392125207.17751 ********* Wait 100 ANSWERED 00:24
2014-02-11 13:26:46 1392125206.17750 ********* Wait 100 ANSWERED 00:24
2014-02-11 13:26:45 1392125205.17749 ********* Wait 100 ANSWERED 08:34
2014-02-11 13:26:44 1392125204.17748 ********* Wait 100 ANSWERED 00:25
2014-02-11 13:26:43 1392125203.17747 ********* Wait 100 ANSWERED 08:31
2014-02-11 13:26:42 1392125202.17746 ********* Wait 100 ANSWERED 00:24
2014-02-11 13:26:41 1392125201.17745 ********* Wait 100 ANSWERED 08:33
2014-02-11 13:26:40 1392125200.17744 ********* Wait 100 ANSWERED 00:24
2014-02-11 13:26:39 1392125199.17743 ********* Wait 100 ANSWERED 08:37
2014-02-11 13:26:38 1392125198.17742 ********* Wait 100 ANSWERED 00:24
2014-02-11 13:26:37 1392125197.17741 ********* Wait 100 ANSWERED 08:40
2014-02-11 13:26:36 1392125196.17740 ********* Wait 100 ANSWERED 08:41
2014-02-11 13:26:35 1392125195.17739 ********* Wait 100 ANSWERED 08:41
2014-02-11 13:26:34 1392125194.17738 ********* Wait 100 ANSWERED 08:43
2014-02-11 13:26:33 1392125193.17737 ********* Wait 100 ANSWERED 08:44
2014-02-11 13:26:32 1392125192.17736 ********* Wait 100 ANSWERED 08:43
2014-02-11 13:26:31 1392125191.17735 ********* Wait 100 ANSWERED 08:44
2014-02-11 13:26:30 1392125190.17734 ********* Wait 100 ANSWERED 00:24
2014-02-11 13:26:29 1392125189.17733 ********* Wait 100 ANSWERED 06:12
2014-02-11 13:26:28 1392125188.17732 ********* Wait 100 ANSWERED 08:47
2014-02-11 13:26:27 1392125187.17731 ********* Wait 100 ANSWERED 08:29
2014-02-11 13:26:26 1392125186.17730 ********* Wait 100 ANSWERED 07:02
2014-02-11 13:26:25 1392125185.17729 ********* Wait 100 ANSWERED 08:53
2014-02-11 13:26:24 1392125184.17728 ********* Wait 100 ANSWERED 08:53
2014-02-11 13:25:54 1392125154.17727 ********* Wait 100 ANSWERED 09:25
2014-02-11 13:25:23 1392125
Also in fail2ban logs I see:
[2014-02-11 13:26:54] NOTICE[24961] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:26:54] NOTICE[24961] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:02] NOTICE[24969] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:02] NOTICE[24969] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:04] NOTICE[24971] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:04] NOTICE[24971] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:06] NOTICE[24973] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:06] NOTICE[24973] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:09] NOTICE[24975] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:09] NOTICE[24975] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:10] NOTICE[24977] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:10] NOTICE[24977] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:11] NOTICE[24978] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:11] NOTICE[24978] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
Thanks for getting back to me.
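The CDR and Asterisk log lines pasted above can be triaged mechanically. The following is an added example, not code from the thread or from FreePBX: it parses lines in the pasted CDR layout, flags answered calls whose destination is not a configured extension, spots one-minute bursts of call setups, and counts calls reported by pbx_spool.c, which is Asterisk's call-file spooler, so those calls were originated from files in the outgoing spool directory rather than from a registered phone. The sample lines and the extension list {201, 202} are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of the CDR pasted in the thread:
# "date time uniqueid src app dst disposition duration" (source masked).
# The last line is deliberately truncated, like the paste, and must be skipped.
SAMPLE_CDR = """\
2014-02-11 13:37:23 1392125843.17801 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:24 1392125844.17802 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:25 1392125845.17803 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:26 1392125846.17804 ********* Wait 100 ANSWERED 00:03
2014-02-11 14:02:10 1392127330.17900 ********* Dial 201 ANSWERED 02:15
2014-02-11 13:25:23 1392125
"""

# Constructed Asterisk log lines; pbx_spool.c entries mean call-file origination.
SAMPLE_LOG = """\
[2014-02-11 13:26:54] NOTICE[24961] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:02] NOTICE[24969] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:30:00] WARNING[24980] chan_sip.c: Retransmission timeout reached on transmission
"""

CDR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<uid>\S+) (?P<src>\S+) "
    r"(?P<app>\S+) (?P<dst>\S+) (?P<disp>\S+) (?P<dur>\d{2}:\d{2})$")
SPOOL_RE = re.compile(r"pbx_spool\.c: Call completed to (?P<chan>\S+)")


def parse_cdr(text):
    """Return one dict per well-formed CDR line; partial lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = CDR_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows


def unknown_destinations(rows, valid_exts):
    """Answered calls to a destination that is not a configured extension."""
    return [r for r in rows if r["disp"] == "ANSWERED" and r["dst"] not in valid_exts]


def call_bursts(rows, threshold=3):
    """Minutes with more than `threshold` call setups (an auto-dialer signature)."""
    per_minute = Counter(r["ts"].strftime("%Y-%m-%d %H:%M") for r in rows)
    return {minute: n for minute, n in per_minute.items() if n > threshold}


def spool_originated(text):
    """Count, per dialed channel, calls that Asterisk placed from call files."""
    return Counter(m.group("chan") for m in map(SPOOL_RE.search, text.splitlines()) if m)
```

Run against a real Master.csv export the same three checks apply; a destination absent from the extension list plus a burst plus pbx_spool.c activity is the pattern to look for.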
dcitelecom
(dcitelecom)
February 12, 2014, 4:51pm
4
FTP should not be open. Also check your default inbound route to make sure it disconnects all calls unless it matches a valid extension.