This Old Chess Nut- Hacked!

Hi, I'm using FreePBX Distro 2.11.0.11 and just got hacked. I have SSH and FTP opened as follows:

Accept	If input interface is lo		
Reject	If protocol is ICMP and ICMP type is any		
Accept	If protocol is 50		
Accept	If protocol is 51		
Accept	If protocol is UDP and destination is 224.0.0.251 and destination port is 5353		
Accept	If protocol is UDP and destination port is 631		
Accept	If protocol is TCP and destination port is 631		
Accept	If state of connection is ESTABLISHED,RELATED		
Accept	If protocol is TCP and destination port is 20022 and state of connection is NEW		
Accept	If protocol is TCP and destination port is 21 and state of connection is NEW		
Reject	Always

This is an install from rentpbx.com and the only amendment I made to the firewall was FTP.

I have “allow sip guests” and “allow anonymous inbound sip calls” both set to no as I was aware of the issues with these. All my extensions have a great secret and I have checked that the weak password detection tool passed to make sure.

I have the following in the CDR which alerted me so I could get the Trunk Disabled.

2014-02-11 13:41:08 1392126068.17830 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:40:47 1392126047.17829 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:40:27 1392126027.17828 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:40:05 1392126005.17827 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:39:29 1392125969.17826 *********** Wait 100 ANSWERED 00:04
2014-02-11 13:37:47 1392125867.17825 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:46 1392125866.17824 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:45 1392125865.17823 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:44 1392125864.17822 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:43 1392125863.17821 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:42 1392125862.17820 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:41 1392125861.17819 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:40 1392125860.17818 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:39 1392125859.17817 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:38 1392125858.17816 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:37 1392125857.17815 *********** Wait 100 ANSWERED 00:03
2014-02-11 13:37:36

Can someone kindly lend me some advice here, as I think I have ticked all the boxes for security.

What makes you think you were hacked? Looks like generic SIP traffic from the internet probing your machine.

There were calls completed with an extension that doesn’t exist; 100.

My CDR above wasn't complete; the one below shows successful calls:
2014-02-11 13:41:08 1392126068.17830 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:40:47 1392126047.17829 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:40:27 1392126027.17828 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:40:05 1392126005.17827 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:39:29 1392125969.17826 ********* Wait 100 ANSWERED 00:04
2014-02-11 13:37:47 1392125867.17825 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:46 1392125866.17824 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:45 1392125865.17823 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:44 1392125864.17822 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:43 1392125863.17821 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:42 1392125862.17820 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:41 1392125861.17819 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:40 1392125860.17818 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:39 1392125859.17817 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:38 1392125858.17816 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:37 1392125857.17815 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:36 1392125856.17814 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:35 1392125855.17813 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:34 1392125854.17812 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:33 1392125853.17811 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:32 1392125852.17810 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:31 1392125851.17809 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:30 1392125850.17808 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:29 1392125849.17807 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:28 1392125848.17806 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:27 1392125847.17805 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:26 1392125846.17804 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:25 1392125845.17803 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:24 1392125844.17802 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:37:23 1392125843.17801 ********* Wait 100 ANSWERED 00:03
2014-02-11 13:29:04 1392125344.17777 ********* Wait 100 ANSWERED 00:17
2014-02-11 13:29:03 1392125343.17776 ********* Wait 100 ANSWERED 06:13
2014-02-11 13:29:02 1392125342.17775 ********* Wait 100 ANSWERED 06:13
2014-02-11 13:29:01 1392125341.17774 ********* Wait 100 ANSWERED 06:15
2014-02-11 13:29:00 1392125340.17773 ********* Wait 100 ANSWERED 06:15
2014-02-11 13:28:59 1392125339.17772 ********* Wait 100 ANSWERED 00:26
2014-02-11 13:28:58 1392125338.17771 ********* Wait 100 ANSWERED 06:18
2014-02-11 13:28:57 1392125337.17770 ********* Wait 100 ANSWERED 00:29
2014-02-11 13:28:56 1392125336.17769 ********* Wait 100 ANSWERED 06:21
2014-02-11 13:28:55 1392125335.17768 ********* Wait 100 ANSWERED 06:21
2014-02-11 13:28:54 1392125334.17767 ********* Wait 100 ANSWERED 06:22
2014-02-11 13:28:53 1392125333.17766 ********* Wait 100 ANSWERED 06:24
2014-02-11 13:28:52 1392125332.17764 ********* Wait 100 ANSWERED 06:28
2014-02-11 13:28:52 1392125332.17765 ********* Wait 100 ANSWERED 00:27
2014-02-11 13:28:50 1392125330.17763 ********* Wait 100 ANSWERED 06:29
2014-02-11 13:28:49 1392125329.17762 ********* Wait 100 ANSWERED 00:25
2014-02-11 13:28:48 1392125328.17761 ********* Wait 100 ANSWERED 00:25
2014-02-11 13:28:47 1392125327.17760 ********* Wait 100 ANSWERED 06:29
2014-02-11 13:28:46 1392125326.17759 ********* Wait 100 ANSWERED 00:17
2014-02-11 13:28:45 1392125325.17758 ********* Wait 100 ANSWERED 06:31
2014-02-11 13:28:45 1392125325.17757 ********* Wait 100 ANSWERED 00:17
2014-02-11 13:28:44 1392125324.17756 ********* Wait 100 ANSWERED 00:26
2014-02-11 13:28:43 1392125323.17755 ********* Wait 100 ANSWERED 00:27
2014-02-11 13:28:42 1392125322.17754 ********* Wait 100 ANSWERED 00:26
2014-02-11 13:28:41 1392125321.17753 ********* Wait 100 ANSWERED 06:35
2014-02-11 13:26:48 1392125208.17752 ********* Wait 100 ANSWERED 08:31
2014-02-11 13:26:47 1392125207.17751 ********* Wait 100 ANSWERED 00:24
2014-02-11 13:26:46 1392125206.17750 ********* Wait 100 ANSWERED 00:24
2014-02-11 13:26:45 1392125205.17749 ********* Wait 100 ANSWERED 08:34
2014-02-11 13:26:44 1392125204.17748 ********* Wait 100 ANSWERED 00:25
2014-02-11 13:26:43 1392125203.17747 ********* Wait 100 ANSWERED 08:31
2014-02-11 13:26:42 1392125202.17746 ********* Wait 100 ANSWERED 00:24
2014-02-11 13:26:41 1392125201.17745 ********* Wait 100 ANSWERED 08:33
2014-02-11 13:26:40 1392125200.17744 ********* Wait 100 ANSWERED 00:24
2014-02-11 13:26:39 1392125199.17743 ********* Wait 100 ANSWERED 08:37
2014-02-11 13:26:38 1392125198.17742 ********* Wait 100 ANSWERED 00:24
2014-02-11 13:26:37 1392125197.17741 ********* Wait 100 ANSWERED 08:40
2014-02-11 13:26:36 1392125196.17740 ********* Wait 100 ANSWERED 08:41
2014-02-11 13:26:35 1392125195.17739 ********* Wait 100 ANSWERED 08:41
2014-02-11 13:26:34 1392125194.17738 ********* Wait 100 ANSWERED 08:43
2014-02-11 13:26:33 1392125193.17737 ********* Wait 100 ANSWERED 08:44
2014-02-11 13:26:32 1392125192.17736 ********* Wait 100 ANSWERED 08:43
2014-02-11 13:26:31 1392125191.17735 ********* Wait 100 ANSWERED 08:44
2014-02-11 13:26:30 1392125190.17734 ********* Wait 100 ANSWERED 00:24
2014-02-11 13:26:29 1392125189.17733 ********* Wait 100 ANSWERED 06:12
2014-02-11 13:26:28 1392125188.17732 ********* Wait 100 ANSWERED 08:47
2014-02-11 13:26:27 1392125187.17731 ********* Wait 100 ANSWERED 08:29
2014-02-11 13:26:26 1392125186.17730 ********* Wait 100 ANSWERED 07:02
2014-02-11 13:26:25 1392125185.17729 ********* Wait 100 ANSWERED 08:53
2014-02-11 13:26:24 1392125184.17728 ********* Wait 100 ANSWERED 08:53
2014-02-11 13:25:54 1392125154.17727 ********* Wait 100 ANSWERED 09:25
2014-02-11 13:25:23 1392125

Also in fail2ban logs I see:
[2014-02-11 13:26:54] NOTICE[24961] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:26:54] NOTICE[24961] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:02] NOTICE[24969] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:02] NOTICE[24969] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:04] NOTICE[24971] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:04] NOTICE[24971] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:06] NOTICE[24973] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:06] NOTICE[24973] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:09] NOTICE[24975] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:09] NOTICE[24975] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:10] NOTICE[24977] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:10] NOTICE[24977] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:11] NOTICE[24978] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185
[2014-02-11 13:27:11] NOTICE[24978] pbx_spool.c: Call completed to SIP/Main-SIP/0038765412185

Thanks for getting back to me.

FTP should not be open. Also check your default inbound route to make sure it disconnects all calls unless it matches a valid extension.
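The `pbx_spool.c` notices quoted earlier in the thread are written by Asterisk's call-file spooler, so a run of them to a single number in a short time is worth alerting on. The following is an added example, not from any poster in this thread: it parses that log line format and flags bursts per destination. The sample lines, trunk name, numbers, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line shape taken from the log excerpt in the thread:
# [2014-02-11 13:27:02] NOTICE[24969] pbx_spool.c: Call completed to SIP/<trunk>/<number>
SPOOL_RE = re.compile(
    r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[(\d+)\] "
    r"pbx_spool\.c: Call completed to (\S+)$"
)

def parse_spool_calls(lines):
    """Return sorted (timestamp, destination) pairs, one per spooled call.

    The excerpt shows every completion logged twice with the same thread id,
    so exact (time, thread id, destination) repeats are counted once.
    """
    seen = set()
    for line in lines:
        m = SPOOL_RE.match(line.strip())
        if m:
            seen.add((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                      m.group(2), m.group(3)))
    return sorted((ts, dest) for ts, _tid, dest in seen)

def find_bursts(calls, window=timedelta(seconds=60), threshold=5):
    """Map destination -> peak call count inside any sliding window,
    for destinations whose peak reaches the threshold."""
    by_dest = defaultdict(list)
    for ts, dest in calls:
        by_dest[dest].append(ts)
    alerts = {}
    for dest, stamps in by_dest.items():
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1  # drop calls that fell out of the window
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[dest] = peak
    return alerts

# Constructed sample (placeholder trunk and numbers, not the thread's data):
# six calls to one number, each logged twice, plus noise and one other call.
SAMPLE = [
    "[2014-02-11 13:27:%02d] NOTICE[%d] pbx_spool.c: Call completed to "
    "SIP/Trunk-A/0015550100" % (s, 3000 + s)
    for s in (2, 4, 6, 9, 10, 11) for _ in range(2)
] + ["[2014-02-11 13:27:05] VERBOSE[3004] pbx.c: unrelated line",
     "[2014-02-11 13:40:00] NOTICE[3050] pbx_spool.c: Call completed to "
     "SIP/Trunk-A/0015550199"]

if __name__ == "__main__":
    print(find_bursts(parse_spool_calls(SAMPLE)))
```

On a system where nothing legitimately generates call files, a threshold of 1 is reasonable: any `pbx_spool.c` completion is then unexpected.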