Urgent Help Needed

Like an idiot I left my system with the default usernames and passwords while working out bugs and testing…

Anyway… FreePBX 2.9.0.7 Asterisk 1.6.2.17.3.

This morning I noticed some calls originating from my PBX; these calls went to what sounds like a modem on free-call numbers.

These calls originated from a phone/extension I have in my garage (ext 106) but have no source number listed in the Call Detail Reports within the Reports tab, so I am guessing someone from the outside got into my system and tried to make some calls to either hack a bank system or worse.

Now I went into the Advanced Settings tab and changed the FOP password and the User Portal admin username and password. Is there something else I should change? Any other help you can give me to secure this system down tight and stop this from happening?

I have looked around on here for help with this but I am finding so much conflicting data on version do's and don'ts that it is confusing. Right now I am searching on the "Default Asterisk Manager Password Used" issue, but I thought I already changed that!

If a dev sees this, please make it easier to change all this in one hit rather than going here and looking for this and going there and changing that…

Anyway, I am kind of nervous about this and I do not want to take my machine offline for a long period, but I feel I might have to if I can't close the hole.

One other thing I also did was go to Trunks and change CID Options to Block Foreign CIDs, hoping this will stop any non-valid CIDs from entering my system.

Any other ideas?

OK, the simple question is: how did you get that version and not create fresh passwords from the install?

Are you sure the box was only breached from a SIP perspective and not that someone logged into the box via SSH?
You can run last -a to see if that's possibly what happened.

You can fish through the files and reset passwords and make a checklist of everything you need to reset, but depending on the answer to my first question I would say this:

Install from scratch (after backing up all your settings), do a restore, then confirm everything is using your new passwords; if not, change them, and now you have a box which hasn't been compromised and works.

Hope that helps.

I did an install from a distro I got off of this site and did some yum updates and got to this version.
I guess I did not even think anyone would be able to get access to the server, as I do not have any ports to the server open but the standard ports for SIP on my router.
Stupid, I know, and I should have done it from the start, but I wanted to make sure everything was fine and dandy before I made too many changes.
All passwords are changed now and working OK; I shall run the command above to see what has happened.
I am still a bit of a Linux noob and also a FreePBX noob, but I am learning so much in the process.
Thanks for your reply…

SSH is clear too, so I presume it was a SIP intrusion. How would they know unless they run a port scan on my IP address?

They port scan for everything. Depending on what that hacker wants, let's say simply to try to steal SIP access, they scan for SIP; once they find that, they hit the box with standard passwords for users, then dictionary attacks until they find a working user ID and password. After that they start the calls.

There are pros and there are rookies: a rookie may make a few calls, but a pro will have you making hundreds of calls at once.

Interestingly, your fail2ban from this distro should have stopped them, but if they guessed the password on the first try it wouldn't have caught it.
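The two points made in this reply, that fail2ban catches a dictionary attack by counting failed SIP registrations per source, and that a first-try guess leaves no failures to count, can be checked directly against the Asterisk log. The following script is an added example, not code from the thread or from FreePBX/fail2ban. It assumes the chan_sip message formats of Asterisk 1.6/1.8 ("Registration from ... failed for 'IP' - reason" and "Registered SIP 'peer' at IP port N"), uses fail2ban's default maxretry of 5 within findtime of 600 seconds, and runs over constructed log lines (the addresses are documentation ranges, not real hosts). The trusted-prefix list used to spot a successful registration from outside the LAN is an assumption for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the format Asterisk 1.6/1.8 writes to /var/log/asterisk/full.
# 198.51.100.7 hammers ext 106 (dictionary attack); 192.0.2.55 is the LAN phone with one
# typo then a good registration; 203.0.113.9 fails once, then registers (a first-try guess).
SAMPLE_LOG = """\
[Mar 18 09:12:01] NOTICE[2241] chan_sip.c: Registration from '"106" <sip:106@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Mar 18 09:12:01] NOTICE[2241] chan_sip.c: Registration from '"106" <sip:106@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Mar 18 09:12:02] NOTICE[2241] chan_sip.c: Registration from '"106" <sip:106@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Mar 18 09:12:02] NOTICE[2241] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Mar 18 09:12:03] NOTICE[2241] chan_sip.c: Registration from '"106" <sip:106@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Mar 18 09:12:05] NOTICE[2241] chan_sip.c: Registration from '"106" <sip:106@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Mar 18 09:30:40] NOTICE[2241] chan_sip.c: Registration from '"106" <sip:106@192.0.2.10>' failed for '192.0.2.55' - Wrong password
[Mar 18 09:31:12] VERBOSE[2241] chan_sip.c:     -- Registered SIP '106' at 192.0.2.55 port 5060
[Mar 18 11:00:00] NOTICE[2241] chan_sip.c: Registration from '"106" <sip:106@192.0.2.10>' failed for '203.0.113.9' - Wrong password
[Mar 18 11:00:04] VERBOSE[2241] chan_sip.c:     -- Registered SIP '106' at 203.0.113.9 port 5060
"""

# Failed registration: the same pattern fail2ban's asterisk filter keys on (assumed format).
FAIL_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.*)$"
)
# Successful registration; 1.6 prints "at IP port N", 1.8 prints "at IP:N" (assumed formats).
REG_RE = re.compile(
    r"Registered SIP '(?P<peer>[^']+)' at (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port |:)(?P<port>\d+)"
)
TS_FMT = "%b %d %H:%M:%S"


def parse_failures(text):
    """Yield (timestamp, source ip, reason) for every failed SIP registration line."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), TS_FMT), m.group("ip"), m.group("reason")


def failure_counts(text):
    """Total failed registrations per source IP."""
    counts = defaultdict(int)
    for _ts, ip, _reason in parse_failures(text):
        counts[ip] += 1
    return dict(counts)


def find_offenders(text, maxretry=5, findtime=600):
    """fail2ban-style sliding window: a source that fails maxretry times within findtime
    seconds is reported with the timestamp at which it crossed the threshold."""
    windows = defaultdict(deque)
    banned = {}
    for ts, ip, _reason in parse_failures(text):
        if ip in banned:
            continue
        q = windows[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()                      # drop failures older than the window
        if len(q) >= maxretry:
            banned[ip] = ts.strftime(TS_FMT)
    return banned


def registrations(text):
    """(peer, ip) for every successful registration, in log order."""
    return [(m.group("peer"), m.group("ip")) for m in map(REG_RE.search, text.splitlines()) if m]


def unexpected_registrations(text, trusted_prefixes=("192.0.2.",)):
    """Successful registrations from outside the trusted LAN ranges (assumed prefixes).
    This is what surfaces the password guessed on the first try: no ban, but the peer
    is suddenly registered from an address it never used before."""
    return [(peer, ip) for peer, ip in registrations(text)
            if not ip.startswith(trusted_prefixes)]


if __name__ == "__main__":
    print("failures per source:", failure_counts(SAMPLE_LOG))
    print("would be banned:", find_offenders(SAMPLE_LOG))
    print("registered from outside the LAN:", unexpected_registrations(SAMPLE_LOG))
```

Run against the sample, the dictionary attacker is reported after its fifth failure at 09:12:03, while 203.0.113.9 never reaches the threshold and only shows up in the second check, which is the gap the reply describes: a ban list built from failures alone is blind to a correct first guess, so a review of where each extension is actually registered from is the complementary check.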

OK, to clear this up because I'm confused: you downloaded the ISO image, ran that, and it downloaded the rest and started the process, right?

After that you should have received a screen asking for 4 passwords. What did you type there? That should have been something unique; there is no way for it to be the "default" password.

Developers, help me out here, but this makes no sense, right?

I don't think he loaded the distro, as he states Asterisk 1.6 and the distro loads 1.8.

Did you install CentOS and download the tar package?

I downloaded and installed the distro; from what I can recall it only gave me the option to change or set up a password for the root user, which is not an easy password for anyone to guess or hack, as it is upper and lower case letters with numbers.
The standard admin user I changed, but the amportal passwords with the standard amp111 were still in the system, and the FOP, not that it's important, was left unchanged.
Now they are all changed; I am just confused how someone could get in, and the weird thing is my last name was in the Reports as the CLID… But that is not my CLID, as it contains my last, first and phone number depending on the DID I am using. Blank source and short connection times, and both to modems.
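The pattern this post describes in the Call Detail Reports (blank source, a CLID that is not the one configured, short answered calls to outside numbers at odd hours) can be pulled out of Asterisk's CDR file automatically rather than by eyeballing the Reports tab. The script below is an added example, not code from the thread or from FreePBX. It assumes the column order of Asterisk's cdr_csv Master.csv, treats any dialled number longer than three digits as an outside call and 22:00 to 06:00 as off-hours (both assumptions for the example), and runs over constructed rows modelled on the thread's description.

```python
import csv
import io
from datetime import datetime

# Column order of Asterisk's Master.csv as written by cdr_csv (assumed; 1.6 without userfield).
FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
          "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
          "disposition", "amaflags", "uniqueid"]

# Constructed sample: two ordinary calls from ext 106 and two that match the thread's
# fraud pattern (blank src, CLID with the name but no number, 3 a.m., answered for seconds).
SAMPLE_CDR = '''\
"","106","5551234","from-internal","""Jones, Bob"" <5550106>","SIP/106-00000010","SIP/trunk1-00000011","Dial","SIP/trunk1/5551234,300,tr","2011-03-17 14:02:11","2011-03-17 14:02:19","2011-03-17 14:10:45","514","506","ANSWERED","3","1300370531.16"
"","","0800555100","from-internal","""Jones"" <>","SIP/106-00000020","SIP/trunk1-00000021","Dial","SIP/trunk1/0800555100,300,tr","2011-03-18 03:14:22","2011-03-18 03:14:30","2011-03-18 03:14:41","19","11","ANSWERED","3","1300418062.32"
"","","0800555101","from-internal","""Jones"" <>","SIP/106-00000022","SIP/trunk1-00000023","Dial","SIP/trunk1/0800555101,300,tr","2011-03-18 03:15:02","2011-03-18 03:15:09","2011-03-18 03:15:17","15","8","ANSWERED","3","1300418102.34"
"","106","107","from-internal","""Jones, Bob"" <5550106>","SIP/106-00000030","SIP/107-00000031","Dial","SIP/107,20,tr","2011-03-18 09:40:00","2011-03-18 09:40:03","2011-03-18 09:41:30","90","87","ANSWERED","3","1300441200.48"
'''


def parse_cdr(text):
    """Parse Master.csv text into a list of dicts keyed by FIELDS; rows with an unexpected
    column count (e.g. a partially written line) are skipped rather than misaligned."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) == len(FIELDS):
            rows.append(dict(zip(FIELDS, rec)))
    return rows


def is_external(dst):
    """Assumption for the example: internal extensions are three digits, anything longer
    left the box via a trunk."""
    return dst.isdigit() and len(dst) > 3


def flag_call(row, night=(22, 6), max_billsec=30):
    """Return the list of reasons a CDR row looks like the toll-fraud pattern in the thread:
    no source extension, outbound outside working hours, or an answered outbound call that
    lasted only seconds (the 'modem' calls). An empty list means nothing stood out."""
    reasons = []
    if row["src"] == "":
        reasons.append("blank source")
    if is_external(row["dst"]):
        hour = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S").hour
        if hour >= night[0] or hour < night[1]:
            reasons.append("off-hours outbound")
        if row["disposition"] == "ANSWERED" and int(row["billsec"]) <= max_billsec:
            reasons.append("short answered outbound")
    return reasons


def suspicious_calls(text, **thresholds):
    """Map uniqueid -> reasons for every flagged row in the CDR text."""
    flagged = {}
    for row in parse_cdr(text):
        reasons = flag_call(row, **thresholds)
        if reasons:
            flagged[row["uniqueid"]] = reasons
    return flagged


if __name__ == "__main__":
    for uid, why in suspicious_calls(SAMPLE_CDR).items():
        print(uid, "->", ", ".join(why))
```

Pointed at a real /var/log/asterisk/cdr-csv/Master.csv instead of the sample, the same three checks give a short list to review after a password change, and the blank-source test in particular matches exactly what this post saw in the Reports tab.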

It was off a distro that I have had for about 4 or 5 months. If I knew how to get the info off of the distro… hold on, let me boot from it…

The distro I have loads:
Option 1: Asterisk 1.6 and FreePBX
Option 2: Asterisk 1.4 and FreePBX
Option 3: Asterisk 1.6 and asterisk-gui
Option 4: Asterisk 1.4 and asterisk-gui
Option 5: Asterisk 1.6 only
Option 6: Asterisk 1.4 only

I stayed with the 1.6 version, as 1.8 or the later version does not like my Cisco 7960s.

In the future use this link: http://www.freepbx.org/freepbx-distro
Use the orange button version… that is the best way to install and secure the box before you even finish the install.

This version also has built-in security features to prevent brute-force attacks.

Also never use simple passwords for the extensions…

Thanks, some useful information. I may just go ahead and install the latest version and hope I can get my Ciscos working on it…
I will also change the extension passwords, as they are easy. Stupid, stupid. Learn as we go.

Looks like you started with AsteriskNow and upgraded to the latest FreePBX with the module admin.

That would certainly leave you in the situation you face.

Maybe this is a bit confusing: FreePBX just rolled out a distro and it is just called "distro".

What you loaded is AsteriskNow, produced by Digium. They happen to include the FreePBX software; other than that there is no association with FreePBX.

I think people are forgetting that FreePBX is not a stand-alone phone system. It has many dependencies.

With the production of our own distro this is now about as clear as mud.

Right now I am trying to install the 1.8 distro that installs from the net. I keep getting errors with it, so I may have to go back to 1.6.

Yep, something must be wrong with this distro! It complains about dahdi that I asked for? I did not ask for anything, so I tell it to continue and it craps out with "There was an error with your transaction, for the following reason: File Conflicts."

How do you get a file conflict on an automated install from scratch?

http://www.freepbx.org/forum/freepbx-distro/distro-discussion-help/tdm800p-echo-cancellation-not-detected

Yes everything has been fixed for a few hours now. Sorry about that.

No worries. Wow, I can tell you that is the easiest install I have ever done. But there is an issue I did notice someone mention earlier in a post about this new distro.
When the install is complete, if you do not clear your cookies and cache you will not see the screen to change your passwords. I had to use my Motorola Xoom and add a new browser to it to even see the screen; then I was like OHH, no wonder I could not log into it, as it just kept taking me to the default admin panel and then was asking me to log in, but of course no passwords were in the system.
Now it sports a brand new front end and looks good. Nice work, guys… very nice work.
Everything is working almost off the bat: got all my trunks in, DIDs in, phones set up including my Cisco 7960s; all that is left for me to do is set up my IVRs and forward options to cell phones and I am done!
So pleased I was encouraged to make the upgrade. Thank you all for your endless help yet again; this is one great community I am proud to be a part of.