VoIP Hijack

Don’t really know where to post this topic. It is serious. I for sure don’t know if the vulnerability lies within the Asterisk system or FreePBX; I need some clarification here. This is my story: I am not a programmer but just an integrator.
I became a victim of VoIP hijack by unscrupulous humans that used my trunks to generate calls to certain area codes in the USA (313). I thought I should share this with the community. So as you are deploying your VoIP platform you need to take all the necessary measures in ensuring that your servers are secured. I am using FreePBX 2.5.1 in a production environment. Fortunately for me, I got a call from a gentleman that is already aware of the vulnerability that VoIP platforms have, to tell me that my server had been hijacked and I should stop asking people for credit card numbers. Hmmmmm, innocent that I was, it left me stunned. I started arguing with him that it couldn’t have been my servers, so I was curious to know how in God’s name someone can hijack my EXTENSIONS to use them to launch calls through my trunks to several hundreds of people within a certain period. I decided to investigate.

sip show peers … I found that my extensions were hijacked, bearing an external IP address that could be camouflaged. Tracing it would be a waste of time. From the little I know, I think your extensions should have your local IP address, e.g. 192.168.XXX.XXX or 10.XX.XX.XX, blablabla.

Steps I took:

I immediately disabled the trunk… with that you could see the calls being launched in the CLI, and your server will return “all circuits are busy now”.

Then I reconfigured my router, allowing only what was needed for media and signalling to go through.
Ports: 5060-5061 and 10001-20000, all UDP

At this time, amportal restart will not help.

The best option is to reboot your router and wait for your extensions to re-register, and I think you are good for the moment.

I monitored the server for 2 hrs with tail -f /var/log/asterisk/full, thinking the steps I took would help.

Wondering where and how the attack was made… it would really shed some light on this for us… need help.

You have several options to secure your system; more than likely your SIP secrets were too weak. If your machine is open to the internet you must use very strong SIP secrets in the extensions.

There are also scripts to use fail2ban with Asterisk. This program will automatically make an iptables entry to block the IP address of any host who attempts to register with three failed attempts.

The hacking software that was most likely used quickly enumerates the extensions then begins a brute force attack on the secrets.
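As an added illustration of the fail2ban-style logic described in this reply (not code from the post or from fail2ban itself): a Python script that scans Asterisk full-log lines for failed REGISTER attempts, counts them per source IP and reports every source at or over the three-failure limit together with the iptables rule a ban would insert. The log lines are constructed samples; the run of "No matching peer found" failures against successive extensions is the enumeration pattern the reply refers to.

```python
import re
from collections import Counter

# Matches chan_sip failed-registration NOTICE lines; the port after the IP
# is optional because some Asterisk versions log it and some do not.
FAILED_REG = re.compile(
    r"NOTICE\[\d+\] chan_sip\.c: Registration from '(?P<peer>[^']*)' "
    r"failed for '(?P<ip>\d+\.\d+\.\d+\.\d+)(?::\d+)?' - (?P<reason>.+)$"
)

# Constructed sample of /var/log/asterisk/full, not a real capture.
SAMPLE_LOG = """\
[2010-03-01 10:15:01] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2010-03-01 10:15:01] NOTICE[2345] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2010-03-01 10:15:02] NOTICE[2345] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2010-03-01 10:15:02] NOTICE[2345] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2010-03-01 10:16:40] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '192.168.1.55' - Wrong password
[2010-03-01 10:16:41] VERBOSE[2345] logger.c:     -- Registered SIP '200' at 192.168.1.55 port 5060
"""

def parse_failures(log_text):
    """Return one (ip, peer, reason) tuple per failed-registration line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if m:
            out.append((m.group("ip"), m.group("peer"), m.group("reason")))
    return out

def offenders(log_text, threshold=3):
    """Source IPs with at least `threshold` failures, mapped to their count.
    Three is the limit the reply gives for the fail2ban Asterisk scripts."""
    counts = Counter(ip for ip, _, _ in parse_failures(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}

def iptables_rule(ip):
    """The kind of rule fail2ban inserts for a banned source address."""
    return "iptables -I INPUT -s %s -j DROP" % ip

if __name__ == "__main__":
    for ip, n in sorted(offenders(SAMPLE_LOG).items()):
        print("%s: %d failed registrations -> %s" % (ip, n, iptables_rule(ip)))
```

A single typo from the LAN phone (192.168.1.55) stays under the threshold, while the external source that hammered four extensions in two seconds is the one reported.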

SkykingOH probably hit the nail on the head, however, your question leads me to wonder a few other things.

You mentioned “think your extensions should have your local IP address.”…
Do you have any remote users? If so, this wouldn’t be true.

If you do not, do you allow anonymous calls in via a SIP URL? If you do, and you have your inbound trunks incorrectly set up (like in this “I hope you didn’t” example), it could be you are sending anonymous SIP calls to a DISA extension, which would be bad for obvious reasons… only saying this to illustrate that the problem could have nothing to do with passwords, and everything to do with implementation.

If you do not have, or do not intend to do, either of the above, then the best course of action would be to firewall those ports (5060 for SIP, and any other web-enabled ports, such as admin interfaces, or SCCP ports if you use it, WEBMIN especially, etc.) from ANYWHERE except your SIP provider and your internal network. That would eliminate this issue.

Note: At this time, I would be sure you have the web interface BLOCKED from anywhere except your LAN, change ALL of your passwords, including asterisk/mysql/managers, etc., and verify you have (or change) your SIP passwords to something strong, as SkykingOH probably hit it square on the nose with it being a bad-password type of connection, but it could be in your FreePBX interface if you did not secure it correctly.
Oh, and you probably should change your root and SSH passwords to be more secure as well at this point, just to be safe.
One more thing to check is that there aren’t a few dummy extensions set up in your system now that weren’t there before… if they have a valid password and account that you don’t recognize, even if you change everyone else’s password to a secure one, they would still be able to use your PBX.

Fault should never be on the software; if the user uses a password of “1234” or “4321” or “god” or something simple to hack in mere seconds, the problem would be in implementation and security policies.

Anyway, just wanted to bring those points up to hopefully lead you down the road of having a more secure environment while you are resolving the issue you are having.

Will implement your recommendations.
I allowed anonymous calls, and my extension secrets were just the same as the extension numbers.

Thanks for the tips

I have an Asterisk 1.6 system with FreePBX 2.5 on top. I have 2 Grandstream 286 ATAs (one for a home cordless phone and one for a fax machine), as well as a snom300 for my SOHO. I had not been aware of the security concern, and while I did not have the extension as the password (as the OP did), it was a short password, so I’ve changed all 3 SIP secrets to be much longer. I also think I want to install fail2ban too (not just for the VoIP aspect).

Extension secrets should ALWAYS be some ungodly random string of crap, not a number, common word or pattern. The only person who ever normally enters them is the admin for the system and they need to do it twice. Once at the system when creating the extension and the second time when configuring the extension. The 5 extra seconds of time to do it right saves a ton of time and money down the road.

The SIP port should only be opened to the world if and when needed, securing it with proper firewall rules if at all possible, i.e. don’t allow ANY when all you really need is to allow a specific IP or range.

It is also possible to restrict valid connections via permit, deny, and mask. It’s been an issue and known since the 2004 AstriCon gathering. Go here: http://www.asteriskguru.com/downloads/asterisk_stability_and_security.ppt and start by taking a look at slide 40 and past that. It gives you guidelines on what to do and how to lock things down.
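An added example (not from the thread or from the Asterisk project) that audits a sip.conf / FreePBX sip_additional.conf-style file for the three weaknesses this thread turns on: secrets that equal the extension number or are too short, peers without a deny/permit source-address restriction as recommended just above, and allowguest=yes, the chan_sip setting behind FreePBX’s anonymous inbound SIP calls discussed earlier. The sample config and the 12-character minimum are assumptions; the 0.0.0.0/0.0.0.0 deny followed by a LAN permit is the standard Asterisk ACL idiom.

```python
import re

# Constructed sample in sip.conf / FreePBX sip_additional.conf style.
SAMPLE_SIP_CONF = """\
[general]
allowguest=yes              ; FreePBX "Allow Anonymous Inbound SIP Calls"
[100]
type=friend
secret=100                  ; secret equals the extension number
[102]
type=friend
secret=Zq7!vR2#mK9pL4xT
deny=0.0.0.0/0.0.0.0        ; deny everything, then permit the LAN only
permit=192.168.1.0/255.255.255.0
"""

def parse_asterisk_conf(text):
    """Asterisk-style config -> {section: [(key, value), ...]}; duplicate keys
    are kept because deny/permit lines may legitimately repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        head = re.match(r"\[([^\]]+)\]", line)
        kv = re.match(r"([^=]+?)\s*=>?\s*(.*)$", line)  # "k=v" or "k => v"
        if head:
            current = head.group(1)
            sections.setdefault(current, [])
        elif kv and current is not None:
            sections[current].append((kv.group(1), kv.group(2)))
    return sections

def audit_sip_conf(text, min_len=12):
    """Return (section, finding) pairs for guest calls, weak secrets and peers
    without deny/permit; min_len is an assumed policy value, not from the post."""
    conf = parse_asterisk_conf(text)
    findings = []
    if ("allowguest", "yes") in conf.get("general", []):
        findings.append(("general", "allowguest=yes accepts anonymous SIP calls"))
    for name, items in conf.items():
        kv = dict(items)
        if kv.get("type") not in ("friend", "peer", "user") or "secret" not in kv:
            continue
        if kv["secret"] == name or kv["secret"].isdigit():
            findings.append((name, "secret is the extension number or all digits"))
        if len(kv["secret"]) < min_len:
            findings.append((name, "secret shorter than %d characters" % min_len))
        if not {"deny", "permit"} <= set(kv):
            findings.append((name, "no deny/permit source-address restriction"))
    return findings
```

Extension 100 trips all three peer checks while 102, with a long random secret and a LAN-only ACL, produces no finding.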

This page covers the installation and use of fail2ban on Asterisk boxes running under CentOS/Redhat or Debian/Ubuntu:

Why can’t you use yum to install fail2ban under CentOS/Redhat? You can if you want to, see:

All the above are well-advised suggestions.
I can tell you from my own painful experience, see discussion of this topic here

In my case, I only had port 5060 open via the router, and yes, the pirates used my system for something similar to what they did to yours.
My solution was to close port 5060 at the router and change passwords internally.