Anyone know how someone can hack an Asterisk box and register with every single account on the box? This box only has 3 accounts, with very complex passwords. Have VoIP blacklist setup and fail2ban...

The hackers were able to make 2 calls to Cuba before my alerting system texted me.

I am running Asterisk 16.3 with PJSIP.

This is my only box open to the outside world, a requirement for this one customer.

Looked into my logs... can't find anything out of the ordinary.

Any ideas?

  Contact:  <Aor/ContactUri..............................>  <Hash....>  <Status>  <RTT(ms)..>
  =========================================================================================
  Contact:  12120001001/sip:12120001001@5.79.64.23:9227     ee80678930  NonQual   nan
  Contact:  848842405/sip:848842405@5.79.64.23:9227         031ed703ba  NonQual   nan
  Contact:  848842405/sip:848842405@5.79.64.23:9227         031ed703ba  NonQual   nan
  Contact:  ghbhhm0000/sip:ghbhhm0000@5.79.64.23:9227       959fc8fbf4  NonQual   nan
  Contact:  ghbhhm0000/sip:ghbhhm0000@5.79.64.23:9227       959fc8fbf4  NonQual   nan
  Contact:  ghbhhm0000/sip:ghbhhm0000@5.79.64.23:9228       d7bf838918  NonQual   nan
  Contact:  ghbhhm0000/sip:ghbhhm0000@5.79.64.23:9228       d7bf838918  NonQual   nan

Any help is much appreciated.

John Bittner
CTO
Xaccel
380 US Highway 46, Suite 500
Totowa, NJ 07512
Phone: 201.806.2602 x2405
Fax: 201.806.2604
Cell: 973.390.1090
www.xaccel.net

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information which should not be shared or forwarded. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the e-mail.
John,

I spoke about security last year at Astricon [1]. If I had to guess without even knowing what your setup is, I would say they either got in via an insecure phone (either default pass or one with a known security issue) or via a provisioning server. If you want I can help poke around your system tomorrow to see if we can figure out how they got in.

Regards,

Dovid

[1] https://www.youtube.com/watch?v=9Wzzlo1kfTQ&t=1s

On Sun, Jun 16, 2019 at 6:37 PM John T. Bittner <john at xaccel.net> wrote:
> Anyone know how someone can hack an asterisk box and register with every single account on the box.
> [...]
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Check out the new Asterisk community forum at: https://community.asterisk.org/
>
> New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Oops, that was supposed to be off list.....

On Sun, Jun 16, 2019 at 7:07 PM Dovid Bender <dovid at telecurve.com> wrote:
> John,
>
> I spoke about security last year at Astricon [1]. [...]
I took a look for that. MySQL is running but blocked in the firewall. I do have a web GUI but it hides the passwords and has a single login for admin with a complex password. Even if they hacked the web site, they have no way of getting the passwords; my configs are static in the Asterisk folder. SSH is blocked. Logs do not show any HTTP access, secure or any other fingerprints. I am going to honeypot this box to see if I can capture their INVITEs.

John
Xaccel

From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Dovid Bender
Sent: Sunday, June 16, 2019 6:59 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users at lists.digium.com>
Subject: Re: [asterisk-users] Hacking

John,

There are a lot of factors at play, for instance: are you using a GUI that has a known vuln? Is there MySQL running on the box with a simple password? Perhaps they didn't hack your PBX but they compromised a SIP phone, and once they had the credentials they made calls? Do you have a provisioning system? We have seen all of the above. Most of the compromises we are seeing these days are either via a provisioning server or phones that are accessible on the internet with weak passwords.

Regards,

Dovid

From: john at xaccel.net
Sent: June 16, 2019 18:37
To: asterisk-users at lists.digium.com
Reply-to: asterisk-users at lists.digium.com
Subject: [asterisk-users] Hacking

Anyone know how someone can hack an asterisk box and register with every single account on the box.
[...]
On Sun, Jun 16, 2019 at 3:37 PM John T. Bittner <john at xaccel.net> wrote:
> Anyone know how someone can hack an asterisk box and register with every single account on the box.
>
> This box only has 3 accounts, with very complex passwords. Have VoIP blacklist setup and fail2ban...

I've seen this happen when web-based provisioning is used. I have seen attempts to download configuration files off of my provisioning server increase in frequency over the last two years.

The 'hacker' will do a GET on /polycom /cisco /yealink /aastra /mitel etc. If they get a valid response they will start enumerating MAC addresses:

  /polycom/0004F2018101.cfg
  /polycom/0004F2018102.cfg
  ...
  /polycom/0004F2018109.cfg

Then they will use any credentials gained in the download attack to place calls, registering as needed.
Just to jump in on this, this just started happening to our system a couple of days ago. (To the tune of 3GB of webserver access logs yesterday.) Our server gives them a 403 for /yealink/ (and a 404 for everything else); given that they're still trying to brute-force it, it looks like I'm gonna be changing it to give them a 404. Looks like someone's making a big effort to find provisioning files though.

On Mon, Jun 17, 2019, 13:35 John Kiniston <johnkiniston at gmail.com> wrote:
> I've seen this happen when web-based provisioning is used. [...]
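Added example, not code from any poster in this thread: a Python detector that runs over constructed web-server access-log lines and flags clients that probe the vendor provisioning directories John Kiniston lists and then walk sequential MAC-named config files, the pattern the two replies above describe and the kind of traffic behind the 3GB of access logs. The combined log format, the MAC-named file layout and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log line: client IP, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Vendor directories named in the thread; the MAC-named file layout is an assumption.
VENDOR = r'(?:polycom|cisco|yealink|aastra|mitel)'
DIR_PROBE_RE = re.compile(r'^/' + VENDOR + r'/?$', re.I)
MAC_FILE_RE = re.compile(r'^/' + VENDOR + r'/(?:SEP)?(?P<mac>[0-9A-F]{12})\.[\w.]+$', re.I)

def analyse(lines, min_macs=5):
    """Return {ip: report} for clients that request at least min_macs distinct
    MAC-named config files; 'sequential' marks a dense range like ...8101..8109."""
    probes, macs, hits = defaultdict(int), defaultdict(set), defaultdict(int)
    for line in lines:
        rec = LOG_RE.match(line)
        if not rec:
            continue                      # not an access-log line, skip it
        ip, path = rec.group("ip"), rec.group("path")
        if DIR_PROBE_RE.match(path):
            probes[ip] += 1               # scanning for a vendor directory
        m = MAC_FILE_RE.match(path)
        if m:
            macs[ip].add(int(m.group("mac"), 16))
            if rec.group("status") == "200":
                hits[ip] += 1             # a config file was actually served
    report = {}
    for ip, seen in macs.items():
        if len(seen) < min_macs:
            continue
        span = max(seen) - min(seen) + 1  # addresses covered by the guesses
        report[ip] = {"dir_probes": probes[ip], "distinct_macs": len(seen),
                      "sequential": span <= 2 * len(seen), "config_hits": hits[ip]}
    return report

# Constructed sample log: one scanner walking 0004F20181xx, one legitimate phone.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jun/2019:13:40:01 -0400] "GET /polycom/ HTTP/1.1" 403 199 "-" "curl/7.58"
203.0.113.7 - - [17/Jun/2019:13:40:03 -0400] "GET /polycom/0004F2018101.cfg HTTP/1.1" 404 153 "-" "curl/7.58"
203.0.113.7 - - [17/Jun/2019:13:40:03 -0400] "GET /polycom/0004F2018102.cfg HTTP/1.1" 404 153 "-" "curl/7.58"
203.0.113.7 - - [17/Jun/2019:13:40:04 -0400] "GET /polycom/0004F2018103.cfg HTTP/1.1" 404 153 "-" "curl/7.58"
203.0.113.7 - - [17/Jun/2019:13:40:04 -0400] "GET /polycom/0004F2018104.cfg HTTP/1.1" 200 2048 "-" "curl/7.58"
203.0.113.7 - - [17/Jun/2019:13:40:05 -0400] "GET /polycom/0004F2018105.cfg HTTP/1.1" 404 153 "-" "curl/7.58"
198.51.100.9 - - [17/Jun/2019:13:41:10 -0400] "GET /polycom/0004F2A1B2C3.cfg HTTP/1.1" 200 2048 "-" "FileTransport"
"""

if __name__ == "__main__":
    for ip, r in analyse(SAMPLE_LOG.splitlines()).items():
        print(ip, r)                      # candidates for a fail2ban-style block
```

A non-zero config_hits on a flagged client means a config file, and likely the SIP credentials in it, was handed to the scanner, so those credentials should be treated as compromised and rotated.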