Someone has hacked into our system and is making calls overseas. How can I:

1. Find out where the calls are originating from?
2. Block all calls that are not authorized?

Our system is in the USA. Only calls from inside our LAN are allowed.

Thank you,
Gary Kuznitz
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Gary Kuznitz
Sent: Monday, November 22, 2010 10:23 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] Someone has hacked into our system

For #1, start with the CDR. You know that X is calling an overseas number. Determine who X is (or is supposed to be).

For #2 (and the rest of #1), restrict your dialing access to a known set of IPs. If you have 5 phones (softphones or actual handsets), block everything that doesn't start with those 5 IP addresses.

The first thing I would do is to change all of your passwords in sip.conf and do a sip reload. That will slow down or temporarily stop the hacker.
Thank you very much for help in finding the log. I have the log now. I'd like to know what to look for in trying to figure out how the calls are getting originated. I'd be happy to share all the information. I just don't want to post information on this public list that might show other people how to get in to our box.

Thank you,
Gary Kuznitz

On 22 Nov 2010 at 13:11, Danny (Danny Nicholas <danny at debsinc.com>) commented about RE: [asterisk-users] Someone has hacked into our:

> From: Gary Kuznitz [mailto:docfxit at theoffice.la]
> Sent: Monday, November 22, 2010 12:20 PM
> To: Danny Nicholas
> Subject: Re: [asterisk-users] Someone has hacked into our system
>
> Thank you for the quick response. Comments below...
>
> I am not familiar with navigating Asterisk. Would you please help me understand how to see the CDR?
>
> Thank you,
> Gary Kuznitz
>
> By default, Asterisk keeps the CDR as a "flat-file" in /var/log/asterisk/cdr-csv/Master.csv which you can open in Excel for easy viewing. If you have a custom cdr (see /etc/asterisk/cdr.conf or /etc/asterisk/cdr_custom.conf for more information), your CDR might be stored in a MySQL table or some other place. I would start under the assumption that you have the flat file available. Once you have it open, use this link as a guide: http://www.voip-info.org/wiki/view/Asterisk+cdr+csv
>
> Fields
> * accountcode: What account number to use: Asterisk billing account (string, 20 characters)
> * src: Caller*ID number (string, 80 characters)
> * dst: Destination extension (string, 80 characters)
> * dcontext: Destination context (string, 80 characters)
> * clid: Caller*ID with text (80 characters)
> * channel: Channel used (80 characters)
> * dstchannel: Destination channel if appropriate (80 characters)
> * lastapp: Last application if appropriate (80 characters)
> * lastdata: Last application data (arguments) (80 characters)
> * start: Start of call (date/time)
> * answer: Answer of call (date/time)
> * end: End of call (date/time)
> * duration: Total time in system, in seconds (integer)
> * billsec: Total time call is up, in seconds (integer)
> * disposition: What happened to the call: ANSWERED, NO ANSWER, BUSY, FAILED
> * amaflags: What flags to use: see amaflags::DOCUMENTATION, BILL, IGNORE etc., specified on a per channel basis like accountcode.
>
> You will want to see if there are any "peculiar" src fields on your international calls (dst).
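Danny's two replies above say to start with the CDR and look for "peculiar" src fields on international dst entries. The script below is an added example (not Danny's or the Asterisk project's code) that reads the stock Master.csv layout he listed and flags overseas calls whose src is not a configured extension, whose channel shows a bare IP instead of a peer name, or whose context is not the LAN one; the extension list, the context name "internal" and the CDR lines themselves are constructed assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Field order of the stock cdr-csv Master.csv (the list quoted above).
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
              "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
              "duration", "billsec", "disposition", "amaflags"]
# For a US-based box, a dst dialled as 011..., 00... or +<non-1> is international.
INTL_DST = re.compile(r"^(011\d+|00\d+|\+(?!1)\d+)$")
# A channel like SIP/203.0.113.9-0000001a means the call came in from a bare IP
# (unauthenticated/guest) rather than from a configured peer such as SIP/1001-...
IP_CHANNEL = re.compile(r"^(?:SIP|IAX2)/(\d{1,3}(?:\.\d{1,3}){3})-")

def parse_master_csv(text):
    """Parse Master.csv text into dicts keyed by CDR_FIELDS."""
    return [dict(zip(CDR_FIELDS, row)) for row in csv.reader(io.StringIO(text)) if row]

def find_suspicious_international(text, known_extensions, lan_context):
    """One finding per international call whose src, channel or context is
    'peculiar', plus total billsec per src over all international calls."""
    findings, billsec_by_src = [], defaultdict(int)
    for cdr in parse_master_csv(text):
        if not INTL_DST.match(cdr["dst"]):
            continue
        billsec_by_src[cdr["src"]] += int(cdr["billsec"] or 0)
        reasons = []
        if cdr["src"] not in known_extensions:
            reasons.append("src %r is not a configured extension" % cdr["src"])
        m = IP_CHANNEL.match(cdr["channel"])
        if m:
            reasons.append("call placed from bare IP %s (guest/anonymous)" % m.group(1))
        if cdr["dcontext"] != lan_context:
            reasons.append("dialled from context %r, expected %r" % (cdr["dcontext"], lan_context))
        if reasons:
            findings.append({"start": cdr["start"], "src": cdr["src"], "dst": cdr["dst"],
                             "channel": cdr["channel"], "reasons": reasons})
    return findings, dict(billsec_by_src)

# Constructed sample CDR lines (not real data): one legitimate US call from
# extension 1001, then two overseas calls dialled from an Internet host.
SAMPLE_CDR = '''"","1001","2125551234","internal","""Alice"" <1001>","SIP/1001-00000001","SIP/trunk-00000002","Dial","SIP/trunk/2125551234,60","2010-11-22 09:14:05","2010-11-22 09:14:12","2010-11-22 09:20:40",395,388,"ANSWERED","DOCUMENTATION"
"","100","011441632960123","default","""100"" <100>","SIP/203.0.113.9-0000001a","SIP/trunk-0000001b","Dial","SIP/trunk/011441632960123,60","2010-11-22 02:03:11","2010-11-22 02:03:19","2010-11-22 02:41:02",2271,2263,"ANSWERED","DOCUMENTATION"
"","","011441632960124","default","<>","SIP/203.0.113.9-0000001c","SIP/trunk-0000001d","Dial","SIP/trunk/011441632960124,60","2010-11-22 02:45:00","","2010-11-22 02:45:30",30,0,"NO ANSWER","DOCUMENTATION"
'''
```

Call `find_suspicious_international(open("/var/log/asterisk/cdr-csv/Master.csv").read(), {"1001", "1002"}, "internal")` on a real file; the billsec totals per src show at a glance which "extension" has been running up the overseas minutes.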
Use IPTables to lock down your machine to only accept incoming connections from your local network and from the particular IPs that you are expecting connections from (such as your SIP trunk, maybe). That is of course assuming that these calls are made by SIP.

Don't forget to also change all the passwords.

From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Gary Kuznitz
Sent: Monday, November 22, 2010 8:23 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] Someone has hacked into our system
Hi Gary,

I went through this process a few times over the past few years. There are a few short guides for securing Asterisk, but much of it depends on your design. If it's a traditional POTS-type PBX then locking down IPs using firewalls is a great thing; however, if you make use of inbound SIP calls from end-user PC clients on the Internet then that's not always possible.

So here are my recommendations:

1) Change the default context name to something like "publicinbound".
2) Create a context called publicinbound that does basically nothing.
3) Set up a different context for a peer or friend, IAX or SIP, or whatever. That way you can see which connection the hacker's coming in from.
4) If you don't want to firewall off the whole internet, then at least make use of fail2ban - it's a free scripted add-on that watches for hacking attempts and firewalls them off.
5) Really, really long passwords and usernames - this one's pretty key. My first task was in going through and understanding where all the passwords were and changing them. I now make mine completely random and a min of 30 chars.
6) IP restrictions. If a peer or user does have a fixed IP, then define it in the appropriate config file.
7) The alwaysauthreject is good.. helps fumble the hackers.

Thanks,
Adrian
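Adrian's list above can be turned into a check against a live sip.conf. The script below is an added example (not Adrian's or the Asterisk project's code) that reports a [general] section still pointing unauthenticated calls at the default context (points 1 and 2), peers that dial out of that public context (point 3), secrets shorter than his 30-character minimum (point 5), dynamic peers with no IP restriction (point 6), and a missing alwaysauthreject=yes (point 7). The context name "publicinbound" comes from his message; reading permit=/deny= as the per-peer IP restriction, treating a missing host= as dynamic, and the sample sip.conf are assumptions.

```python
import re

def parse_sip_conf(text):
    """Minimal sip.conf reader: {section: [(key, value), ...]}, keeping repeated keys such as permit=/deny=."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def audit_sip_conf(text, public_context="publicinbound", min_secret=30):
    """Return (section, problem) pairs for settings that miss the thread's advice."""
    conf, findings = parse_sip_conf(text), []
    general = dict(conf.get("general", []))
    if general.get("context", "default") == "default":
        findings.append(("general", "unauthenticated calls land in [default]; set context=%s" % public_context))
    if general.get("alwaysauthreject", "no").lower() != "yes":
        findings.append(("general", "alwaysauthreject=yes is not set"))
    for name, items in conf.items():
        if name == "general":
            continue
        d = dict(items)
        if "secret" not in d:
            findings.append((name, "no secret"))
        elif len(d["secret"]) < min_secret:
            findings.append((name, "secret is %d chars, want >= %d" % (len(d["secret"]), min_secret)))
        # A peer without its own context= inherits the one from [general].
        if d.get("context", general.get("context", "default")) in ("default", public_context):
            findings.append((name, "peer dials out of the public/default context"))
        # Audit policy: a missing host= is treated like host=dynamic.
        if d.get("host", "dynamic") == "dynamic" and not any(k in ("permit", "deny") for k, _ in items):
            findings.append((name, "dynamic host with no permit/deny; any IP may register"))
    return findings

# Constructed sip.conf (not from the thread): the defaults that let an outside host register and dial out.
WEAK_SIP_CONF = """
[general]
context=default
[1001]
type=friend
secret=1001          ; short, guessable
host=dynamic
context=default
"""
```

Run `audit_sip_conf(open("/etc/asterisk/sip.conf").read())` after making Adrian's changes and it should come back empty; a `sip reload` is still needed for Asterisk itself to pick them up.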
Singer X.J. Wang
2010-Nov-25 17:40 UTC
[asterisk-users] Someone has hacked into our system
One thing we did to secure remote users is to use SNOM370s and OpenVPN.

--
Singer XJ Wang, Senior System and Database Administrator
The Pythian Group - love your data
http://www.pythian.com
Desk: (613) 565-8696 x298
Cell: (613) 266-3763

On Thu, Nov 25, 2010 at 12:33, Adrian Marsh <Adrian.Marsh at ubiquisys.com> wrote: