Today I was hacked but caught it very quickly. This is the weird part: they hacked an IP Auth based account by simply knowing the account name.

How is this possible? I am running Asterisk 11.5.0. Now it's my fault I used a dictionary-based account name, but how did they bypass the set IP I had under the account for this host?

This also happened with fail2ban running, and I pay for Humbug. Nothing caught it. It's just chance that I happened to be in the CLI and noticed it. In a span of 30 minutes they had made over $200 worth of calls, all to the same number.

Anyone have any idea on this, and any ideas on preventing this?

John Bittner
CTO, xaccel.net
On 18 Oct 2013, at 04:06, John T. Bittner <john at xaccel.net> wrote:

> Today I was hacked but caught it very quickly. This is the weird part, they hacked an IP Auth based account by simply knowing the account name.
>
> How is this possible? I am running Asterisk 11.5.0. Now it's my fault I used a dictionary based account name but how did they bypass the set ip I had under the account for this host.

Did the IP show under sip show peer xxx? If it's realtime it's possible to set it and need to prune it / sip reload.

Steve
On 10/17/13 23:06, John T. Bittner wrote:

> Today I was hacked but caught it very quickly. This is the weird part, they hacked an IP Auth based account by simply knowing the account name.
>
> How is this possible? I am running Asterisk 11.5.0. Now it's my fault I used a dictionary based account name but how did they bypass the set ip I had under the account for this host.

Any chance your sip peer was configured like this?

[accountname]
host=10.9.8.7

Without seeing your settings it's quite difficult to come up with accurate possibilities of what happened. The above example will allow *all* IP addresses with no password, because there is no permit+deny (you need to use both).
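To make the point of the reply above checkable, here is an added audit script (not from the thread or from the Asterisk project) that parses a sip.conf and flags peers with a static host= but no secret and no deny+permit pair. The sip.conf text, the peer names and the 10.9.8.7 address are constructed for the example; the hardened peer shows the deny-everything-then-permit-one-address pattern the reply is asking for.

```python
import re
from typing import Dict, List

# Constructed sample sip.conf: the weak peer from the reply next to the
# same peer locked down with a deny+permit pair.
SAMPLE_SIP_CONF = """
[general]
context=default
allowguest=no

[accountname]          ; weak: static host, no secret, no deny/permit
type=peer
host=10.9.8.7
context=from-trunk

[accountname-fixed]    ; hardened: same peer with an address list
type=peer
host=10.9.8.7
context=from-trunk
deny=0.0.0.0/0.0.0.0
permit=10.9.8.7/255.255.255.255
"""

def parse_sip_conf(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse sip.conf into {section: {key: [values...]}}.
    Repeated keys such as deny/permit are kept in order of appearance."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ; comments
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)         # [name] or [name](template)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.lstrip(">").strip()            # accept key=value and key=>value
        sections[current].setdefault(key.strip().lower(), []).append(value)
    return sections

def weak_static_peers(text: str) -> List[str]:
    """Names of peers with a static host, no secret, and no deny+permit pair."""
    weak = []
    for name, opts in parse_sip_conf(text).items():
        if name in ("general", "authentication"):
            continue
        static_host = opts.get("host", ["dynamic"])[0].lower() != "dynamic"
        has_secret = bool(opts.get("secret") or opts.get("md5secret"))
        has_acl = "deny" in opts and "permit" in opts   # both are needed
        if static_host and not has_secret and not has_acl:
            weak.append(name)
    return weak
```

Running weak_static_peers over the sample reports only [accountname]; [accountname-fixed] passes because it carries both a deny and a permit line.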