I took a look for that. MySQL is running but blocked in the firewall.
I do have a web GUI, but it hides the passwords and has a single login for admin 
with a complex password.
Even if they hacked the web site, they have no way of getting the passwords; my 
configs are static in the asterisk folder.
SSH is blocked.

Logs do not show any http access, secure or any other fingerprints.

I am going to honeypot this box to see if I can capture their invites.

John
Xaccel



From: asterisk-users [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Dovid Bender
Sent: Sunday, June 16, 2019 6:59 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users@lists.digium.com>
Subject: Re: [asterisk-users] Hacking

John,

There are a lot of factors at play. For instance, are you using a GUI that has a 
known vuln? Is there MySQL running on the box with a simple password? Perhaps 
they didn't hack your PBX but they compromised a SIP phone, and once they had the 
credentials they made calls? Do you have a provisioning system?

We have seen all of the above. Most of the compromises we are seeing these days 
are either via a provisioning server or phones that are accessible on the 
internet with weak passwords.




Regards,

Dovid

From: j...@xaccel.net
Sent: June 16, 2019 18:37
To: asterisk-users@lists.digium.com
Reply-to: asterisk-users@lists.digium.com
Subject: [asterisk-users] Hacking


Anyone know how someone can hack an Asterisk box and register with every single 
account on the box?
This box only has 3 accounts, with very complex passwords. Have VoIP blacklist 
set up and fail2ban…

The hackers were able to make 2 calls to Cuba before my alerting system texted 
me.

I am running Asterisk 16.3 with PJSIP.

This is my only box open to the outside world, a requirement for this one 
customer.
Looked into my logs… can't find anything out of the ordinary.


Any ideas?



  Contact:  <Aor/ContactUri..............................> <Hash....> <Status> <RTT(ms)..>
==========================================================================================

  Contact:  12120001001/sip:12120001001@5.79.64.23:9227    ee80678930 NonQual         nan
  Contact:  848842405/sip:848842405@5.79.64.23:9227        031ed703ba NonQual         nan
  Contact:  848842405/sip:848842405@5.79.64.23:9227        031ed703ba NonQual         nan
  Contact:  ghbhhm0000/sip:ghbhhm0000@5.79.64.23:9227      959fc8fbf4 NonQual         nan
  Contact:  ghbhhm0000/sip:ghbhhm0000@5.79.64.23:9227      959fc8fbf4 NonQual         nan
  Contact:  ghbhhm0000/sip:ghbhhm0000@5.79.64.23:9228      d7bf838918 NonQual         nan
  Contact:  ghbhhm0000/sip:ghbhhm0000@5.79.64.23:9228      d7bf838918 NonQual         nan

Any help is much appreciated.


John Bittner
CTO
380 US Highway 46, Suite 500
Totowa, NJ 07512
Phone: 201.806.2602 x2405
Fax:   201.806.2604
Cell:  973.390.1090
www.xaccel.net
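
An added example, not part of the original thread: one way to turn a contact listing like the one above into an alert, by parsing `pjsip show contacts` output and flagging any source host that holds contacts for more than one AOR or is not on an expected list. The sample rows, the documentation-range addresses, the function names and the `max_aors` threshold are all assumptions made for illustration; phones sharing one NAT address will legitimately need a higher threshold.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `pjsip show contacts` output (documentation IPs).
SAMPLE = """\
  Contact:  <Aor/ContactUri..............................> <Hash....> <Status> <RTT(ms)..>
==========================================================================================

  Contact:  1001/sip:1001@198.51.100.7:5060                  a1b2c3d4e5 Avail        23.114
  Contact:  1002/sip:1002@203.0.113.50:9227                  0f1e2d3c4b NonQual         nan
  Contact:  1003/sip:1003@203.0.113.50:9227                  5a6b7c8d9e NonQual         nan
  Contact:  1003/sip:1003@203.0.113.50:9228                  9e8d7c6b5a NonQual         nan
"""

# AOR / contact URI (user part optional, IPv6 in brackets) / hash / status / RTT.
ROW = re.compile(
    r"^\s*Contact:\s+(?P<aor>[^/\s]+)/sips?:(?:[^@\s]+@)?"
    r"(?P<host>\[[0-9A-Fa-f:]+\]|[^:;\s]+)(?::(?P<port>\d+))?\S*"
    r"\s+(?P<hash>[0-9a-f]+)\s+(?P<status>\S+)\s+(?P<rtt>\S+)\s*$"
)

def parse_contacts(text):
    """Return (aor, host, port, status) per contact row; header lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m["aor"], m["host"], int(m["port"] or 5060), m["status"]))
    return rows

def suspicious_hosts(rows, known_hosts=(), max_aors=1):
    """Map host -> (AORs, reasons) for hosts that look wrong.

    known_hosts and max_aors are hypothetical policy inputs: a host is flagged
    when it registered more than max_aors distinct AORs, or when an allow-list
    is supplied and the host is not on it.
    """
    by_host = defaultdict(set)
    for aor, host, _port, _status in rows:
        by_host[host].add(aor)
    findings = {}
    for host, aors in by_host.items():
        reasons = []
        if len(aors) > max_aors:
            reasons.append("multiple AORs")
        if known_hosts and host not in known_hosts:
            reasons.append("unknown host")
        if reasons:
            findings[host] = (sorted(aors), reasons)
    return findings
```
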
