Thanks to all. I think it was inbound IAX listening on 0/0 (I had failed to
narrow it down only to our own boxes), coupled presumably with a not amply
strong password, and the IAX landing context not being secured against
outbound calls, as you say. Adaptive ban was in place, so I'm hopeful it
wasn't SSH.
Thanks again. Waiting on reports from the telco to see what the damage is...
Tom
From: David Kerr [mailto:da...@kerr.net]
Sent: 16 July 2012 14:54
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Hacked - please help
You would start by analysing the CDR log and looking to see from which context
the calls are originating.
Make sure that you don't have a "default" context, but if you do need it (to
receive legitimate inbound calls) then make sure that this context only
permits access to internal extensions, not any external number.
Also for every SIP extension restrict the IP address that can access them
for example...
deny = 0.0.0.0/0.0.0.0
permit = 192.168.1.0/255.255.255.0
If you have a need for an extension to connect from outside your local IP
range, then permit them on a one-by-one basis and use strong password and
consider connecting them to a more restrictive context (that, for example,
prohibits international or premium rate calls, but lets through regular
domestic calls).
Turn on adaptive ban firewall plugin.
That's about all I can think of for now. I'm sure there is more.
David
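The CDR review David describes, as an added example that is not part of the thread or of AstLinux itself: a small parser for Asterisk's cdr_csv Master.csv column order that totals calls per destination context and flags external calls placed from an untrusted context, with an international prefix, or outside business hours. The sample CDR lines, the "default" context being untrusted, the 4-digit internal extension length and the 00:00-06:59 quiet window are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Asterisk cdr_csv writes these fields, in this order, to Master.csv.
CDR_FIELDS = [
    "accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
    "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
    "disposition", "amaflags", "uniqueid",
]

# Constructed sample lines: two night-time international calls from an IAX2
# channel that landed in the "default" context, plus two legitimate internal calls.
SAMPLE_CDR = '''\
"","201","202","internal","""Alice"" <201>","SIP/201-0000001a","SIP/202-0000001b","Dial","SIP/202,30","2012-07-16 02:10:11","2012-07-16 02:10:14","2012-07-16 02:12:40","149","146","ANSWERED","DOCUMENTATION","1342404611.26"
"","100","0037125550101","default","""100"" <100>","IAX2/100-3","SIP/trunk-0000002c","Dial","SIP/trunk/0037125550101","2012-07-16 03:01:02","2012-07-16 03:01:10","2012-07-16 03:14:55","833","825","ANSWERED","DOCUMENTATION","1342407662.44"
"","100","0037125550102","default","""100"" <100>","IAX2/100-4","SIP/trunk-0000002d","Dial","SIP/trunk/0037125550102","2012-07-16 03:15:01","2012-07-16 03:15:08","2012-07-16 03:29:50","889","882","ANSWERED","DOCUMENTATION","1342408501.45"
"","203","01234567890","internal","""Bob"" <203>","SIP/203-0000001c","SIP/trunk-0000002e","Dial","SIP/trunk/01234567890","2012-07-16 09:30:00","2012-07-16 09:30:05","2012-07-16 09:31:00","60","55","ANSWERED","DOCUMENTATION","1342431000.46"
'''


def parse_cdr(text):
    """Parse Master.csv text into a list of dicts keyed by CDR_FIELDS."""
    reader = csv.reader(io.StringIO(text))
    return [dict(zip(CDR_FIELDS, row)) for row in reader if row]


def is_external(dst, max_internal_len=4):
    """Assumption: internal extensions are at most 4 digits; longer numbers are external."""
    return dst.isdigit() and len(dst) > max_internal_len


def calls_by_context(records):
    """Totals per destination context: call count, billed seconds, external calls."""
    by_ctx = defaultdict(lambda: {"calls": 0, "billsec": 0, "external": 0})
    for r in records:
        c = by_ctx[r["dcontext"]]
        c["calls"] += 1
        c["billsec"] += int(r["billsec"] or 0)
        if is_external(r["dst"]):
            c["external"] += 1
    return dict(by_ctx)


def suspicious_calls(records, untrusted_contexts=("default",), quiet_hours=range(0, 7)):
    """Return (uniqueid, channel, dst, reasons) for external calls that look wrong."""
    hits = []
    for r in records:
        reasons = []
        ext = is_external(r["dst"])
        if ext and r["dcontext"] in untrusted_contexts:
            reasons.append("external call from untrusted context")
        if ext and r["dst"].startswith("00"):
            reasons.append("international prefix")
        hour = int(r["start"][11:13])  # "YYYY-MM-DD HH:MM:SS"
        if ext and hour in quiet_hours:
            reasons.append("outside business hours")
        if reasons:
            hits.append((r["uniqueid"], r["channel"], r["dst"], reasons))
    return hits


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    for ctx, totals in sorted(calls_by_context(recs).items()):
        print("%-10s calls=%d external=%d billsec=%d" % (ctx, totals["calls"], totals["external"], totals["billsec"]))
    for uid, chan, dst, why in suspicious_calls(recs):
        print("SUSPECT %s %s -> %s: %s" % (uid, chan, dst, ", ".join(why)))
```

On a real box, replace SAMPLE_CDR with the contents of /var/log/asterisk/cdr-csv/Master.csv; the channel column of each flagged row (IAX2/... versus SIP/...) is what tells you which technology and which account the calls came in on.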
On Mon, Jul 16, 2012 at 9:17 AM, Ron Byer Lists <ronb-li...@netweave.com>
wrote:
Sorry to hear this... A few notes from the voice of experience:
Probable cause:
Hacked SIP password from an unauthorized IP address. The problem could be
an overly simplistic or nonexistent SIP secret. Look at your logs and
see what the source channel(s) are/is and shut that channel or channels
down by changing the SIP password. There are probably more than a single
IP address doing it, so IP blacklisting may not work... Instead, can you
whitelist legit addresses and shut out the remainder?
Longer term:
- go to IP authentication if possible.
- run a cron job every hour making sure that passwords are not missing
or too simple.
Ron
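Ron's hourly check for missing or trivial SIP secrets, as an added example that is not part of the thread or of AstLinux itself: a minimal sip.conf section parser and an audit that flags peers with no secret, a short, all-digit, default or name-equal secret, and peers without any deny/permit restriction (David's point above). The sip.conf fragment is constructed, and the 12-character minimum and the list of common defaults are assumptions to adjust to local policy.

```python
import re
import sys

# Constructed sip.conf fragment, deliberately containing weak entries to audit.
SAMPLE_SIP_CONF = """\
[general]
context=default          ; unauthenticated callers land here
allowguest=no

[201]
type=friend
secret=5dT!k9zQw2Lr#p
context=internal
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0

[202]
type=friend
secret=202                ; secret equals the extension
context=internal

[203]
type=friend
context=internal          ; no secret at all

[204]
type=friend
secret=password
context=internal
host=dynamic              ; reachable from anywhere, no deny/permit
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]")

# Assumed list of defaults worth rejecting outright.
COMMON_SECRETS = {"password", "secret", "1234", "12345", "123456", "asterisk", "admin"}


def parse_sip_conf(text):
    """Map each [section] to its key=value options; ';' starts a comment.

    Caveat: a secret containing ';' would be truncated by the comment strip."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)  # "[name](!)" templates still yield "name"
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def audit_sip_peers(sections, min_len=12):
    """Return (peer, problem) pairs for every type=friend/peer/user section."""
    findings = []
    for name, opts in sections.items():
        if opts.get("type") not in ("friend", "peer", "user"):
            continue
        secret = opts.get("secret")
        if secret is None:
            findings.append((name, "no secret set"))
        else:
            if len(secret) < min_len:
                findings.append((name, "secret shorter than %d chars" % min_len))
            if secret.lower() in COMMON_SECRETS:
                findings.append((name, "secret is a common default"))
            if secret == name:
                findings.append((name, "secret equals peer name"))
            if secret.isdigit():
                findings.append((name, "secret is all digits"))
        if "permit" not in opts and "deny" not in opts:
            findings.append((name, "no deny/permit restriction"))
    return findings


if __name__ == "__main__":
    # For cron use: read the real file when a path is given, exit non-zero on findings.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SIP_CONF
    problems = audit_sip_peers(parse_sip_conf(text))
    for peer, why in problems:
        print("[%s] %s" % (peer, why))
    sys.exit(1 if problems else 0)
```

Run it from cron as `audit_sip.py /etc/asterisk/sip.conf` and mail the output; a non-zero exit is the signal that something needs fixing before the next hour passes.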
On 7/16/2012 8:59 AM, Tom Chadwin wrote:
> Hello all
>
> It's finally happened, and our Astlinux box has been compromised, with many
> premium/unauthorized calls being made. Would someone be willing to help out
> diagnose what happened and rectify the vulnerability? Obviously, this can be
> paid work. If anyone is interested, and can get back to me with a quote, I'd
> be extremely grateful.
>
> Thanks
>
> Tom
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> pay...@krisk.org.