Re: [asterisk-users] Hacking

2019-06-16 Thread John T. Bittner
I took a look for that: MySQL is running but blocked in the firewall.
I do have a web GUI, but it hides the passwords and has a single login for admin 
with a complex password.
Even if they hacked the web site, they have no way of getting the passwords; my 
configs are static in the asterisk folder.
SSH is blocked.

Logs do not show any HTTP access, secure or any other fingerprints.

I am going to honeypot this box to see if I can capture their invites.

John
Xaccel



From: asterisk-users [mailto:asterisk-users-boun...@lists.digium.com] On Behalf 
Of Dovid Bender
Sent: Sunday, June 16, 2019 6:59 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion 

Subject: Re: [asterisk-users] Hacking

John,

There are a lot of factors at play, for instance are you using a GUI that has a 
known vuln? Is there MySQL running on the box with a simple password? Perhaps 
they didn't hack your PBX but they compromised a SIP phone and once they had the 
credentials they made calls? Do you have a provisioning system?

We have seen all of the above. Most of the compromises we are seeing these days 
are either via a provisioning server or phones that are accessible on the 
internet with weak passwords.




Regards,

Dovid
-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] [OFF LIST] Re: Hacking

2019-06-16 Thread Dovid Bender
Oops, that was supposed to be off list.



[asterisk-users] [OFF LIST] Re: Hacking

2019-06-16 Thread Dovid Bender
John,

I spoke about security last year at Astricon [1]. If I had to guess without
even knowing what your setup is, I would say they either got in via an
insecure phone (either default pass or one with a known security issue) or
via a provisioning server. If you want I can help poke around your system
tomorrow to see if we can figure out how they got in.

Regards,

Dovid


[1] https://www.youtube.com/watch?v=9Wzzlo1kfTQ=1s


Re: [asterisk-users] Hacking

2019-06-16 Thread Dovid Bender
John,

There are a lot of factors at play, for instance are you using a GUI that has a known vuln? Is there MySQL running on the box with a simple password? Perhaps they didn't hack your PBX but they compromised a SIP phone and once they had the credentials they made calls? Do you have a provisioning system?

We have seen all of the above. Most of the compromises we are seeing these days are either via a provisioning server or phones that are accessible on the internet with weak passwords.

Regards,

Dovid

From: j...@xaccel.net
Sent: June 16, 2019 18:37
To: asterisk-users@lists.digium.com
Reply-to: asterisk-users@lists.digium.com
Subject: [asterisk-users] Hacking

[asterisk-users] Hacking

2019-06-16 Thread John T. Bittner
Anyone know how someone can hack an asterisk box and register with every single 
account on the box?
This box only has 3 accounts, with very complex passwords. Have VoIP blacklist 
set up and fail2ban...

The hackers were able to make 2 calls to Cuba before my alerting system texted 
me.

I am running asterisk 16.3 with PJSIP.

This is my only box open to the outside world, a requirement for this one 
customer.
Looked into my logs... can't find anything out of the ordinary.


Any ideas?




  Contact:

==

  Contact:  12120001001/sip:12120001001@5.79.64.23:9227  ee80678930 NonQual nan
  Contact:  848842405/sip:848842405@5.79.64.23:9227      031ed703ba NonQual nan
  Contact:  848842405/sip:848842405@5.79.64.23:9227      031ed703ba NonQual nan
  Contact:  ghbhhm/sip:ghbhhm@5.79.64.23:9227            959fc8fbf4 NonQual nan
  Contact:  ghbhhm/sip:ghbhhm@5.79.64.23:9227            959fc8fbf4 NonQual nan
  Contact:  ghbhhm/sip:ghbhhm@5.79.64.23:9228            d7bf838918 NonQual nan
  Contact:  ghbhhm/sip:ghbhhm@5.79.64.23:9228            d7bf838918 NonQual nan

Any help is much appreciated.


John Bittner
CTO
380 US Highway 46, Suite 500
Totowa, NJ 07512
Phone: 201.806.2602 x2405
Fax:   201.806.2604
Cell:   973.390.1090
www.xaccel.net

CONFIDENTIALITY NOTICE:
This e-mail message, including any attachments, is for the sole use of the 
intended recipient(s) and may contain confidential
and privileged information which should not be shared or forwarded. Any 
unauthorized review, use, disclosure or distribution
is prohibited. If you are not the intended recipient, please contact the sender 
by reply e-mail and destroy all copies of the e-mail.
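A detection check a defender could run over the `pjsip show contacts` output above, added here as an example (it is not code from the thread or from Asterisk): it parses the contact rows and flags AoRs that are not among the box's configured accounts, plus any single source host that holds bindings for several AoRs, which is the pattern visible in the pasted output. The allowed account names 1001 to 1003, the 1001 row and the 192.0.2.10 address are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample built from the `pjsip show contacts` rows in the thread;
# the 1001 row (and the 192.0.2.10 address) is a placeholder for a legitimate phone.
SAMPLE = """\
  Contact:  <Aor/ContactUri> <Hash> <Status> <RTT(ms)>
==========================================================================
  Contact:  12120001001/sip:12120001001@5.79.64.23:9227  ee80678930 NonQual nan
  Contact:  848842405/sip:848842405@5.79.64.23:9227      031ed703ba NonQual nan
  Contact:  ghbhhm/sip:ghbhhm@5.79.64.23:9227            959fc8fbf4 NonQual nan
  Contact:  ghbhhm/sip:ghbhhm@5.79.64.23:9228            d7bf838918 NonQual nan
  Contact:  1001/sip:1001@192.0.2.10:5060                aabbccdd00 Avail   12.345
"""

# One data row: "<aor>/<uri> <hash> <status> <rtt>"; header and separator rows do not match.
CONTACT_RE = re.compile(
    r"^\s*Contact:\s+(?P<aor>[^/\s]+)/sips?:(?P<user>[^@\s]+)@(?P<host>[^:\s]+)"
    r":(?P<port>\d+)\s+(?P<hash>[0-9a-f]+)\s+(?P<status>\S+)\s+(?P<rtt>\S+)"
)


def parse_contacts(text):
    """Return one dict per registered contact in `pjsip show contacts` output."""
    return [m.groupdict() for m in map(CONTACT_RE.match, text.splitlines()) if m]


def audit_contacts(contacts, allowed_aors, max_aors_per_host=1):
    """Flag bindings for AoRs that are not configured on the box, and any single
    source host that holds bindings for more AoRs than one phone should."""
    findings = []
    by_host = defaultdict(set)
    for c in contacts:
        by_host[c["host"]].add(c["aor"])
        if c["aor"] not in allowed_aors:
            findings.append(f"unknown AoR {c['aor']} registered from "
                            f"{c['host']}:{c['port']} (status {c['status']})")
    for host, aors in sorted(by_host.items()):
        if len(aors) > max_aors_per_host:
            findings.append(f"host {host} holds bindings for {len(aors)} AoRs: "
                            + ", ".join(sorted(aors)))
    return findings


if __name__ == "__main__":
    # Allowed AoRs are placeholders standing in for the box's three real accounts.
    for finding in audit_contacts(parse_contacts(SAMPLE), {"1001", "1002", "1003"}):
        print(finding)
```

Run it periodically against `asterisk -rx "pjsip show contacts"` and alert on any finding; the NonQual status in the pasted rows simply means qualify is not enabled for those AoRs, so status alone would not have caught them.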
