Asterisk box hacked - help

Dear Asterisk users,

I think my box is hacked. Several people from Louisiana called me to ask if I called. It seems like a computer system is calling them from my box. How can I know for sure? My call logs seem to be down and looking at the Asterisk log file it seems like the call is coming from my box or at least I can find the Louisiana peoples number in the log.

I would very much appreciate any advice at this point: how to find the identity of the hacker and how to stop/prevent this.

Thanks for your help in advance.

elvisk

is your box connected to the internet? You may want to take it off the internet while you are trying to figure out what is going on. Also are you using DISA? If so please get rid of that feature or at least use authenticate with a good long password, and if you are using DISA please make it hard to find. You can run a root kit to see if and how the person got in.

riddlebox,

Thanks for the response. The box is off-line and I do have disa running, but with a very long password. It’s been fine for two years and all of sudden this happened at 4:30ish today.

It seems like there is a bot in the box or a bot that is external to my network mimicking an extension dialing numbers every few minutes. Is there anyway to check if the compromise is internal (on the box) vs. outside of my network and mimicking an extension?

When you say run a rootkit, do you mean use a rootkit detector?

Thanks.

Elvisk

Hi

Check you IVR menus if you have any.

a quick look at the CDR records may show it. also run sip debug if its sip calls.

Ian

If you have short passwords on your extensions, they likely have registered as one of them and made calls out of them. See this thread:

forums.digium.com/viewtopic.php?t=64602

This type of thing are often dialthrough.

Basicly its easy to set your self up for it…

for example

[code][pstn-in]

exten => 1234,1,Noop(ivr)
ETC ETC

include=phones ;to allow direct calls to extensions

[phones]

exten = 3000,1,Dial(SIP/3000)

ETC ETC

include=outdial ; so phones can make calls[/code]

now if for example all outbound calls are prefixed with a 9 then at the IVR you just have to dial 90123412345 and out you go.

the show dialplan command is a very useful tool for showing backdoors in the dialplan, so show dialplan pstn-in would show that 90123412345 can be dialed.

in an IVR always have a i , t and h extension and if possible no includes use Gotos instead.

If its direct sip calls then they dont even need to log on, its perfecty possible on a misconfigured box similar to abouve to just send 901234123456@serverip.com to make a outbound call. make sure that SIP and IAX unregistered calls are directed to a context that can do very little

IAn

Good tip - can you explain briefly how to set where unregistered sip calls go? Would that be in the [general] settings?

Under the general settings in sip.conf you have context=. If in that context you have outbound calling enabled in that context then they can make calls. You can either set that any calls from that context just get hung up on or you can set allowguest=no.