Been hacked - Now Asterisk is still making mysterious calls

system · December 23, 2015, 11:01pm

Dear all!

Three weeks ago I found in my much larger then usual Asterisk messages log that someone was making a brute-force attache on my Asterisk server. 10 days later I found on the monthly bill from my trunk provider that the hacker was in fact successful and made 200+ EUR calls on a single day. I changed all SIP passwords and installed fail2ban, which seems working well (blocking an attacker every second day).

Unfortunately my Master.csv still shows very mysterious outgoing calls every couple of days. I can not explain these calls at all. This is an example:

“”,“asterisk”,“011442073479999”,“default”,""“asterisk”" “,“SIP/117.41.168.235-28005a28”,“SIP/ext-sip-account-5b0a4578”,“Dial”,“SIP/011442073479999@ext-sip-account,tTwW”,“2010-05-19 16:28:16”,“2010-05-19 16:28:18”,“2010-05-19 16:28:54”,38,36,“ANSWERED”,“DOCUMENTATION”,“1274286496.712”,”"

I don’t have a user “asterisk”, non of us knows this phone number, I don’t use the context “default” directly, I don’t know the IP number 117.41.168.235, and I don’t in fact understand at all this call line.

Non of the asterisk config files I am using to configure my system have been changed.

Can anyone give me a hint what this outgoing call could be?
THANKS!!

EdIII · December 23, 2015, 11:01pm

Scorched Earth.

I use virtual machines so it may be a bit easier for me… but completely destroy the entire machine that your Asterisk installation resides on … and do IT RIGHT FREAKIN NOW.

If they gained access to the system there is no telling how much access they be could gaining into other systems using the Asterisk as a stepping stone.

I don’t what version of Asterisk you are using, but the attacker could have hidden parts of his dial plan anywhere. Especially, if you are using Trixbox, FreePBX, etc. They have includes all over the place reading other files and adding them to the dialplan.

You mention that you don’t have that “user”. Have you directly checked the sip.conf file, or are you relying on a GUI for information?

What you really need to do is wipe that whole system clean and do a fresh install. It’s the only way to be really sure.

Additionally, if you have no sip phones connecting from the outside, you need to use your firewall (not just fail2ban) and white list all the SIP traffic. Leave RTP completely open. Completely block of all IAX traffic from the outside as it is not safe, and afaik, IAX still has vulnerabilities. If you need IAX tunnels between locations, use VPN, or restrict your IAX traffic to those IP addresses only too.

ianplain · December 23, 2015, 11:01pm

Hi

Wiping and staring again wont solve a bruteforce attack.

firstly do a

show dialplan ext-sip-account

then

show dialplan 011442073479999@ext-sip-account

and see what you get.

Then in sip.conf see what the default context sip calls land in. and lock this down

IE unless its to a number you are expecting hang it up

Also

follow digiums security guide

Ian
www.cyber-cottage.co.uk