Hacked! Password compromised


Total noob so forgive any holes in my explanation/rambling inelegance.

Bit of backstory – the company I work for had Asterisk VOIP with FreePBX installed on CentOS 5.5 last year by a local firm with whom we didn’t take out a maintenance contract. I was subsequently tasked with learning enough about the system to add new phones to it (I’m not a techie of any sort, but there you go). So, my experience until last week was limited to accessing FreePBX GUI via a browser to add extensions as the company I work for grew. We don’t have any users of the system outside our offices, by the way.

Over Christmas our VOIP was hacked and a bill of £1000 run up by the hackers. We got the people who installed the system involved, and they told us that VOIP had been cracked in one attempt, therefore it was almost certain that our password (an alphanumeric) had been leaked to a third party by someone within our company. I’d like to point out now, the system installers had assigned the same password to everything – the Linux login, the router, web admin, SIP secrets etc.
They (the sys installers) have now changed the root, manager, ARI and portal passwords, and the SIP secret for the extension that was hacked. They’ve also changed the ‘permit’ option of that extension to only allow one IP address.

Like I say, I’m a noob, so I don’t want to criticise the guys’ work without hearing some more qualified opinions first. Basically, I’d like to change the SIP secrets for ALL our extensions, as they are currently the same as the password that was compromised. I’m unsure of how to effectively do this through the web GUI (typing in a new password just puts that extension out of action).
Any help would be much appreciated.

I’d also welcome any opinions on whether the system installers should have tightened security more than they did after the hack. After their password changes I was still able to SSH into the VOIP server as root using the old, compromised password (I rang the guys and they said this was unimportant – I’ve since changed it anyway), and every extension in the building bar one still has it as their SIP secret. Is this acceptable practice? We’ve just been invoiced a rather hefty bill for “security optimisation,” so I’d like to know that that’s what we’re paying for! I’m also wondering why they only changed the ‘permit IP’ option on the one extension (I’ve since applied this to every extension)

All opinions will be gratefully received.

Any “security expert” that leaves an old compromised root password unchanged is not worth having arround let alone pay large sums of money to “enhance security” on the Asterisk server.

My suggestion would be:

  • immediately put the Asterisk behind a firewall, let in only the traffic that is ugently necesarry
  • immediately change all extension passwords with new ones! (via WebGUI is ok)
  • change the root password !!!
  • optionally deny root access to the machine via SSH and use pubkey authentication

Asterisk is a very powerfull tool, but you have to secure it right :wink:

The phone passwords will also require changing directly on the phones.

Ah, of course! Didn’t think to change the password of the phone itself. Thanks very much. I’ll get cracking on the firewall too.

As for the “security experts” I did suspect they were dragging their feet somewhat. What I’m not sure about, though, is the root access of the server. If I log on to it as user ‘root’ at the box itself, the password has indeed been updated as the chaps said. But if I SSH to its IP from my workstation as user ‘root’, the password was unchanged (I have now changed it though). Why the discrepancy? This was the thing that concerned me the most, yet the system installers dismissed my concern as though that access was irrelevant. The conversation went like this:
“Oh yeah, we haven’t changed that. Change it yourself if you like, do you know how to do that?”
“Umm, I might be able to figure it out, but –”
“Ok great, bye!”

Their customer service leaves a lot to be desired!

Anyway, thanks for the tips. Guess I have a lot to learn.

First thing, your box wasnt really hacked. More like hijacked. You have your system configure to allow access to the system from the outside world. If you do not need the system to be accessible from the outside world then you must no allow access to it. Also create complicated passwords. The person was able to send a small dictionary attack at your IP because the port 5060 was open. Then they just sent request after request like username = 100 password = 100, username = 101 password = 101
until they were allowed access to the system. So please dont do that. There are lots of threads about a system being hacked especially over the last week. If you do a search in the forums you will see many of the same responses from the same people saying the same thing. Allow/Deny - real important it makes sure that people can only login to the system on that extension from your network. Fail2ban and IPTABLES rules to slow or stop people from trying these attacks. Also look at my signature and you will see some more info on Asterisk and Security!