Hacked via /tmp perl scripts

I run a PBX at my home as a pro-bono activity for a non-profit a few towns away from here with statewide employees/members that have IP phones in their homes.

A couple of days ago I detected that the PBX was being used to make overseas phone calls… which are prohibited by configuration in extensions_custom.conf so how was he able to do it?.. pretty sure I know how, but I’m getting ahead of myself.

What happened is that somehow someone was able to get in as the asterisk user, evidence shows via the Apache web server, and inserted some perl scripts into /tmp, one of which looks a lot like this…

voip-info.org/wiki/view/Bulk … g+Asterisk

… with some additions, which he (non-gender-specific “he”, used hereafter for convenience) used to execute some commands, add to my extensions.conf file, steal some passwords, and make some overseas phone calls.

From the httpd logs it appears the hacker was able to steal my /etc/amportal.conf and /etc/asterisk/sip_additional.conf files, so he has all of my passwords and my users’ passwords used to connect their IP phones to the PBX.

One of the things he was able to do is add the following to the end of my extensions.conf file:

[doclickoutcontextnow7]
exten => _X.,1,NoOp("Click Out Context")
exten => _X.,n,Goto(from-internal,${EXTEN},1)
[doclickincontextnow7]
exten => _X.,1,NoOp("Click in Context")
exten => _X.,n,Answer(999999999999999999)
exten => _X.,n,Wait(999999999999999999)
[doclickoutcontextnow7]
exten => _X.,1,NoOp("Click Out Context")
exten => _X.,n,Goto(from-internal,${EXTEN},1)
[doclickincontextnow7]
exten => _X.,1,NoOp("Click in Context")
exten => _X.,n,Answer(999999999999999999)
exten => _X.,n,Wait(999999999999999999)
[doclickoutcontextnow7]
exten => _X.,1,NoOp("Click Out Context")
exten => _X.,n,Goto(from-internal,${EXTEN},1)
[doclickincontextnow7]
exten => _X.,1,NoOp("Click in Context")
exten => _X.,n,Answer(999999999999999999)
exten => _X.,n,Wait(999999999999999999)
[doclickoutcontextnow7]
exten => _X.,1,NoOp("Click Out Context")
exten => _X.,n,Goto(from-internal,${EXTEN},1)
[doclickincontextnow7]
exten => _X.,1,NoOp("Click in Context")
exten => _X.,n,Answer(999999999999999999)
exten => _X.,n,Wait(999999999999999999)
[docalloutnow]
exten => _X.,1,Wait(999999999)

which he used to generate a few calls to the UK and a large number of calls to a number in Bosnia. Looks like the total damage, before I was able to shut it down, was around US$135 added to my phone bill this month.

In addition to the UK and Bosnia calls, my logs show a large number of calls to 999999999. What is that, and what effect if any does it have (and why would a hacker do that)?

In every case, the calls to 999999999, and the calls to Bosnia, were from the “docalloutnow” context, which looks like it bypasses all of the security stuff I have in my extensions_custom.conf file that are intended to prohibit toll calls including international calls.

My main question is… other than the US$135 phone bill and the need to go through and change a few hundred passwords, most of which are in phones installed at the non-profit’s home office, what damage has likely been done here? Am I reasonable in my speculation that the hacker got in via the web server? The perl script was in the /tmp directory and owned by the asterisk user, and the web browser is owned by the asterisk user (that’s how AsteriskNOW did things). There is, so far, no evidence that the hacker was able to gain root access to the host; if he did, no doubt he would know enough to clean out all the log files of any evidence of his actions, and that didn’t happen (of course, I changed the root password anyway, along with my own password on the host).

After I discovered all of this I shut down the PBX while I figured all this out, but needed to bring it back up again this morning because the non-profit’s backup phone system wasn’t working (I have told them many times that they must, Must, absolutely MUST (!!!) keep a backup phone system working in case of an Internet interruption and their access to the PBX goes down, but they have not been listening). I have the web server shut down on the PBX machine, and have restricted SIP access (in the firewall) to only the non-profit’s main office a few towns away from here… that means that all of their other employees or members, that aren’t at the home office, are shut down from the PBX until further notice. They are not going to be especially happy.

Final questions… how much of this have you all seen before?.. and is there a writeup anywhere that covers all this stuff and what to do about it, and how to guard against it in the future? I am going to be moving the PBX to a different host with a fresh OS install, just in case, and would like to do it right this time.

Thanks…
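
Added example (not part of the original post, and not Asterisk or FreePBX code): a small Python audit for the two indicators described above, contexts appended to extensions.conf and calls whose CDR dcontext is one of those contexts. The baseline set, the sample dialplan and the CDR rows are constructed, and the column order assumes the default cdr_csv layout.

```python
import csv
import io
import re
from collections import Counter

# Assumption: contexts the administrator expects to exist (hypothetical baseline).
BASELINE = {"from-internal", "from-trunk"}

# Constructed sample: end of an extensions.conf with contexts like those in the post.
DIALPLAN = """\
[from-internal]
[doclickoutcontextnow7]
exten => _X.,1,NoOp("Click Out Context")
exten => _X.,n,Goto(from-internal,${EXTEN},1)
[doclickoutcontextnow7]
exten => _X.,1,NoOp("Click Out Context")
exten => _X.,n,Goto(from-internal,${EXTEN},1)
[docalloutnow]
exten => _X.,1,Wait(999999999)
"""

# Constructed CDR rows: accountcode, src, dst, dcontext (later columns omitted).
CDR = '''\
"","201","202","from-internal"
"","","999999999","docalloutnow"
"","","011387000000000","docalloutnow"
'''

def audit_dialplan(text, baseline=BASELINE):
    """Map each context outside the baseline to the reasons it looks suspicious."""
    counts, catch_all, current = Counter(), set(), None
    for line in map(str.strip, text.splitlines()):
        if header := re.fullmatch(r"\[([^\]]+)\](\(.*\))?", line):
            current = header.group(1)
            counts[current] += 1
        elif current and re.match(r"exten\s*=>\s*_[XZN]?\.\s*,", line):
            catch_all.add(current)  # pattern accepts any dialled number
    findings = {}
    for ctx, n in counts.items():
        if ctx not in baseline:
            notes = ["not in baseline"]
            notes += [f"defined {n} times"] if n > 1 else []
            notes += ["catch-all pattern"] if ctx in catch_all else []
            findings[ctx] = notes
    return findings

def audit_cdr(csv_text, baseline=BASELINE):
    """List (src, dst, dcontext) for calls placed from a context outside the baseline."""
    return [(r[1], r[2], r[3]) for r in csv.reader(io.StringIO(csv_text))
            if len(r) > 3 and r[3] not in baseline]
```

On a live system the inputs would be the contents of /etc/asterisk/extensions.conf and the cdr_csv Master.csv file, with the baseline taken from a known-good copy of the dialplan.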

Seems like you are using a GUI, not sure if ELASTIX or FREEPBX. About your question: yes, this is very usual. You need to make harder iptables rules, and about your Webconfig, you need to get rid of default pwds. There are many videos and tutorials on the web showing how to compromise Asterisk systems, and most of the attacks reside in the GUI.

Search in Google for “freepbx for fun and profit” and you will see.