Help in analyzing failed registration entries in messages log

Hi everybody,
my old trixbox PBX has been hacked and I can't understand how the attacker got in.
What I need is a mix of VoIP and networking help!
No inbound connection to the PBX is allowed through the firewall. But the attacker managed to register as one of our extensions and make phone calls.
As far as I can see, it all started with a sequence of registration attempts, with different non-existing extensions, until a good extension was met.
All these failed registration entries look the same:
NOTICE[12786] chan_sip.c: Registration from ‘“NNNN” sip:NNNN@[Y.Y.Y.Y:65476]:5060’ failed for ‘X.X.X.X’ - No matching peer found

Where:
NNNN is a random extension number, always different
Y.Y.Y.Y is my public WAN interface IP followed by a high port (always the same, 65476)
X.X.X.X is the public IP where the attacker comes from

Can you explain the meaning of these connections? Where are these connections actually coming from?
Any help will be really appreciated!
GBT

You need the security log for this.

If you mean /var/log/secure, it shows no useful information during that time.

No. The Asterisk security log, which you will need to enable in logger.conf.

Of course, trixbox may have been abandoned before it was introduced.

I cannot see any security option in the logger.conf file.
I tried to add a line “security_log => security” and the security_log file, but, as I could imagine, it’s not logging anything.
So, apart from upgrading to a supported PBX, is there anything I can do to investigate the intrusion?
Are the IP addresses I can see in the failed registration records totally useless for understanding where the phone was connecting from?

Enable sip debugging, or configure the firewall to log SIP packets, or use tcpdump to capture them.

Note, if you are open to the internet, such attacks are to be expected within minutes of switching on.

Thanks David. I realize now that my first post was edited, removing all special characters, and so it was useless.
I’ll leave some spaces between them:
NOTICE[12786] chan_sip.c: Registration from ‘“NNNN” < sip : NNNN @ [ Y.Y.Y.Y:65476 ] : 5060 >’ failed for ‘X.X.X.X’ - No matching peer found
Where:
NNNN is a random extension number, always different
Y.Y.Y.Y is my public WAN interface IP followed by a high port (always the same, 65476)
X.X.X.X is the public IP where the attacker comes from

My initial question is: does this record in the logs tell me the connection came through the firewall? Does it mean X.X.X.X tries to connect on port 5060, arriving from IP Y.Y.Y.Y port 65476?

For the future I’ll enable everything necessary to collect more information, but now I need to understand something more about what has happened, with the little info I have.

I don’t think the message is in that form for current versions, but I think you will find that everything between the angle brackets was supplied by the attacker, and only the X.X.X.X is meaningful.

The easy way of dealing with angle brackets in pasted text is to use the unformatted text tool on the formatting tool bar. The one with the </> icon.
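A small parser, added here and not taken from the thread or from Asterisk itself, that reads chan_sip failure lines of the shape discussed above and keys them on the address after “failed for”, which is the only field not copied from the attacker's REGISTER request; the quoted name and the URI between the angle brackets are treated as untrusted. The log lines, extension numbers and addresses are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample chan_sip log lines (not from the thread); addresses are
# documentation-range placeholders, the 65476 port mirrors the pattern in the post.
SAMPLE_LOG = """\
[Jan 10 03:12:01] NOTICE[12786] chan_sip.c: Registration from '"4417" <sip:4417@192.0.2.10:65476>' failed for '198.51.100.7' - No matching peer found
[Jan 10 03:12:01] NOTICE[12786] chan_sip.c: Registration from '"9031" <sip:9031@192.0.2.10:65476>' failed for '198.51.100.7' - No matching peer found
[Jan 10 03:12:02] NOTICE[12786] chan_sip.c: Registration from '"2208" <sip:2208@192.0.2.10:65476>' failed for '198.51.100.7:5060' - No matching peer found
[Jan 10 03:15:44] NOTICE[12786] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '203.0.113.5' - Wrong password
"""

# The display name and the sip: URI come straight from the attacker's request;
# only the address after "failed for" is the socket Asterisk received the packet
# from. Older builds log it without a port, newer ones append ":port".
LINE_RE = re.compile(
    r"Registration from '\"?(?P<claimed>[^\"<]*)\"?\s*<sip:(?P<uri>[^>]*)>' "
    r"failed for '(?P<src_ip>[0-9.]+)(?::(?P<src_port>\d+))?' - (?P<reason>.+)$"
)

def parse_line(line):
    """Return the parsed fields of a registration-failure line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["claimed"] = fields["claimed"].strip()
    return fields

def summarize(log_text):
    """Group failures by real source IP; the claimed extensions are kept only as evidence."""
    by_src = defaultdict(lambda: {"count": 0, "claimed": set(), "reasons": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = by_src[rec["src_ip"]]
        entry["count"] += 1
        entry["claimed"].add(rec["claimed"])
        entry["reasons"].add(rec["reason"])
    return by_src

def scanning_sources(by_src, min_distinct=3):
    """Sources that tried at least min_distinct different extension names (enumeration pattern)."""
    return sorted(ip for ip, e in by_src.items() if len(e["claimed"]) >= min_distinct)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, e in summary.items():
        print(f"{ip}: {e['count']} failures, {len(e['claimed'])} distinct extensions, {sorted(e['reasons'])}")
    print("enumeration suspects:", scanning_sources(summary))
```

Run against the real /var/log/asterisk/messages (or `full`) file to see which source addresses are worth matching against the firewall's connection log; the Y.Y.Y.Y:65476 inside the URI only tells you what the attacker wrote, not where the packet entered.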

Thank you. In the meanwhile I had feedback from the firewall support: the security hole might be related to SIP session helper vulnerabilities. I’m setting up an application-level gateway now.