[Help] Security breach - Hacking

Hi all, I believe our server got hacked:

I had USD 80 remaining with a SIP trunk provider yesterday (our consumption was USD 20 in the past 4 months), and this morning the trunk showed a USD 0 balance.

I charged USD 100 again and it was gone more or less instantly.

I believe somebody managed to register at our server and use that trunk.

I have a console permanently open and I can see strange things:

    -- Executing [011972597281478@inbound:1] Goto("SIP/54.72.233.192-0000065d", "+3311972597281478,1") in new stack

[inbound:1 sounds strange to me]

    -- Executing [+381114090713@inbound:1] Wait("SIP/54.72.233.192-000005c1", "1") in new stack
    -- <SIP/54.72.233.192-000005be>AGI Script googletts.agi completed, returning 0
    -- Executing [+381655374968@inbound:3] Set("SIP/54.72.233.192-000005be", "CALLFILENAME=+381655374968-20140918-125735)") in new stack
    -- Executing [+381655374968@inbound:4] Monitor("SIP/54.72.233.192-000005be", "wav,+381655374968-20140918-125735),m") in new stack
    -- Executing [+381655374968@inbound:5] Set("SIP/54.72.233.192-000005be", "CALLERID(num)=+339****1556") in new stack
    -- Executing [+381655374968@inbound:6] Dial("SIP/54.72.233.192-000005be", "SIP/idtexpress/+381655374968") in new stack
  == Using SIP RTP CoS mark 5
    -- Called SIP/idtexpress/+381655374968
    -- Got SIP response 503 "Service Unavailable" back from 66.33.147.149:5060
    -- SIP/idtexpress-000005c2 is circuit-busy
  == Everyone is busy/congested at this time (1:0/1/0)
    -- Executing [+381655374968@inbound:7] Dial("SIP/54.72.233.192-000005be", "SIP/idtexpress2/+381655374968") in new stack
  == Using SIP RTP CoS mark 5
    -- Called SIP/idtexpress2/+381655374968
    -- Executing [+381114090713@inbound:2] AGI("SIP/54.72.233.192-000005c1", "googletts.agi,"Your call is placed through IDT express trunk",en") in new stack
    -- Launched AGI Script /var/lib/asterisk/agi-bin/googletts.agi
    -- Playing '/tmp/88e52685d2803eaccd8a8ad90d0e9539' (escape_digits=) (sample_offset 0)
    -- Got SIP response 503 "Service Unavailable" back from 216.53.4.1:5060
    -- SIP/idtexpress2-000005c3 is circuit-busy
  == Everyone is busy/congested at this time (1:0/1/0)
    -- Auto fallthrough, channel 'SIP/54.72.233.192-000005be' status is 'CONGESTION'
    -- <SIP/54.72.233.192-000005c1>AGI Script googletts.agi completed, returning 0
    -- Executing [+381114090713@inbound:3] Set("SIP/54.72.233.192-000005c1", "CALLFILENAME=+381114090713-20140918-125740)") in new stack
    -- Executing [+381114090713@inbound:4] Monitor("SIP/54.72.233.192-000005c1", "wav,+381114090713-20140918-125740),m") in new stack
    -- Executing [+381114090713@inbound:5] Set("SIP/54.72.233.192-000005c1", "CALLERID(num)=+339****1556") in new stack
    -- Executing [+381114090713@inbound:6] Dial("SIP/54.72.233.192-000005c1", "SIP/idtexpress/+381114090713") in new stack

[We never called those devices]

Can you direct me to where the security breach is located?

Thanks
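As an added example (not code from the post or from Asterisk), a short Python script that scans console output of the kind quoted above and reports Dial() executions where the originating channel is named by a bare IP address (which is how chan_sip names a channel when no configured peer matched the caller) and the target is a long number sent over a provider trunk. The sample log is constructed from a few of the quoted lines plus one made-up internal call as a benign control; the trunk names and the "7 digits or more" threshold are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample input: a handful of the console lines quoted in the post above,
# plus one made-up internal call (SIP/alice dialling extension 1002) as a benign control.
SAMPLE_LOG = """\
    -- Executing [011972597281478@inbound:1] Goto("SIP/54.72.233.192-0000065d", "+3311972597281478,1") in new stack
    -- Executing [+381655374968@inbound:5] Set("SIP/54.72.233.192-000005be", "CALLERID(num)=+339****1556") in new stack
    -- Executing [+381655374968@inbound:6] Dial("SIP/54.72.233.192-000005be", "SIP/idtexpress/+381655374968") in new stack
    -- Got SIP response 503 "Service Unavailable" back from 66.33.147.149:5060
    -- Executing [+381655374968@inbound:7] Dial("SIP/54.72.233.192-000005be", "SIP/idtexpress2/+381655374968") in new stack
    -- Executing [+381114090713@inbound:2] AGI("SIP/54.72.233.192-000005c1", "googletts.agi,"Your call is placed through IDT express trunk",en") in new stack
    -- Executing [1002@internal:1] Dial("SIP/alice-000005d0", "SIP/1002,20") in new stack
    -- Executing [+381114090713@inbound:6] Dial("SIP/54.72.233.192-000005c1", "SIP/idtexpress/+381114090713") in new stack
"""

# Executing [exten@context:priority] App("channel", "args") in new stack
EXEC_RE = re.compile(
    r'Executing \[(?P<exten>[^@\]]+)@(?P<ctx>[^:\]]+):(?P<prio>\d+)\] '
    r'(?P<app>\w+)\("(?P<chan>[^"]+)", "(?P<args>.*)"\) in new stack'
)
# chan_sip channel names look like SIP/<peer name>-<8 hex digits>; for a call that
# matched no configured peer (guest), the "peer name" is just the caller's IP address.
CHAN_RE = re.compile(r'^(?P<tech>\w+)/(?P<peer>.+)-(?P<uid>[0-9a-f]{8})$')


def parse_exec_lines(log):
    """One dict per 'Executing' line with exten, ctx, prio, app, chan, args and peer."""
    events = []
    for line in log.splitlines():
        m = EXEC_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        cm = CHAN_RE.match(ev["chan"])
        ev["peer"] = cm.group("peer") if cm else ev["chan"]
        events.append(ev)
    return events


def is_ip_peer(peer):
    """True when the channel's peer name is a bare IP, i.e. no named peer matched."""
    try:
        ip_address(peer)
        return True
    except ValueError:
        return False


def find_toll_calls(log, trunks, min_digits=7):
    """Dial() events where an IP-named channel sends a long number out over a trunk.

    `trunks` is the set of sip.conf peer names that reach a paid provider (assumed);
    `min_digits` is an assumed threshold separating internal extensions from
    external numbers.
    """
    findings = []
    for ev in parse_exec_lines(log):
        if ev["app"] != "Dial":
            continue
        target = ev["args"].split(",")[0]      # Dial's first argument: Tech/Resource[/number]
        parts = target.split("/")
        if len(parts) < 3:
            continue                            # e.g. SIP/1002: a local peer, no trunk involved
        resource, number = parts[1], "/".join(parts[2:])
        digits = number.lstrip("+")
        if resource not in trunks or not (digits.isdigit() and len(digits) >= min_digits):
            continue
        if is_ip_peer(ev["peer"]):
            findings.append({"src": ev["peer"], "context": ev["ctx"],
                             "trunk": resource, "number": number})
    return findings


def numbers_by_source(findings):
    """Group the dialled numbers by originating IP, handy for a firewall block list."""
    out = {}
    for f in findings:
        out.setdefault(f["src"], set()).add(f["number"])
    return out


if __name__ == "__main__":
    hits = find_toll_calls(SAMPLE_LOG, {"idtexpress", "idtexpress2"})
    for h in hits:
        print(f"{h['src']} via [{h['context']}] -> {h['trunk']} {h['number']}")
    print(numbers_by_source(hits))
```

Run against the full console log (or `/var/log/asterisk/full`), it gives the list of source IPs to firewall off and the numbers to report to the provider; the internal call from `SIP/alice` is ignored because its channel is named after a configured peer and it dials no trunk.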

Hello. These seem to be calls to the Republic of Serbia.

Check this list: voip-info.org/wiki/view/Asterisk+security
Do you follow these points?

If you trust me, you may give me SSH access. Looking through the config files of the vulnerable system may be more efficient than giving advice here.

Use complicated passwords
Don’t allow access from the Internet to your port 5060 if you don’t need it. If you do need it, try to allow only trusted IP addresses (firewall, Asterisk ACL lists, contactpermit/contactdeny options in sip.conf, permit/deny in sip.conf)
Set ‘allowguest=no’ and ‘alwaysauthreject=yes’ in sip.conf
Block everything going to your default context. Specify other context(s) in each configured peer.
Do not use the _X. pattern in your dialplan. Use patterns as strict as possible
Do not put much money into your VoIP provider account

Your primary security flaw, in this case, is that your inbound context is able to make toll calls. Normally the inbound context should only be able to make calls that terminate locally. Your inbound context seems to be serving as the default context mentioned in the previous reply.

You have probably also got allowguest set to yes, unless you have used IP addresses as section names in sip.conf. The guest context certainly should not have any toll call capability.

You should also do other things mentioned previously, as part of security in depth.
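As an added example that is not code from the thread or from Asterisk, a small Python audit that covers both replies above: the sip.conf hardening list (allowguest, alwaysauthreject, a context on every peer, no _X. patterns) and the point that the default/inbound context must not be able to dial a provider trunk. It parses two constructed config pairs, one reproducing those mistakes and one hardened, and returns the findings. Host names, extension 1001, the +339... DID, the secret placeholder and the dial patterns are hypothetical; treating any peer with a static host as a provider trunk is an assumed heuristic.

```python
import re

# Constructed, hypothetical configs (not the poster's files); hosts, the 1001
# extension, the +339... DID and the dial patterns are placeholders.
WEAK_SIP_CONF = """\
[general]
context=inbound        ; unmatched (guest) calls land here; allowguest unset means yes in chan_sip

[idtexpress]
type=peer
host=sip.trunk.example ; hypothetical provider; no context= so its calls also land in [inbound]
"""

WEAK_EXTENSIONS = """\
[inbound]
exten => _X.,1,Dial(SIP/idtexpress/${EXTEN})   ; any number, straight out of the paid trunk
"""

HARDENED_SIP_CONF = """\
[general]
context=nowhere        ; dead-end context for anything unmatched
allowguest=no
alwaysauthreject=yes

[idtexpress]
type=peer
host=sip.trunk.example
context=from-trunk     ; provider calls only terminate locally

[1001]
type=friend
host=dynamic
secret=replace-with-a-long-random-secret
context=internal       ; only authenticated phones reach the toll-capable context
"""

HARDENED_EXTENSIONS = """\
[nowhere]
exten => s,1,Hangup()

[from-trunk]
exten => _+339XXXXXXXX,1,Dial(SIP/1001,20)               ; hypothetical DID

[internal]
exten => _1XXX,1,Dial(SIP/${EXTEN},20)
exten => _0[1-9]XXXXXXXX,1,Dial(SIP/idtexpress/${EXTEN})  ; hypothetical national-only pattern
"""

WIDE_PATTERNS = {"_X.", "_+X.", "_."}
DIAL_RE = re.compile(r"Dial\(\s*SIP/([^/,)]+)/")   # Dial(SIP/<trunk>/<number>...)


def parse_asterisk_conf(text):
    """Minimal parser for Asterisk's ini-style files: {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # ';' starts a comment
        if not line or (current is None and not line.startswith("[")):
            continue
        if line.startswith("["):
            current = line[1:line.index("]")]
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=>" if "=>" in line else "=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def get(section, key, default=None):
    """Last value of `key` in a section, which is the one Asterisk keeps."""
    return next((v for k, v in reversed(section) if k == key), default)


def audit(sip_text, ext_text):
    """Return (code, detail) findings for the mistakes discussed in this thread."""
    sip, ext = parse_asterisk_conf(sip_text), parse_asterisk_conf(ext_text)
    findings, general = [], sip.get("general", [])
    if get(general, "allowguest", "yes") != "no":
        findings.append(("allowguest", "sip.conf [general]: allowguest is not 'no' (chan_sip defaults to yes)"))
    if get(general, "alwaysauthreject", "no") != "yes":
        findings.append(("alwaysauthreject", "sip.conf [general]: alwaysauthreject is not 'yes'"))
    default_ctx = get(general, "context", "default")
    peers = {n: s for n, s in sip.items() if n != "general" and get(s, "type")}
    # Assumed heuristic: a peer with a static host is a trunk to a provider.
    trunks = {n for n, s in peers.items() if get(s, "host", "dynamic") != "dynamic"}
    for name, sec in peers.items():
        if get(sec, "context") is None:
            findings.append(("peer-default-context", f"sip.conf [{name}]: no context=, falls into [{default_ctx}]"))
    for ctx, sec in ext.items():
        for key, value in sec:
            if key != "exten":
                continue
            pattern, _, rest = value.partition(",")
            if pattern in WIDE_PATTERNS:
                findings.append(("wide-pattern", f"extensions.conf [{ctx}]: pattern {pattern} matches any number"))
            m = DIAL_RE.search(rest)
            if m and ctx == default_ctx and m.group(1) in trunks:
                findings.append(("default-context-toll", f"extensions.conf [{ctx}] is the default context and dials trunk {m.group(1)}"))
    return list(dict.fromkeys(findings))        # drop exact duplicates, keep order


if __name__ == "__main__":
    for label, s, e in (("weak", WEAK_SIP_CONF, WEAK_EXTENSIONS),
                        ("hardened", HARDENED_SIP_CONF, HARDENED_EXTENSIONS)):
        print(label, [d for _, d in audit(s, e)] or "no findings")
```

The weak pair produces one finding per item in the list above, the hardened pair none; the trunk can still be dialled, but only from [internal], which is reachable solely by peers that authenticated with a secret. Point the two parsers at a real `/etc/asterisk/sip.conf` and `extensions.conf` to run the same checks on a live box (templates and `#include` are not handled by this toy parser).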