Looks my box is hacked .......... HELP ! URGENT

I have been noticing some suspicious traffic from my box. I got really upset when I got the invoice from my provider. I see calls worth 1500 USD in 4-5 days.

My boxes are on a LAN and closed to the external world. Only the required ports are opened.

My boxes have been in production for the past 2 years and I have never had such an issue. I have scanned the logs but I am unable to find any helpful information, or probably I may not be looking the right information.

My provider says that the calls seem to be coming from an overlaying extension 3245 from your box. I have deleted that extension for now

I need some immediate help. What steps to take and how to trace this out ? There should be an IP address or something with which my extension was registered.

How to stop unregistered extensions from making calls ?

Is there a setting for it?

OR is there a way that I can allow only my network from which calls can be originated and the extension should be registered ?

Hi

[quote]I have scanned the logs but I am unable to find any helpful information, or probably I may not be looking the right information.[/quote] It will be there.

Basicly it sounds as if you have a very poorly secured system,

you need to make sure of at least the following

extensions have a complex password “iujf34thfs” for example not a numberic number

make sure that the sip.con is set correct ,
with
alwaysauthreject=yes

in the general section.

also if all sets are on teh same lan use ACL’s for them

You could also tighten up your iptables to only allow what you want and to block others

and also script checks of the logs

Following things need to do :

  1. Disable SSH login
  2. Check the asterisk service running on root or any other user ? If running on Root change that first .
  3. Run rKhunter on that box
    4.Check the working Extension and there passwords ? any thing if you seend delete and reset the password ?
  4. Agent password should minimum 15 leters mixed with all combination ? Example [color=#FF0000]@WS3ed4578()*vGHjsYR%&[/color]
    6 .Each extension has separate password ?
  5. Finally implement fail2ban and hava look ?

more things i will update …

Privilege escalation attacks are not the normal problem with VoIP systems and running Asterisk non-root can have problems as it is not well supported in that mode, and some optimisation features only work as root. From a privilege escalation point of view, I would probably make sure that it is a dedicated machine, which can easily be totally restored.

The main security risk for VoIP systems is people making calls, through the system without taking advantage of any root privileges.

Incidentally, no-one mentioned setting allowguest to no, which you should also do. This is set to yes in the sample configurations to put minimal obstacles in the way of someone trying out the system, but all security related options should be reviewed for a production configuration.

I believe the latest installation documentation has best practice information on things like choosing secure phone passwords an not using the extension number as the login name.

Thank you guys.

What is the overlapping extension ? My provider says that there was an overlapping extension from which the calls were originated.

I have just googled that and yes, there is a setting

allowoverlap =YES/NO

Shall I set that to no as well ? If I do, is it going to conflict with my outbound dialing ?

Also, if you guys have more tips, do let me know. I can implement failover, but again that’ll take time. I need a few quick things to do to secure my system from being misused again.

OK guys, before I forget, how to stop originating calls from unregistered extensions ? allowguest=no should take care of that, right ?

Hi

You need to look at your dialplan

allowguest is the abilty to accept or reject guest calls.

no part of your dialplan should allow an incoming call to make an outgoing call.

unless your passwords were realy simple you should see attempts in the logs to crack the password.

Ian

I think “overlap” is loose terminology. I think they just mean that someone is impersonating that extension. If your authentication with the service provider is weak, they may be impersonating direct with them!

OK, How do I check the IP from which the calls was made
?

Periphery firewall, OS firewall (e.g. iptables on Linux), or sip.conf permit directives. Preferably all three.

OK David,

I have just set allowguest=no and since then, I am not getting any incoming calls on my PRIs.

How do I set this properly? I am sure this has to be an important setting.

Also, one more thing, I have asked this in my earlier posts also, but no one has responded to it.

I want my extensions to be registered only from a particular subnet/network, regardless of the fact whether it is public or not. Is there any setting as such? Asterisk should register extensions only from a private network

I have all of these bookmarked on my system, I have implemented them all!

You should also look at permit and deny voip-info.org/wiki/view/Aste … -deny-mask

This will help limit the amount of attempts that a person can try to guess a password for an exten pbxinaflash.com/forum/showthread.php?t=5018

This is for fail2ban(awesome!) voip-info.org/wiki/view/Fail … d+Asterisk

More interesting IPTABLES stuff linuxquestions.org/questions … es-553467/

More IPTABLES blogs.techrepublic.com.com/10things/?p=539

Straight from Digium blogs.digium.com/2009/03/28/sip-security/

Also I am using Asterisk with no GUI so my extens are like FrontOffice, and StoreRoom, with different passwords, then I just have something like exten = 100,1,Dial(SIP/FrontOffice,20) in my extensions.conf so phones register with different names and not numerical extensions.

That was indeed great HELP !