My PBX was hacked... but how?

First of all… I have a TP Link W8970 Router at home.

I have Asterisk 1.8.31.1-0060 running on Synology DS114. Along with Asterisk I have an OpenVPN server running.

I set it up with standard configuration and added the rules to allow OpenVPN connections. However, even after disabling these and allowing no inbound connections at all, I still get weird requests on the Asterisk PBX. I will go through the open channels thoroughly in a moment. How is this possible? Is the SIP protocol recognized by the router and access to the server allowed automatically? This is actually quite scary, if this is the case.

I will give you the “sip show channels” output here:

194.247.61.43 (main SIP trunk provider)
91.217.201.91 (failover SIP trunk provider)

IP2 Location gives me
173.208.168.34 United States Missouri Kansas City Zhou Pizhong
82.205.2.8 Palestine, State Of Gaza Rafah Hadara Technologies Private Shareholding Company

Obviously I have no idea who these two IP addresses belong to.

While being hacked I checked the sip channels in use quite some times with very little time in between:

Peer             User/ANR         Call ID          Format           Hold     Last Message    Expiry     Peer      
91.217.201.91    005341527612     743ec99c15d02ef  0x8 (alaw)       No       Tx: ACK                    trunk_1   
82.205.2.8       22               5a47596a0d01985  0x2 (gsm)        No       Rx: ACK                    22 
173.208.168.34   9001             980dd1339798428  0x0 (nothing)    No       Rx: INVITE 

And after a few moments

Peer             User/ANR         Call ID          Format           Hold     Last Message    Expiry     Peer      
173.208.168.34   9001             0d477194765fc09  0x0 (nothing)    No       Rx: INVITE                    
91.217.201.91    (user uno)        36c229462a0286b  0x0 (nothing)    No       Init: NOTIFY                  
91.217.201.91    005341527612     743ec99c15d02ef  0x8 (alaw)       No       Tx: ACK                    trunk_1   
82.205.2.8       22               5a47596a0d01985  0x2 (gsm)        No       Rx: ACK                    22        
194.247.61.32    (user 1)         24fd5a445c0c0ec  0x0 (nothing)    No       Init: NOTIFY                  
194.247.61.32    (user 2)         61e8682f571ce69  0x0 (nothing)    No       Init: NOTIFY                  
194.247.61.32    (user 3)         7272dad25fb02dc  0x0 (nothing)    No       Init: NOTIFY                  

a few minutes later

Peer             User/ANR         Call ID          Format           Hold     Last Message    Expiry     Peer      
91.217.201.91    005341527612     743ec99c15d02ef  0x8 (alaw)       No       Tx: ACK                    trunk_1   
82.205.2.8       22               5a47596a0d01985  0x2 (gsm)        No       Rx: ACK                    22        
192.168.1.107    (None)           5b61e6d57879d8d  0x0 (nothing)    No       Rx: REGISTER     

moments later

Peer             User/ANR         Call ID          Format           Hold     Last Message    Expiry     Peer      
91.217.201.91    005341527612     743ec99c15d02ef  0x8 (alaw)       No       Tx: ACK                    trunk_1   
82.205.2.8       22               5a47596a0d01985  0x2 (gsm)        No       Rx: ACK                    22        
173.208.168.34   9001             f7b3605571f7530  0x0 (nothing)    No       Rx: INVITE 

moments later

Peer             User/ANR         Call ID          Format           Hold     Last Message    Expiry     Peer      
91.217.201.91    005341527612     743ec99c15d02ef  0x8 (alaw)       No       Tx: ACK                    trunk_1   
82.205.2.8       22               5a47596a0d01985  0x2 (gsm)        No       Rx: ACK                    22        

some minutes later after a few calls made by me

Peer             User/ANR         Call ID          Format           Hold     Last Message    Expiry     Peer      
91.217.201.91    005341527612     743ec99c15d02ef  0x8 (alaw)       No       Tx: ACK                    trunk_1   
82.205.2.8       22               5a47596a0d01985  0x2 (gsm)        No       Rx: ACK                    22        
192.168.1.107    (None)           5b61e6d57879d8d  0x0 (nothing)    No       Rx: REGISTER                  

moments later

Peer             User/ANR         Call ID          Format           Hold     Last Message    Expiry     Peer      
91.217.201.91    005341527612     743ec99c15d02ef  0x8 (alaw)       No       Tx: ACK                    trunk_1   
82.205.2.8       22               5a47596a0d01985  0x2 (gsm)        No       Rx: ACK                    22        
192.168.1.107    (None)           5b61e6d57879d8d  0x0 (nothing)    No       Rx: REGISTER                  
173.208.168.34   9001             ecaf05a65136a03  0x0 (nothing)    No       Rx: INVITE                    

some minutes later

Peer             User/ANR         Call ID          Format           Hold     Last Message    Expiry     Peer      
91.217.201.91    005341527612     743ec99c15d02ef  0x8 (alaw)       No       Tx: ACK                    trunk_1   
82.205.2.8       22               5a47596a0d01985  0x2 (gsm)        No       Rx: ACK                    22        
173.208.168.34   9001             736ed95dc32690e  0x0 (nothing)    No       Rx: INVITE                    

moments later

Peer             User/ANR         Call ID          Format           Hold     Last Message    Expiry     Peer      
91.217.201.91    005341527612     743ec99c15d02ef  0x8 (alaw)       No       Tx: ACK                    trunk_1   
173.208.168.34   999              a3d756e632f84da  0x0 (nothing)    No       Rx: INVITE                    
82.205.2.8       22               5a47596a0d01985  0x2 (gsm)        No       Rx: ACK                    22        

moments later

Peer             User/ANR         Call ID          Format           Hold     Last Message    Expiry     Peer      
192.168.1.103    (None)           u74aiocm.vCg9MT  0x0 (nothing)    No       Rx: REGISTER                  
91.217.201.91    005341527612     743ec99c15d02ef  0x8 (alaw)       No       Tx: ACK                    trunk_1   
173.208.168.34   999              e8495b296a4e8a5  0x0 (nothing)    No       Rx: INVITE                    
82.205.2.8       22               5a47596a0d01985  0x2 (gsm)        No       Rx: ACK                    22        

moments later

Peer             User/ANR         Call ID          Format           Hold     Last Message    Expiry     Peer      
91.217.201.91    005341527612     743ec99c15d02ef  0x8 (alaw)       No       Tx: ACK                    trunk_1   
82.205.2.8       22               5a47596a0d01985  0x2 (gsm)        No       Rx: ACK                    22        
173.208.168.34   999              86821423506703e  0x0 (nothing)    No       Rx: INVITE                    

Reset router, setting up firewall rules, did not help

Peer             User/ANR         Call ID          Format           Hold     Last Message    Expiry     Peer      
91.217.201.91    005341527612     743ec99c15d02ef  0x8 (alaw)       No       Tx: ACK                    trunk_1   
82.205.2.8       22               5a47596a0d01985  0x2 (gsm)        No       Rx: ACK                    22        
173.208.168.34   999              d9313e71157d6d1  0x0 (nothing)    No       Rx: INVITE  

Reboot Asterisk PBX

Peer             User/ANR         Call ID          Format           Hold     Last Message    Expiry     Peer      
173.208.168.34   1014             91dd6fa0d438d9d  0x0 (nothing)    No       Rx: INVITE                    
1 active SIP dialog

I used the graphical user interface to configure the whole thing… How the **** did others get access to my Asterisk server being behind a NAT-enabled SOHO router with local IPs?

The local users on my system were called 20, 21, 22. At some point during the print outs I decided to delete the user “22” since this was the one being hacked.

Please help on this issue - I’m afraid to start the server again (it is not running at the moment since I already lost more than 100$ on phone calls to the State of Palestine)

AsteriskGUI is past end of life. If Synology supplied it, you should ask them for support and not accept a redirection here.

There is no evidence that the attacks have succeeded, although you are at the last line of defence (secure passwords). On the other hand, as you haven’t provided appropriate logging, there is also no confirmation that they haven’t succeeded.

There is a lot of advice available on securing raw Asterisk, but probably very little on securing AsteriskGUI.

As well as making sure that your passwords really are secure, and preferably making the user names non-guessable (the latter almost certainly impossible with AsteriskGUI, as it is impossible with FreePBX), you should use iptables to limit access to just those public networks that need access (possibly just your ITSP’s internal network), or use something like fail2ban (about which much can be found through Google) to rate limit attacks by dynamically manipulating the firewall.

Which log files are appropriate to include? And does the normal log level include appropriate information?

Furthermore, how can the attacker “hijack” the SIP connection when the router is not setup to perform any forwarding on the ports?

I did use passwords! However, these seem to be fast to hack?

There is a security log that you can enable, but you generally want normal logging at verbose level 3 or more to see if the attacks are succeeding.

Ask Synology about their firewall configuration, but they presumably set up Asterisk for use with an unspecified SIP provider, so they need to leave a path open for SIP from any source, as they don’t know which IP addresses will be trustworthy. In that case, you will get attacked.

The information you have provided so far only shows that an attack was attempted. It doesn’t show whether or not it was blocked because of the password. It will show INVITE received, even if that INVITE had no valid authentication.

As well as passwords, you can set address restrictions on the devices corresponding to local extensions, but you will still get similar logging to that which you get for a bad password.
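The replies above make two points: the channel listing only proves an INVITE or REGISTER arrived, and the security log plus fail2ban-style rate limiting is what tells you whether the attempts were rejected and who should be firewalled. As an added example (not from this thread, Asterisk or fail2ban), the Python below applies both checks to constructed security-log lines; the log lines and the trust list (LAN plus the two trunk providers named in the post) are assumptions modelled on the peers in the listing.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in the key="value" layout res_security_log writes (Asterisk 1.8 style);
# they are not from the poster's box, only modelled on the peers seen in its channel listing.
SAMPLE_LOG = """\
[2015-03-01 10:00:01] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",AccountID="9001",LocalAddress="IPV4/UDP/192.168.1.5/5060",RemoteAddress="IPV4/UDP/173.208.168.34/5060"
[2015-03-01 10:00:40] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",AccountID="999",LocalAddress="IPV4/UDP/192.168.1.5/5060",RemoteAddress="IPV4/UDP/173.208.168.34/5060"
[2015-03-01 10:01:15] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="22",LocalAddress="IPV4/UDP/192.168.1.5/5060",RemoteAddress="IPV4/UDP/192.168.1.107/5060"
[2015-03-01 10:02:30] SECURITY[2101] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="SIP",AccountID="22",LocalAddress="IPV4/UDP/192.168.1.5/5060",RemoteAddress="IPV4/UDP/82.205.2.8/5060"
[2015-03-01 10:05:12] SECURITY[2101] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="SIP",AccountID="1014",LocalAddress="IPV4/UDP/192.168.1.5/5060",RemoteAddress="IPV4/UDP/173.208.168.34/5060"
"""

TS_RE = re.compile(r"^\[([^\]]+)\]")
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
FAILURE_EVENTS = {"InvalidAccountID", "InvalidPassword", "ChallengeResponseFailed"}
# Assumed trust list: the LAN plus the two trunk providers named in the post.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("192.168.1.0/24", "194.247.61.0/24", "91.217.201.91/32")]

def parse_line(line):
    """Return the event's fields plus 'ts' and 'ip', or None if the line is not a security event."""
    m = TS_RE.match(line)
    if not m or "SecurityEvent=" not in line or "RemoteAddress=" not in line:
        return None
    ev = dict(FIELD_RE.findall(line))
    ev["ts"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    ev["ip"] = ev["RemoteAddress"].split("/")[2]  # IPV4/UDP/<addr>/<port>
    return ev

def is_trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)

def analyse(lines, maxretry=3, window=timedelta(minutes=10)):
    """Sliding-window count of auth failures per source (the check a fail2ban filter performs)
    and a list of successful authentications from sources outside the trust list."""
    recent = defaultdict(list)
    to_block, untrusted_success = set(), []
    for ev in filter(None, map(parse_line, lines)):
        if ev["SecurityEvent"] in FAILURE_EVENTS:
            hist = [t for t in recent[ev["ip"]] if ev["ts"] - t <= window] + [ev["ts"]]
            recent[ev["ip"]] = hist
            if len(hist) >= maxretry:
                to_block.add(ev["ip"])
        elif ev["SecurityEvent"] == "SuccessfulAuth" and not is_trusted(ev["ip"]):
            untrusted_success.append((ev["ip"], ev["AccountID"]))
    return to_block, untrusted_success
```

A SuccessfulAuth from an address outside the trust list is the confirmation the second reply says the channel listing alone cannot give; the rate-limited set is what you would feed to iptables.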