My PC with Asterisk 1.8.11.1+FreePBX 2.10.0 has been hacked

My PC with Asterisk 1.8.11.1+FreePBX 2.10.0 has been hacked, but I do not understand how?!

I am just a beginner with Asterisk (running it just a couple of months).
The attacker (or attackers?) (Egypt origin, or a proxy/VPN in Egypt) did not get the password from the extension; however, he managed to get calls through around 500 times
and emptied my VoIP account within 1 hour during night time (thank god I did not have auto-recharge on that :wink:)!

Here is the part of the log file with the incorrect registration attempts:

[2012-05-07 04:20:15] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.7.85:11482' - Wrong password
[2012-05-07 04:21:36] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.7.85:11482' - Wrong password
[2012-05-07 04:24:16] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.7.85:11482' - Wrong password
[2012-05-07 04:29:37] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.7.85:11482' - Wrong password
[2012-05-07 04:40:17] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.6.149:10000' - Wrong password
[2012-05-07 04:52:17] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.7.164:10508' - Wrong password
[2012-05-07 04:52:37] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.7.164:10508' - Wrong password
[2012-05-07 04:56:48] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.7.164:10709' - Wrong password
[2012-05-07 04:58:54] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.4.57:10000' - Wrong password
[2012-05-07 04:59:14] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.4.57:10000' - Wrong password
[2012-05-07 05:12:08] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.4.57:10003' - Wrong password
[2012-05-07 05:12:29] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.4.57:10003' - Wrong password
[2012-05-07 06:22:29] NOTICE[28584] chan_sip.c: Registration from 'sip:100@87.xxx.xxx.xxx' failed for '41.237.5.23:10033' - Wrong password

Here is the part of the log file showing successful calls after the unsuccessful extension registration!!! (Unfortunately debug is off.)

[2012-05-07 04:29:11] VERBOSE[28584] netsock2.c: == Using SIP RTP TOS bits 184
[2012-05-07 04:29:11] VERBOSE[28584] netsock2.c: == Using SIP RTP CoS mark 5
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [0088213090436@from-internal:1] Macro("SIP/100-0000031c", "user-callerid,LIMIT,") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-user-callerid:1] Set("SIP/100-0000031c", "AMPUSER=100") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-user-callerid:2] GotoIf("SIP/100-0000031c", "0?report") in new stack


[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:12] GosubIf("SIP/100-0000031c", "0?sub-flp-3,s,1()") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:13] Set("SIP/100-0000031c", "OUTNUM=0088213090436") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:14] Set("SIP/100-0000031c", "custom=SIP/CheapVOIPtrunk") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:15] ExecIf("SIP/100-0000031c", "0?Set(DIAL_TRUNK_OPTIONS=M(setmusic^default))") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:16] ExecIf("SIP/100-0000031c", "0?Set(DIAL_TRUNK_OPTIONS=M(confirm))") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:17] Macro("SIP/100-0000031c", "dialout-trunk-predial-hook,") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk-predial-hook:1] MacroExit("SIP/100-0000031c", "") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:18] GotoIf("SIP/100-0000031c", "0?bypass,1") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:19] ExecIf("SIP/100-0000031c", "1?Set(CONNECTEDLINE(num,i)=0088213090436)") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:20] ExecIf("SIP/100-0000031c", "1?Set(CONNECTEDLINE(name,i)=CID:100)") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:21] GotoIf("SIP/100-0000031c", "0?customtrunk") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:22] Set("SIP/100-0000031c", "D_LOPT=") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:23] Set("SIP/100-0000031c", "ARG1=300") in new stack


[2012-05-07 04:29:11] VERBOSE[3502] pbx.c: -- Executing [s@macro-dialout-trunk:31] Dial("SIP/100-0000031c", "SIP/CheapVOIPtrunk/0088213090436,300,") in new stack
[2012-05-07 04:29:11] VERBOSE[3502] netsock2.c: == Using SIP RTP TOS bits 184
[2012-05-07 04:29:11] VERBOSE[3502] netsock2.c: == Using SIP RTP CoS mark 5
[2012-05-07 04:29:12] VERBOSE[3502] app_dial.c: -- Called SIP/CheapVOIPtrunk/0088213090436

I have closed port 5060 now for all foreign IPs.
Egyptians continue to try, but without success now.

Any idea guys what it was and how it was done?!

How does it happen? Easy, you open your ports to the world.
How does it work? When people find an open SIP port they flood your PBX with brute-force registration attempts (bot registration) until they register to your machine.

How to keep secured? Don't open your port if you don't need it. Block failed registration attempts (use iptables + fail2ban or blockhost).

Google is your friend.

[quote="navaismo"]How does it happen? Easy, you open your ports to the world.
How does it work? When people find an open SIP port they flood your PBX with brute-force registration attempts (bot registration) until they register to your machine.

How to keep secured? Don't open your port if you don't need it. Block failed registration attempts (use iptables + fail2ban or blockhost).

Google is your friend.[/quote]

So, does it mean that Asterisk lets calls in without registration? Fail2ban was not much of a help because it required 5 unsuccessful attempts (default setting) to register before blocking the host, and in my case the attacker got connected after the first attempt?!!
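To make the fail2ban point above concrete (the attacker rotated source addresses, so a per-IP maxretry of 5 is never reached within the findtime window), here is an added example that is not code from this thread: it parses chan_sip "Wrong password" NOTICE lines and replays fail2ban-style counting for a chosen maxretry/findtime. The sample lines are constructed from the times and addresses posted above (with straight quotes, as Asterisk actually writes them).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the failed registrations posted in the thread, rebuilt
# from (time, source) pairs so the regex below is exercised on real-shaped lines.
_FAILS = [("04:20:15", "41.237.7.85:11482"), ("04:21:36", "41.237.7.85:11482"),
          ("04:24:16", "41.237.7.85:11482"), ("04:29:37", "41.237.7.85:11482"),
          ("04:40:17", "41.237.6.149:10000"), ("04:52:17", "41.237.7.164:10508"),
          ("04:52:37", "41.237.7.164:10508"), ("04:56:48", "41.237.7.164:10709"),
          ("04:58:54", "41.237.4.57:10000"), ("04:59:14", "41.237.4.57:10000"),
          ("05:12:08", "41.237.4.57:10003"), ("05:12:29", "41.237.4.57:10003"),
          ("06:22:29", "41.237.5.23:10033")]
SAMPLE_LOG = "\n".join(
    f"[2012-05-07 {t}] NOTICE[28584] chan_sip.c: Registration from "
    f"'sip:100@87.xxx.xxx.xxx' failed for '{src}' - Wrong password"
    for t, src in _FAILS)

# Same shape as a fail2ban asterisk filter: timestamp and offending source IP.
LINE_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'[^']*' failed for '(?P<ip>[\d.]+):\d+' - Wrong password")


def parse_failures(log_text):
    """Return a list of (datetime, source_ip) for every failed registration."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]))
    return found


def simulate_bans(failures, maxretry, findtime_s):
    """Mimic fail2ban counting: ban an IP once it has maxretry failures
    inside a sliding window of findtime_s seconds. Returns {ip: ban_time}."""
    window = timedelta(seconds=findtime_s)
    recent = defaultdict(list)
    banned = {}
    for ts, ip in sorted(failures):
        if ip in banned:
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    for retries in (5, 3, 1):   # fail2ban default is maxretry=5, findtime=600
        print(retries, sorted(simulate_bans(fails, retries, 600)))
```

With the defaults no source ever gets banned, which matches what the OP observed; only a much lower maxretry (or blocking the port for non-local addresses, as was done) stops this pattern.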

Depends how you configure it. If you have allowguest set to yes, it will do so, although that didn’t happen here. If you have a sip.conf entry with a static host address, they won’t need to register, but will still need a password. The same, I think, applies to friend or user ones, which match the From: address. If, in addition, you have insecure=invite (including port,invite and the obsolete very), I think it will allow a user match without a password.

How you avoid these combinations with FreePBX should be asked on a FreePBX forum, if not obvious.
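As an added illustration of the combinations the reply above warns about (not configuration from this thread or from FreePBX itself), here is a sip.conf extension written the weak way next to a hardened equivalent; the secret and the LAN range are placeholder values.

```ini
; --- Weak: unauthenticated INVITEs matched by From: user ---
[general]
allowguest=yes            ; calls from unknown peers are accepted
alwaysauthreject=no       ; "wrong password" and "no such user" answer differently

[100]
type=friend               ; inbound INVITE matched by From: user, not only by source address
host=dynamic
secret=100                ; weak, guessable secret (constructed example value)
insecure=port,invite      ; incoming INVITEs are not challenged for credentials
context=from-internal     ; full outbound dial plan, trunk included

; --- Hardened: the same extension, registration and password required ---
[general]
allowguest=no             ; reject INVITEs that match no configured peer
alwaysauthreject=yes      ; identical rejection whether user or password is wrong

[100]
type=peer                 ; matched by the address it registered from, never by From: user
host=dynamic
secret=CHANGE-ME-long-random-secret   ; placeholder: use a long random value
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0      ; assumed LAN of the handset; adjust to yours
context=from-internal
call-limit=2              ; bound concurrent calls one phone may place
```

FreePBX regenerates sip_additional.conf from its database, so these per-extension settings belong in the GUI's extension and SIP settings rather than in a hand-edited file, or they will be overwritten on the next reload.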

Are you using type=friend with your extensions? If yes, then fail2ban is ineffective. Not sure why FreePBX folks are pushing this turd down everybody’s throat. Note there were 3 FreePBX exploits earlier this year which would give the attacker full access to the GUI without having to authenticate.

I think it is because the documentation is confusing and the detailed meanings have changed, and may differ between technologies. Everyone who doesn’t cut and paste seems to use an empirical approach and stops when they find something that lets the traffic through, without thinking about collateral damage.

Although I don’t know of exploits, the same thing happens with the parameter whose name warns you it is dangerous. Everyone says use “invite,port” (was “very”), when most people only need “invite”.