Pretty strange hack

Hi

I believe I have a pretty secure set of servers, and in over 7 years being open to the internet, I had not been hacked… until tonight.

The thing that really puzzles me is that the hacker registered without a single failure, with a 10-digit username and a 10-character alphanumeric password, upper and lowercase.
I am fairly confident that the hacker has not gotten hold of the account info (he is from Palestine, thousands of miles from where I work), unless he hacked into my customer's email and then decided to hack my server, etc… but I really doubt it.

How could the guy have got the right password on the first shot? Strangely enough, I've already seen valid usernames with wrong-password attempts, but username and password both right on the 1st attempt really surprises me!

Any ideas (other than that he got hold of the credentials in some way) would be nice. The Asterisk version is 11.21.0, if that helps.
J.

Registering an extension with a 10-digit username and a 10-character alphanumeric password, upper and lowercase, on the first attempt indicates he already had the credentials. This can't be considered an exploit or a backdoor on your system. If this were an exploit, he would be able to register using other extensions as well.

Rationally, I agree that the only way he could do this is by having the credentials. Yet I really fail to understand how he got hold of them. The customer registered its PBX probably 2 years ago, and very likely kept the password in an email, but that would mean the customer got hacked, the hacker found this information, and was able to use it… looks very unlikely to me.

Are you using a GUI like FreePBX to administer your box? Does the machine have a public IP, or did you port forward the ports Asterisk needs to work?

Yes, the machine has a public IP, and yes, I use a2billing for customers to access their accounts (through an SSL page), but the Apache logs don't show anything weird.

So far, I have worked out pretty decent iptables rules that have blocked a lot of people out (probably 20 scanners per day per server), and fail2ban hardly ever blocks anyone. But I still don't get how he got these credentials.

I am thinking of adding geo lookup in iptables.

J.
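The pattern J. describes twice in this thread (a registration that succeeds with no preceding failures, from a source that has never registered this account before) is exactly what fail2ban and failure-counting iptables rules cannot see, because there is nothing to count. What follows is an added example, not code from the original thread or from Asterisk: a small parser over constructed log lines that imitate the key="value" records written by Asterisk's res_security_log module, flagging a SuccessfulAuth that arrives from a never-seen source with no failures in the preceding window. The field layout (SecurityEvent, AccountID, RemoteAddress="IPV4/UDP/ip/port") is an assumption about that format; every timestamp, account ID and address in the sample is made up.

```python
"""Flag SIP registrations that succeed on the first try from a source never
seen before for that account.

Added example, not code from the original thread or from Asterisk. The lines
imitate the key="value" records written by Asterisk's res_security_log module;
the field layout is an assumption about that format, and every timestamp,
account ID and address below is constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\] \S+: (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Events that count as a failed attempt. ChallengeSent is the normal first leg
# of a digest-authenticated REGISTER and is deliberately not counted.
FAILURE_EVENTS = {"InvalidPassword", "ChallengeResponseFailed", "InvalidAccountID"}

# Constructed baseline: account -> source IPs it has registered from before.
KNOWN_SOURCES = {"1234567890": {"203.0.113.20"}}

# Constructed log excerpt (RFC 5737 documentation addresses, made-up accounts).
SAMPLE_LOG = """\
[2016-04-12 22:10:01] SECURITY[2164] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",AccountID="100",RemoteAddress="IPV4/UDP/192.0.2.44/5060"
[2016-04-12 22:13:44] SECURITY[2164] res_security_log.c: SecurityEvent="ChallengeSent",Severity="Informational",Service="SIP",AccountID="1234567890",RemoteAddress="IPV4/UDP/203.0.113.20/5060"
[2016-04-12 22:13:45] SECURITY[2164] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="SIP",AccountID="1234567890",RemoteAddress="IPV4/UDP/203.0.113.20/5060",UsingPassword="1"
[2016-04-12 23:41:08] SECURITY[2164] res_security_log.c: SecurityEvent="ChallengeSent",Severity="Informational",Service="SIP",AccountID="1234567890",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2016-04-12 23:41:09] SECURITY[2164] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="SIP",AccountID="1234567890",RemoteAddress="IPV4/UDP/198.51.100.7/5060",UsingPassword="1"
[2016-04-12 23:49:00] SECURITY[2164] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="2233445566",RemoteAddress="IPV4/UDP/192.0.2.44/5060"
[2016-04-12 23:49:30] SECURITY[2164] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="2233445566",RemoteAddress="IPV4/UDP/192.0.2.44/5060"
[2016-04-12 23:50:00] SECURITY[2164] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="SIP",AccountID="2233445566",RemoteAddress="IPV4/UDP/192.0.2.44/5060",UsingPassword="1"
"""


def parse_line(line):
    """Return (timestamp, {field: value}) for one security log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("body")))
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, fields


def remote_ip(fields):
    """RemoteAddress looks like IPV4/UDP/198.51.100.7/5060; keep the IP part."""
    parts = fields.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) >= 3 else ""


def find_suspicious_logins(lines, known_sources, window_seconds=600):
    """Walk the log in order and return alerts for SuccessfulAuth events from a
    source not in the account's baseline. A success with no failures from that
    (account, ip) pair in the preceding window is the credential-theft profile
    described in the thread; a success after failures looks like guessing."""
    failures = defaultdict(list)              # (account, ip) -> [timestamps]
    seen = {acct: set(ips) for acct, ips in known_sources.items()}
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, f = parsed
        acct, ip, event = f.get("AccountID"), remote_ip(f), f.get("SecurityEvent")
        if event in FAILURE_EVENTS:
            failures[(acct, ip)].append(ts)
        elif event == "SuccessfulAuth":
            recent = [t for t in failures[(acct, ip)]
                      if (ts - t).total_seconds() <= window_seconds]
            if ip not in seen.get(acct, set()):
                reason = ("first-try success from never-seen source" if not recent
                          else f"success from new source after {len(recent)} failures")
                alerts.append({"time": ts, "account": acct, "ip": ip, "reason": reason})
            # Learn the source so the same pair is not re-alerted on re-REGISTER.
            seen.setdefault(acct, set()).add(ip)
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_logins(SAMPLE_LOG.splitlines(), KNOWN_SOURCES):
        print(f"{a['time']}  account={a['account']}  from={a['ip']}  {a['reason']}")
```

Run against the sample, the legitimate re-registration of 1234567890 from its usual address is silent, the 23:41 success from 198.51.100.7 is flagged as a first-try success from a never-seen source, and the 23:50 success for 2233445566 is flagged separately as a success following two failures. In practice the baseline would be persisted per account and the alert fed to the same notification path as fail2ban, which is the gap this check fills.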

Which version of a2billing do you use?

A fairly old one, 1.4, but only the customer module is exposed; the others are restricted by .htaccess.

Well, a2billing had some issues in the past. Also, can the customers change their password? From the web interface, can they find out their SIP ID and password?

OK, I think I'm starting to understand… I've blocked most of the world via IPSET, and yet I saw another attack this morning, same profile, etc., but coming from a legit IP: a private telephony installer that installed the account whose credentials were stolen yesterday. I strongly suspect that the issue comes from there.