Hi, my system has been hacked. I do not know whether it is just the SIP passwords that have been hacked or total access to my system at this moment. the good news was i only had $5 in the termination account, which of course is gone.
i want to get the IP address of the SIP peer of the hacker.
From the call log of freePBX, i guess they log in any try again a few hours or within 24 hours.
if a SIP peer is logged in, then at the CLI if i type “sip show peers” i will get their IP address.
they will only log in for a few minutes, and its unlikely i will be at the console to see it.
Is there a way i can log the IP address’s of all the SIP peers?
Even if i log all IP address of all SIP peers thats ok as i only have a few phones going now so it will be obvious which is theirs, they are logging in with different SIP peer extensions.
any suggestions? ideally before they next log in to my system.
You should be able to see the IP addresses of the registered peers in full.log. When a peer registers with Asterisk, a time and IP address information is saved in the logs.
First change all your passwords
thats root maint wwwadmin admin(if it exists)
now change all you sip paswords.
now go to /var/log/httpd
and look through the access_log for any ips you don’t recognize
look through the /var/log/secure log for any failed logins or successful logins you don’t recognize
now look through the /var/log/asterisk/full or messages (depends on logging level)
and look for failed registrations.
now add all these iPs to you iptables config
type ‘last’ this will show you whos logged in
type ‘lastb’ to see failed logins
now type history and see if they have left any trails
First and formost change your passwords NOW
Hi Ian, hope you are still here. how to change all the passwords.
the server guy changed the root password and i use this to SSH to the system. these other passwords, are they the Centos system passwords or FreePBX passwords, I am trying to work out where to change them. the SIP passwords will be easy enough.
To access A2billing admin web interface:
Server IP: IP ADDRESS/A2Billing_UI
Admin Login: admin
===>>I guess i change this by logging in to the asterisk2 billing, and change any others here.
To access freepbx web interface:
URL: IP ADDRESS/admin
===>> passwd-maint from an ssh session?
correct?, i found this from internet - i did actually change it once before a few years ago.
and from within freePBX change the ones you can do at basic administrators.
you indicated there were others, but i have not seen them. there is a Mysql password but i have never used this myself (i do have it from the server guy)
it seems they are directly accessing the SIP trunk as well, not via my server and so i will get the SIP terminator to change that password as well! nice little infestation i have.
Hi Check out
I can guess what they have done and what you haven’t.