Dear all,
I have 2 Asterisk Servers, one using 1.8.20.1 and the other one using 11.2.1
(using ScopServ)
The only exposed port on the Internet was SIP 5060 TCP/UDP for both servers.
We received a call from our SIP provider telling us that there was a huge amount of calls to “strange” countries. Actually we have lost about 2000 USD.
When I connect to the systems I can see that the extensions are linked to the correct IPs.
But if I do a sip show channels I can see other IP addresses opening channels to “strange phone numbers”.
Below is a sample:
scopserv*CLI> sip show peers
Name/username Host Dyn Forcerport ACL Port Status Description
6701/6701 192.168.100.106 D 5062 OK (21 ms)
6702/6702 192.168.100.107 D 5062 OK (34 ms)
6703/6703 192.168.100.105 D 5062 OK (25 ms)
6704/6704 192.168.100.129 D 5060 OK (18 ms)
6705/6705 192.168.100.130 D 5060 OK (31 ms)
6707/6707 (Unspecified) D 0 UNKNOWN
6711/6711 192.168.100.122 D 5062 OK (26 ms)
6712/6712 192.168.100.100 D 5062 OK (41 ms)
6713/6713 190.99.105.47 D N 5060 OK (369 ms)
6714/6714 192.168.100.110 D 5062 OK (19 ms)
6717/6717 192.168.100.120 D 5062 OK (49 ms)
6718/6718 192.168.100.121 D 5062 OK (33 ms)
6720/6720 192.168.100.109 D 5062 OK (21 ms)
patton 192.168.100.253 5060 OK (20 ms)
14 sip peers [Monitored: 13 online, 1 offline Unmonitored: 0 online, 0 offline]
scopserv*CLI> sip show cha
channels channelstats channel
scopserv*CLI> sip show channel
Usage: sip show channel <call-id>
Provides detailed status on a given SIP dialog (identified by SIP call-id).
scopserv*CLI> sip show channels
Peer User/ANR Call ID Format Hold Last Message Expiry Peer
192.168.100.253 006703307212 15f3211728fe4d4 (ulaw) No Tx: ACK patton
67.222.131.147 6720 6920bc57618847d (ulaw) No Rx: ACK 6720
67.222.131.147 6720 2544fc205ecc41d (ulaw) No Rx: ACK 6720
67.222.131.147 6720 cd0ff3f13d80411 (ulaw) No Rx: ACK 6720
67.222.131.147 6720 d70a293970b94f0 (ulaw) No Rx: ACK 6720
192.168.100.253 006703307212 39dcdeb269b7698 (ulaw) No Tx: ACK patton
192.168.100.253 006703307212 7f6702fb7926120 (ulaw) No Tx: ACK patton
192.168.100.253 006703307212 0b38b5dc61c9337 (ulaw) No Tx: ACK patton
192.168.100.129 (None) 2783172508@192_ (nothing) No Rx: REGISTER <guest>
9 active SIP dialogs
scopserv*CLI>
When we saw that, we changed the extension password.
5 minutes later it started again… just as if the hacker was able to use any extension without a password.
So we closed port 5060 from the Internet.
I have seen that 67.222.131.147 was linked with SIPSORCERY.
Furthermore, in my log files I have tons of:
[2013-03-05 04:41:52] NOTICE[9372] chan_sip.c: Call from '' (95.138.169.103:5071) to extension '00441904890672' rejected because extension not found in context 'all-incoming-guest'.
[2013-03-05 04:41:57] NOTICE[9372] chan_sip.c: Call from '' (95.138.169.103:5076) to extension '00441904890672' rejected because extension not found in context 'all-incoming-guest'.
[2013-03-05 04:42:01] NOTICE[9372] chan_sip.c: Call from '' (95.138.169.103:5076) to extension '00441904890672' rejected because extension not found in context 'all-incoming-guest'.
[2013-03-05 04:42:06] NOTICE[9372] chan_sip.c: Call from '' (95.138.169.103:5076) to extension '00441904890672' rejected because extension not found in context 'all-incoming-guest'.
[2013-03-05 04:42:10] NOTICE[9372] chan_sip.c: Call from '' (95.138.169.103:5076) to extension '00441904890672' rejected because extension not found in context 'all-incoming-guest'.
[2013-03-05 04:42:15] NOTICE[9372] chan_sip.c: Call from '' (95.138.169.103:5076) to extension '00441904890672' rejected because extension not found in context 'all-incoming-guest'.
[2013-03-05 04:42:19] NOTICE[9372] chan_sip.c: Call from '' (95.138.169.103:5070) to extension '00441904890672' rejected because extension not found in context 'all-incoming-guest'.
[2013-03-05 04:42:23] NOTICE[9372] chan_sip.c: Call from '' (95.138.169.103:5070) to extension '00441904890672' rejected because extension not found in context 'all-incoming-guest'.
and
[2013-03-05 15:42:42] NOTICE[9372] chan_sip.c: Registration from '441904891989<sip:2480@XXX.XXX.2.40>' failed for '166.78.49.203:7846' - Wrong password
[2013-03-05 15:43:22] NOTICE[9372] chan_sip.c: Registration from '441904891989<sip:2480@XXX.XXX.2.40>' failed for '166.78.49.203:7846' - Wrong password
[2013-03-05 15:43:41] NOTICE[9372] chan_sip.c: SIP Transfer attempted with no appropriate bridged calls to transfer
[2013-03-05 15:43:41] NOTICE[9372] chan_sip.c: Unable to create/find SIP channel for this INVITE
[2013-03-05 15:44:42] NOTICE[9372] chan_sip.c: Registration from '441904891989<sip:2480@XXX.XXX.2.40>' failed for '166.78.49.203:7846' - Wrong password
[2013-03-05 15:44:49] NOTICE[9372] chan_sip.c: Call from peer '2480' rejected due to usage limit of 8
[2013-03-05 15:44:49] NOTICE[9372] chan_sip.c: Failed to place call for device 2480, too many calls
[2013-03-05 15:44:49] NOTICE[9372] chan_sip.c: Call from peer '2480' rejected due to usage limit of 8
[2013-03-05 15:44:49] NOTICE[9372] chan_sip.c: Failed to place call for device 2480, too many calls
[2013-03-05 15:45:13] NOTICE[9372] chan_sip.c: Call from peer '2480' rejected due to usage limit of 8
Any idea of what happened??? This is very strange… any new exploit or something like that?
For info, my extension passwords are >8 characters/upper/lower case/special chars.
And I have fail2ban set up.
Thank you in advance for your help.
Kind regards,
David
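As an added example (not part of David's post), a Python script that turns the two observations in the post into automatic checks: an active SIP dialog for a registered peer arriving from an address other than the one the peer registered from, and a source IP repeatedly hitting the guest context or failing REGISTER. The sample data is constructed from the CLI and log output quoted above; the threshold value is an assumption.

```python
import re
from collections import Counter

# Constructed sample data modelled on the post: peer 6720 is registered from the LAN, yet
# its dialogs arrive from an outside address; one source hammers the guest context.
PEERS = """6720/6720 192.168.100.109 D 5062 OK (21 ms)
6713/6713 190.99.105.47 D N 5060 OK (369 ms)
patton 192.168.100.253 5060 OK (20 ms)"""
CHANNELS = """67.222.131.147 6720 6920bc57618847d (ulaw) No Rx: ACK 6720
67.222.131.147 6720 2544fc205ecc41d (ulaw) No Rx: ACK 6720
192.168.100.253 006703307212 15f3211728fe4d4 (ulaw) No Tx: ACK patton"""
LOG = """[2013-03-05 04:41:52] NOTICE[9372] chan_sip.c: Call from '' (95.138.169.103:5071) to extension '00441904890672' rejected because extension not found in context 'all-incoming-guest'.
[2013-03-05 04:41:57] NOTICE[9372] chan_sip.c: Call from '' (95.138.169.103:5076) to extension '00441904890672' rejected because extension not found in context 'all-incoming-guest'.
[2013-03-05 04:42:01] NOTICE[9372] chan_sip.c: Call from '' (95.138.169.103:5076) to extension '00441904890672' rejected because extension not found in context 'all-incoming-guest'.
[2013-03-05 15:42:42] NOTICE[9372] chan_sip.c: Registration from '441904891989<sip:2480@XXX.XXX.2.40>' failed for '166.78.49.203:7846' - Wrong password
[2013-03-05 15:43:22] NOTICE[9372] chan_sip.c: Registration from '441904891989<sip:2480@XXX.XXX.2.40>' failed for '166.78.49.203:7846' - Wrong password
[2013-03-05 15:43:41] NOTICE[9372] chan_sip.c: Unable to create/find SIP channel for this INVITE"""

NOTICE = re.compile(r"^\[[^\]]+\] NOTICE\[\d+\] chan_sip\.c: (?P<msg>.*)$")
REJECT = re.compile(r"Call from '[^']*' \((?P<ip>[\d.]+):\d+\) to extension '\d+' rejected")
REGFAIL = re.compile(r"Registration from '[^']*' failed for '(?P<ip>[\d.]+):\d+' - Wrong password")

def peer_hosts(peers_text):
    """Map peer name -> address it registered from, parsed from 'sip show peers' output."""
    hosts = {}
    for line in peers_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and re.fullmatch(r"[\d.]+", parts[1]):
            hosts[parts[0].split("/")[0]] = parts[1]
    return hosts

def foreign_channels(peers_text, channels_text):
    """Return (peer, dialog source, registered host) where a dialog's source differs from the peer's host."""
    hosts = peer_hosts(peers_text)
    flagged = []
    for line in channels_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and hosts.get(parts[1]) not in (None, parts[0]):
            flagged.append((parts[1], parts[0], hosts[parts[1]]))
    return flagged

def suspicious_sources(log_text, threshold=3):
    """Per-source count of rejected guest calls and failed REGISTERs; return those at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        m = NOTICE.match(line)
        hit = m and (REJECT.search(m.group("msg")) or REGFAIL.search(m.group("msg")))
        if hit:
            counts[hit.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

The first check is the one fail2ban's log filter cannot make: a dialog that authenticated successfully but from an address that is not where the peer lives.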