Someone has hacked into our system


Someone has hacked into our system and is making calls overseas.
How can I:

1. Find out where the calls are originating from?
2. Block all calls that are not authorized?

Our system is in the USA.
Only calls from inside our LAN are allowed.

Thank you,

Gary Kuznitz

15 thoughts on - Someone has hacked into our system

  • In reply to Gary Kuznitz's message of Monday, November 22, 2010 10:23 AM:

    For #1, start with the CDR. You know that X is calling an overseas number.
    Determine who X is (or is supposed to be).

    For #2 (and the rest of #1), restrict your dialing access to a known set of
    IPs. If you have 5 phones (softphones or actual handsets), block
    everything that doesn't come from those 5 IP addresses.

    The first thing I would do is to change all of your passwords in sip.conf
    and do a sip reload. That will slow down or temporarily stop the hacker.

  • Blocking UDP 5060 in the packet filter in unwanted directions should
    keep Asterisk from setting up SIP connections.
    The real remedy is to figure out how the hacker got in and close the
    backdoor.
    I think a lot of us would be interested in what the vulnerability was.
    And if it turns out that it was a configuration mistake, don't be shy:
    for every mistake you made in your config, there are at least a thousand
    people who made the same mistake. You help them (us) by disclosing the
    error, and if you have already changed the configuration you should no
    longer have the error by then.


  • Thank you very much for help in finding the log.

    I have the log now. I'd like to know what to look for in trying to figure out how the
    calls are getting originated. I'd be happy to share all the information. I just don't
    want to post information on this public list that might show other people how to get in
    to our box.

    Thank you,

    Gary Kuznitz

    On 22 Nov 2010 at 13:11, Danny Nicholas commented about RE: [asterisk-users] Someone
    has hacked into our system:

    Sent: Monday, November 22, 2010 12:20 PM

    Thank you for the quick response.

    Comments below…

    I am not familiar with navigating Asterisk. Would you please help me understand how
    to see the CDR?

    Thank you,

    Gary Kuznitz

    By default, Asterisk keeps the CDR as a "flat file" in /var/log/asterisk/cdr-csv/Master.csv,
    which you can open in Excel for easy viewing. If you have a custom CDR (see
    /etc/asterisk/cdr.conf or /etc/asterisk/cdr_custom.conf for more information), your CDR
    might be stored in a MySQL table or some other place. I would start under the assumption
    that you have the flat file available. Once you have it open, use this link as a guide:
    http://www.voip-info.org/wiki/view/Asterisk+cdr+csv

    Fields
    * accountcode: What account number to use: Asterisk billing account, (string, 20
    characters)
    * src: Caller*ID number (string, 80 characters)
    * dst: Destination extension (string, 80 characters)
    * dcontext: Destination context (string, 80 characters)
    * clid: Caller*ID with text (80 characters)
    * channel: Channel used (80 characters)
    * dstchannel: Destination channel if appropriate (80 characters)
    * lastapp: Last application if appropriate (80 characters)
    * lastdata: Last application data (arguments) (80 characters)
    * start: Start of call (date/time)
    * answer: Answer of call (date/time)
    * end: End of call (date/time)
    * duration: Total time in system, in seconds (integer)
    * billsec: Total time call is up, in seconds (integer)
    * disposition: What happened to the call: ANSWERED, NO ANSWER, BUSY, FAILED
    * amaflags: What flags to use: see amaflags::DOCUMENTATION, BILL, IGNORE etc.,
    specified on a per channel basis like accountcode.
    You will want to see if there are any “peculiar” src fields on your international calls (dst).

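    The CDR triage Danny describes, as an added worked example (not code from the thread or from Asterisk): it parses a few constructed Master.csv lines in the column order listed above, picks out the international calls, and flags the ones whose src, channel or context is "peculiar". The known-extension set, the 9/011 dialing prefixes and the sample records (RFC 5737 documentation addresses, invented times) are assumptions for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of Asterisk's flat-file CDR (cdr-csv/Master.csv), not
# real traffic. Column order is the one listed in the thread; the inner quotes
# of clid are doubled, as the cdr_csv module writes them.
SAMPLE_MASTER_CSV = '''\
"","101","5551234","from-internal","""Front Desk"" <101>","SIP/101-00000a1f","SIP/trunk-00000a20","Dial","SIP/trunk/5551234,60","2010-11-22 09:02:11","2010-11-22 09:02:18","2010-11-22 09:05:40",209,202,"ANSWERED","DOCUMENTATION"
"","102","9011919876543210","from-internal","""Sales"" <102>","SIP/102-00000a25","SIP/trunk-00000a26","Dial","SIP/trunk/011919876543210,60","2010-11-22 10:14:02","2010-11-22 10:14:20","2010-11-22 10:31:55",1073,1055,"ANSWERED","DOCUMENTATION"
"","1000","9011442071234567","default","""1000"" <1000>","SIP/203.0.113.7-00000a31","SIP/trunk-00000a32","Dial","SIP/trunk/011442071234567,60","2010-11-22 03:17:44","2010-11-22 03:17:52","2010-11-22 04:59:01",6077,6069,"ANSWERED","DOCUMENTATION"
"","1000","9011252612345678","default","""1000"" <1000>","SIP/203.0.113.7-00000a40","SIP/trunk-00000a41","Dial","SIP/trunk/011252612345678,60","2010-11-22 03:20:09","","2010-11-22 03:20:40",31,0,"NO ANSWER","DOCUMENTATION"
'''

CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
              "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
              "duration", "billsec", "disposition", "amaflags"]

# Assumptions for this example: a US site dials 9 for an outside line and 011
# for international, and these are the only legitimate internal extensions.
KNOWN_EXTENSIONS = {"101", "102", "103"}
INTERNATIONAL_PREFIXES = ("9011", "011")


def parse_cdr(text):
    """Parse Master.csv text into a list of dicts keyed by CDR_FIELDS."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != len(CDR_FIELDS):
            continue  # skip blank or truncated lines
        row = dict(zip(CDR_FIELDS, rec))
        row["duration"] = int(row["duration"] or 0)
        row["billsec"] = int(row["billsec"] or 0)
        rows.append(row)
    return rows


def is_international(dst):
    return dst.startswith(INTERNATIONAL_PREFIXES)


def is_internal_channel(channel):
    """Asterisk names a call leg SIP/<peer>-<id>. A configured phone shows up as
    SIP/101-...; an unauthenticated guest shows up as SIP/<remote-ip>-..."""
    peer = channel.split("/", 1)[-1].rsplit("-", 1)[0]
    return peer in KNOWN_EXTENSIONS


def suspicious_international_calls(rows):
    """Return (row, reasons) for international calls with a peculiar src,
    channel or context; a known phone calling abroad normally is not flagged."""
    flagged = []
    for r in rows:
        if not is_international(r["dst"]):
            continue
        reasons = []
        if r["src"] not in KNOWN_EXTENSIONS:
            reasons.append("src %s is not a known extension" % r["src"])
        if not is_internal_channel(r["channel"]):
            reasons.append("channel %s is not a known phone" % r["channel"])
        if r["dcontext"] == "default":
            reasons.append("call entered through the default context")
        if reasons:
            flagged.append((r, reasons))
    return flagged


def summarize_by_source(rows):
    """Per src: number of international calls and billed seconds."""
    summary = defaultdict(lambda: {"calls": 0, "billsec": 0})
    for r in rows:
        if is_international(r["dst"]):
            summary[r["src"]]["calls"] += 1
            summary[r["src"]]["billsec"] += r["billsec"]
    return dict(summary)


if __name__ == "__main__":
    cdr = parse_cdr(SAMPLE_MASTER_CSV)
    for r, reasons in suspicious_international_calls(cdr):
        print("%s src=%s dst=%s channel=%s billsec=%d" % (
            r["start"], r["src"], r["dst"], r["channel"], r["billsec"]))
        for why in reasons:
            print("    - " + why)
    for src, s in sorted(summarize_by_source(cdr).items()):
        print("src %s: %d international call(s), %d billed seconds" % (
            src, s["calls"], s["billsec"]))
```

    On the sample, extension 102's call to India is international but not flagged, while both calls from "1000" are flagged three times over: unknown src, a channel named after an outside IP rather than a phone, and entry through the default context. On a real system, point parse_cdr at the contents of /var/log/asterisk/cdr-csv/Master.csv and put your own extensions in KNOWN_EXTENSIONS.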

  • allowguest=yes in sip.conf, with a context= in the [general] section that
    is permitted to make outbound calls? Just a guess, but there have been
    more than a few such discussions on the list about that configuration, plus
    a README-SERIOUSLY.bestpractices.txt in the root directory of every Asterisk
    source tree. You DID read that file, right?

  • Use IPTables to lock down your machine to only accept incoming connections from your local network and from the particular IPs that you are expecting connections from (such as your SIP trunk, maybe).

    That is of course assuming that these calls are made by SIP.

    Don’t forget to also change all the passwords.

    In reply to Gary Kuznitz's message of Monday, November 22, 2010 8:23 AM.

  • good point – someone can easily just dial in on a POTS line locally and
    dial out on another one, making a long distance call, assuming the dial plan
    allows this.

    SIP doesn't have to be involved in any part of the problem.


  • Thank you for the reply…

    Comments below…
    On 22 Nov 2010 at 17:23, Tilghman Lesher commented about Re: [asterisk-users] Someone
    has hacked into our system:

    I’m trying to understand exactly what this means.

    I found a sip.conf in /etc/asterisk
    I have a [general] section.
    I don't have allowguest=yes. Is that good or am I supposed to have it?
    If I'm supposed to have it, can it go any place in the [general] section?
    I have in the [general] section a line with:
    context = default
    Is this where I would remove default and enter the IP addresses that are allowed to
    make calls?
    What would a line with an IP address look like? Could you give me an example?
    If that isn't where the IP addresses that are allowed are supposed to be, where would I
    put them?

    Thank you,

    Gary Kuznitz

  • Gary Kuznitz wrote:
    I believe what you SHOULD have is:
    allowguest=no
    Not sure if that is the default behavior or not.
    Your default context in extensions.conf should basically lead nowhere.
    I have mine set up to play an insane laugh and then hang up.
    Probably safe to say NEVER use context default for any outbound calling.

    You should also have, in general:

    alwaysauthreject=yes
    This seems pretty effective in stopping some hacking
    These are simple fixes.
    I will let others comment on other more detailed firewalling

    John Novack

  • Look for "allowguest"; the default is "yes".
    I change it to allowguest=no.
    In addition you might want to restrict some countries in your dial plan; here is my list:

    [blocked-numbers]
    ;block bahamas, etc
    exten => _91900.,1,congestion ; N11
    exten => _91XXX976.,1,congestion ; N11
    exten => _91XXX555.,1,congestion ; N11
    exten => _91X11.,1,congestion ; N11
    exten => _91867.,1,congestion ; Yukon (sorry mike)

    ;exten => _1NPA Country
    exten => _91232.,1,congestion; Sierra Leone
    exten => _91242.,1,congestion; BAHAMAS
    exten => _91246.,1,congestion; BARBADOS
    exten => _91264.,1,congestion; ANGUILLA
    exten => _91268.,1,congestion; ANTIGUA/BARBUDA
    exten => _91284.,1,congestion; BRITISH VIRGIN ISLANDS
    exten => _91345.,1,congestion; CAYMAN ISLANDS
    exten => _91441.,1,congestion; BERMUDA
    exten => _91473.,1,congestion; GRENADA
    exten => _91649.,1,congestion; TURKS & CAICOS ISLANDS
    exten => _91664.,1,congestion; MONTSERRAT
    exten => _91758.,1,congestion; ST. LUCIA
    exten => _91767.,1,congestion; DOMINICA
    exten => _91784.,1,congestion; ST. VINCENT & GRENADINES
    exten => _91809.,1,congestion; DOMINICAN REPUBLIC
    exten => _91829.,1,congestion; DOMINICAN REPUBLIC
    exten => _91868.,1,congestion; TRINIDAD AND TOBAGO
    exten => _91869.,1,congestion; ST. KITTS AND NEVIS
    exten => _91876.,1,congestion; JAMAICA

    On 23 Nov 2010 at 16:54, Joseph commented about Re: [asterisk-users] Someone has hacked
    into our system:

    This would be great. Can I put this anyplace in extensions.conf?
    Or does it need to go after [DLPN_DialPlanl] ?

    Thanks,

    Gary Kuznitz

  • Thank you for the reply.

    On 23 Nov 2010 at 18:51, John Novack commented about Re: [asterisk-users] Someone has
    hacked into our system:

    I don’t have any context in extensions.conf
    I do have context = default in sip.conf
    Should I remove that line?
    Could you give me an example of what you have in your extensions.conf?

    Thank you,

    Gary Kuznitz

  • This is in sip.conf

    [general]
    context=default ; Default context for incoming calls
    allowguest=no ; Allow or reject guest calls (default is yes)

  • I found it very effective to make sure the handled SIP domains don't
    contain the IP address(es) of your internet connection(s), by only
    explicitly listing internal IP addresses and hostnames, e.g.:
    domain=10.2.3.4
    domain=sip.example.com

    The standard scanners will get a "Not a local domain" error, since they
    only try the external IP address to connect (for now).

  • Hi Gary,

    I went through this process a few times over the past few years.

    There are a few short guides for securing Asterisk, but much of it depends
    on your design. If it's a traditional POTS-type PBX then locking down
    IPs using firewalls is a great thing; however, if you make use of
    inbound SIP calls from end-user PC clients on the Internet then that's
    not always possible.

    So here are my recommendations:

    1) Change the default context name to something like "publicinbound".

    2) Create a context called publicinbound that does basically nothing.

    3) Set up a different context for each peer or friend, IAX or SIP, or
    whatever. That way you can see which connection the hackers are coming in
    from.

    4) If you don't want to firewall off the whole internet, then at least
    make use of fail2ban – it's a free scripted add-on that watches for
    hacking attempts and firewalls them off.

    5) Really, really long passwords and usernames – this one's pretty key.
    My first task was going through and understanding where all the
    passwords were and changing them. I now make mine completely random and
    a minimum of 30 chars.

    6) IP restrictions. If a peer or user does have a fixed IP, then define
    it in the appropriate config file.

    7) alwaysauthreject is good.. it helps fumble the hackers.

    Thanks,

    Adrian
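    Pulling together the sip.conf advice in this thread (John Novack's allowguest=no and alwaysauthreject=yes, the [general] snippet above, the domain= post, Gary's question about what an IP-restriction line looks like, and Adrian's list), here is an added example that is not code from the thread or from Asterisk: a small audit script that parses a sip.conf and reports the settings the thread says to fix. Both configs are constructed for the example; the peer names, addresses and secrets are invented, and the 30-character minimum is Adrian's figure. The deny=/permit= lines on the hardened peers are the standard sip.conf way to restrict a peer to a network.

```python
import re

# Constructed example of a sip.conf as several posters suspect Gary's looks:
# guest calls allowed by default, default context, no domain restriction,
# a short secret and no per-peer IP restriction.
WEAK_SIP_CONF = """\
[general]
context=default
bindport=5060
; allowguest and alwaysauthreject left at their defaults

[101]
type=friend
secret=1234
host=dynamic
context=from-internal
"""

# Constructed hardened counterpart following the thread's recommendations.
HARDENED_SIP_CONF = """\
[general]
context=publicinbound          ; a context that does nothing (Adrian, steps 1-2)
allowguest=no                  ; John Novack
alwaysauthreject=yes           ; John Novack, Adrian step 7
domain=10.2.3.4                ; only internal addresses/hostnames are local domains
domain=sip.example.com
allowexternaldomains=no

[phone](!)                     ; template shared by every handset
type=friend
host=dynamic
context=from-internal
deny=0.0.0.0/0.0.0.0           ; Adrian step 6: refuse every address ...
permit=192.168.1.0/255.255.255.0   ; ... except the office LAN

[101](phone)
secret=k9Tq2vLm8Xw4Pz1RbN6sYd3GhJ7fCa0E

[102](phone)
secret=Zp4Hn7Wc1Ys9Kq3Lt6Vb2Md8Rf5Xg0J
"""


def parse_sip_conf(text):
    """Parse the sip.conf subset used here: [name], [name](!) templates,
    [name](template) inheritance, key=value / key=>value, ';' comments.
    Returns {section: [(key, value), ...]}; keys may repeat (e.g. domain=)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[([^\]]+)\](?:\((.*)\))?$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            for tmpl in (m.group(2) or "").split(","):
                tmpl = tmpl.strip()
                if tmpl == "!":
                    sections[current].append(("__template__", "yes"))
                elif tmpl:
                    sections[current].extend(
                        p for p in sections.get(tmpl, []) if p[0] != "__template__")
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.lstrip(">").strip()))
    return sections


def last(pairs, key, default=None):
    """Asterisk applies the last occurrence of a repeated key."""
    vals = [v for k, v in pairs if k == key]
    return vals[-1] if vals else default


def audit_sip_conf(text, min_secret_len=30):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    sections = parse_sip_conf(text)
    general = sections.get("general", [])
    general_ctx = last(general, "context", "default")

    if last(general, "allowguest", "yes").lower() != "no":
        findings.append("[general] allowguest is not 'no' (the default is yes)")
    if last(general, "alwaysauthreject", "no").lower() != "yes":
        findings.append("[general] alwaysauthreject=yes is missing")
    if general_ctx == "default":
        findings.append("[general] context is 'default': unauthenticated calls land there")
    if not [v for k, v in general if k == "domain"]:
        findings.append("[general] no domain= lines: any SIP domain, including the public IP, is accepted")

    for name, pairs in sections.items():
        if name == "general" or last(pairs, "type") is None or last(pairs, "__template__"):
            continue  # only real peer/user/friend definitions
        secret = last(pairs, "secret", "")
        if len(secret) < min_secret_len:
            findings.append("[%s] secret is %d chars (want at least %d)" % (name, len(secret), min_secret_len))
        if last(pairs, "deny") is None and last(pairs, "permit") is None:
            findings.append("[%s] no deny/permit lines: accepted from any IP" % name)
        if last(pairs, "context", general_ctx) == "default":
            findings.append("[%s] context resolves to 'default'" % name)
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SIP_CONF), ("hardened", HARDENED_SIP_CONF)):
        print("%s config: %d finding(s)" % (label, len(audit_sip_conf(conf))))
        for f in audit_sip_conf(conf):
            print("    - " + f)
```

    Run against a real file with audit_sip_conf(open("/etc/asterisk/sip.conf").read()). The parser deliberately stays small: it handles the template syntax the hardened sample uses but not #include directives, so a config split across files should be audited per file.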