Hack Attempt Sequential Config File Read Looking For Valid Files.


I “justed” happened to look at /var/log/messages…

I saw:

Apr 21 12:18:40 in.tftpd[22719]: RRQ from 69.64.57.18 filename 0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22719]: Client 69.64.57.18 File not found 0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22720]: RRQ from 69.64.57.18 filename 0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22720]: Client 69.64.57.18 File not found 0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22721]: RRQ from 69.64.57.18 filename 0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22721]: Client 69.64.57.18 File not found 0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22722]: RRQ from 69.64.57.18 filename 0004f2034f6e.cfg

so basically a sequential read of polycom MAC address config files. Someone is trying to read to determine if I have any polycom files, just sequential read after read. And if so – it would get any extension and password at that time. Luckily I have none.

However – how does one block attempts like this ?

Thanks!

Jerry
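The pattern in the log above is easy to spot mechanically: one client requesting consecutive MAC-named .cfg files and collecting "File not found" for each. The script below is an added example (not from the original post or the list) that parses in.tftpd syslog lines, groups requests per client, and flags any client whose requested names form a strictly increasing MAC sequence; the log text is constructed from the post's lines plus one made-up legitimate phone (203.0.113.7).

```python
import re
from collections import defaultdict

# Constructed sample: the in.tftpd lines from the post, one per line, plus one
# made-up host (203.0.113.7) doing a single legitimate config fetch.
SAMPLE_LOG = """\
Apr 21 12:18:40 in.tftpd[22719]: RRQ from 69.64.57.18 filename 0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22719]: Client 69.64.57.18 File not found 0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22720]: RRQ from 69.64.57.18 filename 0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22720]: Client 69.64.57.18 File not found 0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22721]: RRQ from 69.64.57.18 filename 0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22721]: Client 69.64.57.18 File not found 0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22722]: RRQ from 69.64.57.18 filename 0004f2034f6e.cfg
Apr 21 12:19:02 in.tftpd[22730]: RRQ from 203.0.113.7 filename 0004f2aabbcc.cfg
"""

# in.tftpd logs every read request (RRQ) and, separately, each failed lookup.
RRQ_RE = re.compile(r"in\.tftpd\[\d+\]: RRQ from (\S+) filename ([0-9a-f]{12})\.cfg$")
NOTFOUND_RE = re.compile(r"in\.tftpd\[\d+\]: Client (\S+) File not found ([0-9a-f]{12})\.cfg$")

def parse_tftp_log(text):
    """Return {client_ip: {"requested": [mac, ...], "missing": count}} in log order."""
    hosts = defaultdict(lambda: {"requested": [], "missing": 0})
    for line in text.splitlines():
        m = RRQ_RE.search(line)
        if m:
            hosts[m.group(1)]["requested"].append(m.group(2))
            continue
        m = NOTFOUND_RE.search(line)
        if m:
            hosts[m.group(1)]["missing"] += 1
    return hosts

def is_sequential(macs):
    """True when each requested MAC is exactly the previous one plus one (an enumeration walk)."""
    values = [int(mac, 16) for mac in macs]
    return len(values) >= 3 and all(b - a == 1 for a, b in zip(values, values[1:]))

def find_enumerators(text, min_requests=3):
    """Clients that walked consecutive MAC config names, i.e. the pattern from the post."""
    return sorted(ip for ip, info in parse_tftp_log(text).items()
                  if len(info["requested"]) >= min_requests and is_sequential(info["requested"]))

if __name__ == "__main__":
    hosts = parse_tftp_log(SAMPLE_LOG)
    for ip in find_enumerators(SAMPLE_LOG):
        print(f"{ip}: sequential MAC .cfg walk, {hosts[ip]['missing']} misses")
```

The same regex shape (client IP after "Client", filename at end of line) is what a log-based blocker such as the Fail2Ban filter suggested below would key on; the sequence check is what separates a scan from a single phone that simply has no config yet.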

6 thoughts on - Hack Attempt Sequential Config File Read Looking For Valid Files.

  • Jerry,

    Can you change to FTP Provisioning, or HTTPS etc? At least with FTP you can set a user/pass to your directory with mac.cfg to prevent open access.

  • This is old news. They use Shodan and then try to connect. Set up Fail2Ban so that after 10 404's it bans the IP.

  • Hi, Jerry,

    I don’t know what OS you have on the server, but you can check the man page (https://linux.die.net/man/8/in.tftpd) for tftpd and use the option
    --address, so you can tell tftpd on which interface/port this service listens for requests.

    From the IP in your logs (69.64.57.18) the request came from a web hosting provider (http://www.heg.com/). So the request came from the Internet, meaning your server accepts TFTP requests from outside, which is bad.

    You can use iptables in any Linux distro to block incoming TFTP traffic. TFTP is a UDP protocol at port 69.

    Example:

    /sbin/iptables -A INPUT -i eth0 -p udp --destination-port 69 -j DROP

    Change eth0 to the correct name of your public internet server interface.

    2017-04-21 13:27 GMT-03:00 Jerry Geis :

  • Is that IP in your network or outside (I can ping it so I’m guessing it’s outside your network)? Do you have a firewall between your asterisk box and the internet? Is there a WHITELIST of IP addresses that only allow your provider’s limited IP pool to connect to your asterisk box from outside?

    If you are getting TFTP requests hitting your Asterisk box, they are not properly being filtered at your firewall – ftp and tftp are considered insecure communication methods, that port (69 I think) should be closed on your firewall unless you have a really good reason to have it opened (and unless you run a public FTP site, THERE IS NO GOOD REASON).

    Fail2Ban is a BLACKLIST method, blacklists are most effective after good network hygiene is implemented, as you drastically limit the pool of potential bad actors with a whitelist.

    Best,

    -Tim

  • Hi David, Tim,

    Try to use Fail2Ban as a last resort. Fail2Ban is a reactive approach, which permits the traffic AND ONLY BLOCKS it after a certain level is triggered.

    Use iptables to block the unused services facing public networks like the Internet. And configure these services properly, so they listen only on selected interfaces and IPs, and not on 0.0.0.0.

    2017-04-21 13:47 GMT-03:00 Tim S :

  • Exactly.

    If one’s external access control is set correctly, you should basically never see any outside attack traffic at your Asterisk box (you’d see it in the firewall logs instead).

    Following the concept of “least privileges” is where you should start if you have Asterisk attached to a SIP service you pay for. If you have one SIP provider, the only IP address (or IP pool/range) that should talk to your Asterisk box from outside your firewall is exclusively the servers of your SIP provider. Everything else should be “dropped” (no response at all).

    Google “GRC Shields Up” and run that free port scanner to see what you have open, closed or what they call “stealth” (dropped). If a firewall is setup correctly, port 5060 should appear “stealth” from any IP address other than your service provider.

    You can also Shodan yourself: “https://www.shodan.io/host{yourPublicIP}” – but Shodan doesn’t tell you whether the packets are dropped or rejected. In general you want your public IP to only show services on Shodan that you intend every random request to get access to – for example a public web server on port 80 and 443.

    It’s a good idea to review these resources often (once a quarter, once a month, once a week – your choice), especially after any software or hardware changes on your network. You may find something has been misconfigured at installation, that you would need to address.

    Best

    -Tim