Hacking Attempts ???


Postby tarundas » Fri Aug 26, 2011 3:49 am

What is this? And what do they want?

 --------------------- SSHD Begin ------------------------

 SSHD Killed: 1 Time(s)

 SSHD Started: 2 Time(s)

 Failed logins from:
    61.136.68.83 (83.68.136.61.ha.cnc): 3115 times # over 3 thousand attempts ! HOLY SHIT!!! China
    110.45.138.170: 75 times # ( Korea)
    114.112.184.150: 344 times # (China)

 Illegal users from:
    61.136.68.83 (83.68.136.61.ha.cnc): 32 times
    110.45.138.170: 27 times
    114.112.184.150: 187 times

 Users logging in through sshd:
    root:
       59.93.xxx.xxx: 12 times # ( That's me! from home)


 Received disconnect:
    11: Terminating connection : 2 Time(s)


 SFTP subsystem requests: 13 Time(s)

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user testuser : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user dave : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user desktop : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user vpn : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user tester : 3 time(s)


 ---------------------- SSHD End -------------------------
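The report above is a per-source tally of sshd failures. The script below is an added example, not from the original post and not Logwatch or Vicidial code: it rebuilds the same tally straight from raw log lines, covering OpenSSH "Failed password" / "Accepted" lines plus Asterisk chan_sip "Registration from ... failed" lines, since a dialer is brute-forced over SIP as much as over SSH, and it exempts a list of trusted addresses so an admin's own typo is recorded but never counted as an attack. The log lines embedded in it are constructed for the example; the attacker addresses are the ones from the post, 198.51.100.7 stands in for the admin's home address, and 203.0.113.9 is a made-up SIP prober.

```python
"""Tally SSH and SIP brute-force attempts from raw log lines (added example)."""
import re
from collections import Counter, defaultdict

# OpenSSH auth-log lines. 'invalid user' marks an account that does not exist,
# which is what Logwatch counts under "Illegal users from".
SSHD_FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)
SSHD_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)
# Asterisk chan_sip registration failures; 1.4 logs the bare address, 1.8 adds :port.
SIP_FAILED = re.compile(
    r"chan_sip\.c: Registration from '(?P<peer>[^']*)' failed for "
    r"'(?P<ip>\d+(?:\.\d+){3})(?::\d+)?' - (?P<reason>.+)$"
)

# Constructed sample lines (attacker addresses are the ones from the post;
# 198.51.100.7 stands in for the admin's home address; 203.0.113.9 probes SIP).
SAMPLE_LOG = """\
Aug 26 03:10:01 dialer sshd[4121]: Failed password for root from 61.136.68.83 port 44512 ssh2
Aug 26 03:10:04 dialer sshd[4123]: Failed password for invalid user testuser from 61.136.68.83 port 44520 ssh2
Aug 26 03:10:06 dialer sshd[4124]: Failed password for root from 61.136.68.83 port 44526 ssh2
Aug 26 03:10:07 dialer sshd[4125]: Failed password for invalid user dave from 114.112.184.150 port 52110 ssh2
Aug 26 03:10:09 dialer sshd[4127]: Failed password for root from 114.112.184.150 port 52118 ssh2
Aug 26 03:11:30 dialer sshd[4140]: Accepted password for root from 198.51.100.7 port 50211 ssh2
Aug 26 03:12:02 dialer sshd[4150]: Failed password for root from 198.51.100.7 port 50213 ssh2
Aug 26 03:15:44 dialer asterisk[2200]: NOTICE[2210] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.9' - Wrong password
Aug 26 03:15:45 dialer asterisk[2200]: NOTICE[2210] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.9:5060' - No matching peer found
"""


def summarize(lines, ignoreip=()):
    """Per-source counters in the spirit of Logwatch's SSHD section.

    ignoreip: addresses whose failures are recorded separately and never counted
    as attacks (the admin's own office/home), the same idea as fail2ban's
    ignoreip: a colleague's typo must not look like a brute force.
    """
    trusted = set(ignoreip)
    s = {
        "failed": Counter(),               # failed sshd passwords per source
        "illegal": Counter(),              # of those, attempts on non-existent users
        "accepted": defaultdict(Counter),  # user -> source -> successful logins
        "sip_failed": Counter(),           # failed SIP registrations per source
        "ignored": Counter(),              # failures from trusted sources
    }
    for line in lines:
        if m := SSHD_FAILED.search(line):
            ip = m["ip"]
            if ip in trusted:
                s["ignored"][ip] += 1
                continue
            s["failed"][ip] += 1
            if m["invalid"]:
                s["illegal"][ip] += 1
        elif m := SSHD_ACCEPTED.search(line):
            s["accepted"][m["user"]][m["ip"]] += 1
        elif m := SIP_FAILED.search(line):
            ip = m["ip"]
            s["ignored" if ip in trusted else "sip_failed"][ip] += 1
    return s


def offenders(summary, threshold):
    """Sources whose SSH plus SIP failures reach the threshold, worst first."""
    combined = summary["failed"] + summary["sip_failed"]
    return [(ip, n) for ip, n in combined.most_common() if n >= threshold]


def render(summary, threshold):
    """Logwatch-style text report."""
    out = ["Failed logins from:"]
    out += [f"   {ip}: {n} times" for ip, n in summary["failed"].most_common()]
    out.append("Illegal users from:")
    out += [f"   {ip}: {n} times" for ip, n in summary["illegal"].most_common()]
    out.append("Users logging in through sshd:")
    for user, by_ip in summary["accepted"].items():
        out.append(f"   {user}:")
        out += [f"      {ip}: {n} times" for ip, n in by_ip.items()]
    out.append("Failed SIP registrations from:")
    out += [f"   {ip}: {n} times" for ip, n in summary["sip_failed"].most_common()]
    out.append(f"Sources at or above {threshold} failures (ban candidates):")
    out += [f"   {ip} ({n})" for ip, n in offenders(summary, threshold)]
    return "\n".join(out)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines(), ignoreip=["198.51.100.7"])
    print(render(report, threshold=2))
```

Feed it `/var/log/auth.log` (or `/var/log/messages` on SuSE) and `/var/log/asterisk/messages` instead of the sample and the counts match what Logwatch mails you, with the SIP side added. The threshold is deliberately a parameter: three failures from one address in a minute is a typo, three thousand is a scanner, and the trusted list is what keeps the first from ever being treated as the second.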

Postby williamconley » Fri Aug 26, 2011 9:09 am

they want to steal your babies.

Use the YaST firewall to lock out EVERYONE from ALL ports unless they are on an authorized IP address. Add authorized IP addresses (both TCP and UDP for each address) in Custom (at the bottom of the YaST firewall settings).

Remember that it is easy to lock yourself out, so be IN the office when you set it up. This requires turning OFF all allowed services (and Advanced allowed services).
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294

Postby boybawang » Sat Aug 27, 2011 3:48 am

you can explore using Fail2ban
Vicidial Installation + Configuration + Support + Custom Development
Download my ebook on installing vicidial for free http://download.vicidial.com/ubuntu/VIC ... 100331.pdf
skype: deodax.cordova@gmail.com
m: +639172063730

Postby williamconley » Sat Aug 27, 2011 12:06 pm

boybawang wrote: you can explore using Fail2ban
True.

The YaST firewall is built in, but has "lockdown" or "open" as possibilities, whereas Fail2ban can "learn" and lock out offenders. But it can also lock out good guys who put the wrong entry into their soft phone for registration (which can result in locking out an entire ROOM of agents, so be careful with ANY dynamic security system!).

A couple others:

Advanced Policy Firewall
Brute Force Detection
Denial of Service Deflate
Rootkit Detection

Some instructions here, but use google for more help:

http://www.topwebhosts.org/tools/apf-bf ... ootkit.php

Postby tarundas » Sat Aug 27, 2011 2:08 pm

Really? :) I thought they already have more babies than any other place - LOL
(China, birth rate 31.67 births/1,000 population) actual

Thank you William :)

Well, what resources can they steal/hack? Our public IP is mapped with the VoIP provider and we dial 3 shifts, so someone (admins) is always watching the campaigns and the 'real time summary', so our VoIP minutes are safe, I hope. Do they want our leads? Or campaign details? I am just curious!

Thank you again for your replies William and boybawang. I will try those firewalls and will post back the results. But it will take some time as I am not familiar with them at all.

Postby williamconley » Sat Aug 27, 2011 2:47 pm

Having someone watch a screen that "outside Vicidial" (manual) calls do not show up on will not "protect your minutes". If they get into your box, the odds are that they will cap $2k before you "catch on" unless you have some monetary system in place to stop them (for instance: you cannot make international calls ...).

We have several clients who came to us specifically for the "lockdown" after losing roughly $2k, and several more who came to us because the "failed" calls and/or failed login attempts disrupted the Vicidial system enough to render it unusable (Denial of Service, DoS, resulting from brute-force login/registration attempts).

Lock it down NOW.

Postby tarundas » Sat Aug 27, 2011 3:18 pm

OOOPS!!! I missed that point. Yes, I got it.
Thank you William. You are the lifeline of vicidial community.

Postby williamconley » Sat Aug 27, 2011 4:06 pm

Nah. I'm just an arrogant noisy guy. Ask my kids.

Postby sobek » Mon Aug 29, 2011 3:22 am

Of course firewalls are the most important, but after I forgot to turn the firewall back on after some testing, one thing that saved my minutes was a dial plan that allowed calls only to my country, with 9 digits.


In one hour they tried 4196 combinations to dial out.
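sobek's dial plan worked because Asterisk only places a call when the dialed string matches some extension or pattern in the context; 4196 combinations that match nothing go nowhere. The script below is an added example, not from the post and not Vicidial's own extensions.conf: it translates Asterisk pattern syntax (X, Z, N, [..], ., !) into an anchored regex and runs a batch of dial attempts through an allow-list. The single allowed pattern `_9ZXXXXXXXX` (a campaign dial prefix of 9 followed by a 9-digit national number) and the probe numbers are assumptions for illustration, and the matcher answers only "could this be dialed at all"; Asterisk's real best-match ordering and `!` early-match behaviour are not modelled.

```python
"""Check dialed numbers against Asterisk dial-plan patterns (added example)."""
import re


def pattern_to_regex(pattern):
    """Translate one extensions.conf extension/pattern into an anchored regex.

    Asterisk pattern syntax (patterns start with '_'):
      X = any digit 0-9, Z = 1-9, N = 2-9, [15-7] = one of the listed digits,
      . = one or more of anything (must be last), ! = zero or more (must be last);
      '-' is a visual separator and ignored; anything else matches literally.
    A name without a leading '_' is a plain extension and must match exactly.
    """
    if not pattern.startswith("_"):
        return re.compile(re.escape(pattern) + r"\Z")
    body, out, i = pattern[1:], [], 0
    while i < len(body):
        c = body[i]
        if c in "Xx":
            out.append("[0-9]")
        elif c in "Zz":
            out.append("[1-9]")
        elif c in "Nn":
            out.append("[2-9]")
        elif c == "[":
            j = body.index("]", i)
            out.append("[" + body[i + 1:j] + "]")
            i = j
        elif c == ".":
            out.append(".+")
        elif c == "!":
            out.append(".*")
        elif c != "-":
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")


def dial_allowed(number, patterns):
    """True when some allowed pattern matches the whole dialed string."""
    return any(pattern_to_regex(p).match(number) for p in patterns)


def filter_dial_attempts(numbers, patterns):
    """Split a batch of dial attempts into those the plan would place and reject."""
    placed, rejected = [], []
    for n in numbers:
        (placed if dial_allowed(n, patterns) else rejected).append(n)
    return placed, rejected


# Assumed allow-list: a campaign dial prefix of 9 followed by a 9-digit national
# number that does not start with 0. International (00...) and short numbers
# have no matching pattern, so Asterisk never places them.
NATIONAL_ONLY = ["_9ZXXXXXXXX"]

# Constructed dial attempts: one genuine national call and the kind of
# combinations a toll-fraud scanner tries once it has a SIP registration.
PROBE = [
    "9612345678",        # legitimate national number (9 digits after the prefix)
    "900441234567890",   # international via 00
    "9011441234567890",  # US-style international prefix
    "90612345678",       # 0 + number, 10 digits
    "912345",            # too short
    "1234567890",        # no dial prefix at all
]

if __name__ == "__main__":
    placed, rejected = filter_dial_attempts(PROBE, NATIONAL_ONLY)
    print("placed:  ", placed)
    print("rejected:", rejected)
```

The point of running the probe list through it is to see that a restrictive pattern is a second line of defence that holds even when the firewall is off: a registered attacker can still try thousands of numbers, but every one that does not fit the national pattern is rejected by the dial plan before it reaches the carrier. If you do need a handful of international destinations, add them as explicit patterns (for example `_90044NXXXXXXXXX` for one country) rather than a catch-all `_9.`.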

Postby williamconley » Mon Aug 29, 2011 6:59 pm

Under 10k. An amateurish attempt.

Postby middletn » Tue Sep 06, 2011 4:50 pm

It's a real problem. We had some guy in China probe all our Vicidial servers over the last few days; fail2ban caught them, but it's becoming a real pain in the A***. It's not a Vicidial issue though, more Asterisk being a little too helpful.

Postby williamconley » Tue Sep 06, 2011 6:31 pm

Problem being that fail2ban may catch them, but that often does not stop the DoS result (your firewall dropping packets still fills your "inbound traffic limit"). So having rejected the packets from the beginning would likely have caused them to NOT attack in the first place.

I have actually had situations when I had to turn on traffic shaping and limit the bandwidth on the attack to regain use of the server ... until after the attack, then set the system to stealth (drop all unauth packets) before the next attack which USUALLY stops the next attack before it starts. I've had a couple occasions where this process took a couple days. ouch.

Postby ctc_olsen » Wed Apr 09, 2014 9:39 am

--------------------- SSHD Begin ------------------------

 SSHD Killed: 1 Time(s)

 SSHD Started: 2 Time(s)

 Failed logins from:
    61.136.68.83 (83.68.136.61.ha.cnc): 3115 times # over 3 thousand attempts ! HOLY SHIT!!! China
    110.45.138.170: 75 times # ( Korea)
    114.112.184.150: 344 times # (China)

 Illegal users from:
    61.136.68.83 (83.68.136.61.ha.cnc): 32 times
    110.45.138.170: 27 times
    114.112.184.150: 187 times

 Users logging in through sshd:
    root:
       59.93.xxx.xxx: 12 times # ( That's me! from home)


 Received disconnect:
    11: Terminating connection : 2 Time(s)


 SFTP subsystem requests: 13 Time(s)

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user testuser : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user dave : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user desktop : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user vpn : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user tester : 3 time(s)


 ---------------------- SSHD End -------------------------


Sorry to bump this up but what command is this? Or do we need to install something first?
VERSION: 2.4-309a BUILD: 110430-1642 (Upgrade from CE 2.0,ISO) | Asterisk 1.4.27.1-1 | VmWare vCenter Server Ver 4.1.0| No additional software | No Digium/Sangoma Hardware

Postby geoff3dmg » Thu Apr 10, 2014 3:17 am

That looks like the output from a piece of software called 'Logwatch'. It analyses your server logs and sends you an email report of anything it deems interesting.
Vicibox 5.03 from .iso | VERSION: 2.10-451a BUILD: 140902-0816 | Asterisk 1.8.28.2-vici | Multi-Server | Amfeltec H/W Timing Cards | No Extra Software After Installation | Dell PowerEdge 1850 | Pentium 4 'Prescott' Xenon Quad @ 3.40GHz

Postby williamconley » Tue Jun 10, 2014 1:51 am

Whitelist your firewall system. Do not rely on automated systems to "catch" the problem. No one should be on your system unless you have expressly authorized their IP address to be there. This is not a Public Web Server, it's a dialer. In the old days there wouldn't even be any access outside the ROOM much less outside the country.

That being said, we have Dynamic Good Guys for Vicibox, which can be adjusted for GoAutodial ... but I recommend just installing Vicibox and using it there. You CAN back up your DB, install Vicibox, install your DB and then upgrade your DB to match your new Vicidial code. Then install DGG and you have a fresh new system that's secure. :)

http://www.viciwiki.com/index.php/DGG

http://www.viciwiki.com/index.php/Whitelist (if you just want a "lockdown")
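williamconley's advice here and in his earlier YaST post comes down to one ruleset: drop everything by default, accept only from addresses you have authorized, TCP and UDP alike, and do not lock yourself out while applying it. The script below is an added example, not the Vicibox Whitelist or DGG tooling and not YaST: it renders that ruleset as plain iptables commands (the same policy a YaST "custom rules" setup produces underneath) and refuses to produce anything unless the address you are connected from, taken from OpenSSH's SSH_CLIENT variable, is on the list. It prints the rules rather than applying them; the addresses in the main block are constructed, and the IPv6 side is left to you.

```python
"""Render an allow-list-only iptables ruleset for a dialer (added example)."""
import ipaddress
import os
import sys


def current_ssh_source():
    """Address this SSH session came from, or None when not running over SSH.
    OpenSSH exports SSH_CLIENT as 'client_ip client_port server_port'."""
    client = os.environ.get("SSH_CLIENT")
    return client.split()[0] if client else None


def build_whitelist_rules(authorized, admin_ip=None):
    """Return the iptables commands for a 'nobody in unless whitelisted' policy.

    authorized: addresses or CIDR blocks allowed to reach the box (any port,
                TCP and UDP, so SIP/RTP and SSH/HTTP all work for them).
    admin_ip:   where the person applying the rules is connecting from; the
                function raises ValueError if that address is not covered,
                because applying the rules would then cut their own session.
    """
    nets = [ipaddress.ip_network(a, strict=False) for a in authorized]
    if not nets:
        raise ValueError("empty whitelist would lock out everyone, including you")
    if admin_ip is not None:
        admin = ipaddress.ip_address(admin_ip)
        if not any(admin in net for net in nets):
            raise ValueError(f"refusing: your own address {admin_ip} is not whitelisted")

    rules = [
        "iptables -F INPUT",
        # loopback, and replies to connections the box itself opened
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for net in nets:
        for proto in ("tcp", "udp"):
            rules.append(f"iptables -A INPUT -p {proto} -s {net} -j ACCEPT")
    # Default policies go last so the accept rules are already in place when
    # the drop takes effect; DROP rather than REJECT keeps the box silent to
    # scanners, which is the "stealth" behaviour described in the thread.
    rules += ["iptables -P INPUT DROP", "iptables -P FORWARD DROP"]
    return rules


if __name__ == "__main__":
    # Constructed whitelist: the office block and one admin's home address.
    office_and_home = ["203.0.113.0/24", "198.51.100.7"]
    try:
        for rule in build_whitelist_rules(office_and_home, current_ssh_source()):
            print(rule)
    except ValueError as exc:
        sys.exit(str(exc))
```

Run it over SSH from the address you intend to keep and pipe the output into a shell only after reading it; run it from an address that is not on the list and it exits with the refusal instead of printing rules. Note the ordering argument in the comments: flushing INPUT and setting the DROP policy before the ESTABLISHED rule exists is exactly how people cut their own session, which is why the policy lines come last. A remote VoIP provider's signalling and media addresses belong on the list too, or your trunk registration stops working the moment the policy flips.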
