So I got hacked. ..

Any and all non-support discussions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

So I got hacked. ..

Postby outofnecessity » Mon Dec 29, 2014 11:10 pm

First of all, what a way to introduce myself.
Secondly, thank you to this forum and the whole vicidial community for a wonderful system that allows so many out there to use a powerful call center enterprise app without the enterprise budget!

So I've been working my way up through IT, and one of my fears had always been VOIP. I started to learn a bit about asterisk when it first came out, but I was like 17 and didn't care. Now ten years later I'm balls deep in VOIP out of necessity. I somehow landed this job from a recommendation from a friend because this company had lost their tech. So I came out of nowhere, breaking root on their servers because they didn't trust the last guy working on it. And there I am, scared out of my mind with the one thing I knew little abiut, VOIP.

I've had experience for years with Linux and webdesign, and all that side of tech, but this was a new chalkenge.

Anyway, vicidial is what they used and I had to do what I had to do, learn it.

So now months of steadiness and everything under control and finally learning how extensions work, sip, the asterisk server, etc.

And today we go to re up our minutes and within an hour we burned through 309 dollars.... I was at a lost. And so was the carrier. Until their tech sent us our car log.. and we had thousands of calls to the artic north... yeah, the middle of nowhere canada.

From there, thanks to the wealth of information archived in these forms I figured to check the logs, and finally found the weaklink, a test extension on our system setup by the previous guy with the strong password of "test"...

Looking at the log I saw the attackers trying various extensions and pass codes to get through. If we were not set up as prepaid, we wouldn't of found out of this until our next invoice and would of been liable for thousands... it's crazy.

I just wanted to share my experience with the forum,
introduce myself and say hi!

Sorry if this post is potato quality as its from my phone.

Also I was curious if someone could explain this log entry...

[Dec 28 07:49:23] NOTICE[12799] chan_sip.c: Registration from 'X.X.X.X 322 1234<sip:200@X.X.X.X>' failed for 'X.X.X.X' - No matching peer found

I get most of it, it's from our attackers, the last ip address is from the attacker, the second , with the preceding @ is the sip registration attempt to our server.

But what is that first IP address? Is it a hop through the I ntetnet? The ip address is from some backbone isp from Pennsylvania. Can someone she'd some light?

I am just curious, I saw the originating ip being from overseas, just curious as to that first ip address and what it is from I relation to the sip registration process.

Thanks for listening. .it rather reading, my ramble.
outofnecessity
 
Posts: 2
Joined: Mon Dec 29, 2014 10:34 pm

Re: So I got hacked. ..

Postby williamconley » Tue Dec 30, 2014 1:44 am

White List Lock your server.

http://www.viciwiki.com/index.php/Whitelist

After you are done, only those that YOU have specifically allowed (via IP address) will have access to your server. You may need to reboot if you've already been sip attacked.

And for insurance, change all your passwords (phone registrations, users, ssh, ftp if you're using it).

Dynamic Good Guys is one way to make it smoother and easier to administer after you lock it down (free, we published it years ago). http://www.viciwiki.com/index.php/DGG
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: So I got hacked. ..

Postby outofnecessity » Tue Dec 30, 2014 9:26 am

Cool, thanks for the heads up. I'm now setting all users with a unique complicated password. And removing or disabling unused sip exentions. I'm configuring fail2ban and have locked down our network. This morning we were being brute forced attacked for 5 hours non stop. Its one of those things I told myself, nah, what are the chances?
outofnecessity
 
Posts: 2
Joined: Mon Dec 29, 2014 10:34 pm

Re: So I got hacked. ..

Postby vccsdotca » Tue Jan 27, 2015 9:09 am

In case you're still wondering, the chances should be impossible with your inclusion of fail2ban they should be blocked after 3 attempts or as per your jail.conf. It's best to test your fail2ban out either way to ensure its working (ie; ban yourself).
Matt Martin
VoIP Guru
nurango
https://www.nurango.ca
----------------
Open-Source Hosting & Support | SIP Trunking | DIDs
vccsdotca
 
Posts: 116
Joined: Mon Sep 15, 2008 5:42 pm
Location: Montreal, QC Canada

Re: So I got hacked. ..

Postby GDelkos » Tue Jan 27, 2015 11:42 am

hello there
deny host is also a good choice and ofc whitelist!
its always a good method (IMHO) to setup a honeypot server (a server setup so you can check if ur security settings are good enough).
as soon as port scanners see vici (open ports like 5060) they gonna attack you day and night!
i have a list of banned ips from china and other suspicious places populating all day long!
a small tip...why allow these ips have access since you already know the ones you need to let pass.
GDelkos
 
Posts: 67
Joined: Tue Dec 02, 2014 8:50 am


Return to General Discussion

Who is online

Users browsing this forum: No registered users and 110 guests