Server Hacked

All installation and configuration problems and questions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

Server Hacked

Postby mubeen » Fri May 04, 2018 4:28 pm

Hi,

I have ViciBox v.8.0.1 installed
VERSION: 2.14-667a
BUILD: 180331-1715

I guess my server has been hacked, somehow someone is making calls to some random number and drains all my balance. First it was 6001 extension and now it was 601. How can I protect it?
ViciBox v.8.0.1
VERSION: 2.14-667a
BUILD: 180331-1715
mubeen
 
Posts: 116
Joined: Mon Feb 19, 2018 1:49 pm

Re: Server Hacked

Postby williamconley » Fri May 04, 2018 4:52 pm

http://viciwiki.com/index.php/DGG

Note that DGG is optional. It begins with whitelist lockdown. DGG is just to make that easier to work with after the fact.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Server Hacked

Postby thephaseusa » Fri May 04, 2018 5:03 pm

Hi mubeen,

Sorry to hear that. Can you share with us how they did it? Were these extensions something like user 6001 password 6001?

Also the link William just posted for you will solve your problem. Once you have DGG set up, run journalctl -f -k on your asterisk server and make sure everything shows DROP except from IPs on your network or whitelisted IP addresses.

Also if you search this forum you will find several posts about Dynamic Good Guys and how to install it.

John M
thephaseusa
 
Posts: 345
Joined: Tue May 16, 2017 2:23 pm

Re: Server Hacked

Postby mubeen » Mon May 07, 2018 9:20 am

Not sure how they did that, and phone extensions and passwords were different. Although passwords were same for user login, phone login and phone registration.

I did changed the SSH port and SIP registration port (which default is 5060)

Now I have implemented a script to add IPTables and blocked all external IP's except for DID IP's, Outbound trunk IP's and ISP IP pool
Also changed all the passwords
ViciBox v.8.0.1
VERSION: 2.14-667a
BUILD: 180331-1715
mubeen
 
Posts: 116
Joined: Mon Feb 19, 2018 1:49 pm

Re: Server Hacked

Postby williamconley » Mon May 07, 2018 10:49 am

Verify the IPs of those who made the previous calls are not on your whitelist in case of social hacking, bad employees, bounce of sip channels through an agent location, or even a bad carrier.

Also verify that your inbound calls are in context "trunkinbound" so inbound carrier calls can't become outbound calls through another carrier. In fact, all sip account entry contexts should have context=trunkinbound regardless of whether the carrier is inbound or not (since outbound calls don't use that setting, only inbound) to be certain that no carrier accounts can slip into outbound mode by accident or on purpose.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Server Hacked

Postby mubeen » Tue May 08, 2018 2:02 pm

I found few IP's from Palestine, have blocked the whole subnet. Also have only white-listed required IP's and all ports, only allowed RTP ports (10000-20000) publicly as I was getting one-way voice until I allowed them publicly.

my inbound and outbound providers are separate, also all call's do go to context "trunkinbound"
ViciBox v.8.0.1
VERSION: 2.14-667a
BUILD: 180331-1715
mubeen
 
Posts: 116
Joined: Mon Feb 19, 2018 1:49 pm

Re: Server Hacked

Postby williamconley » Tue May 08, 2018 3:56 pm

mubeen wrote:allowed RTP ports (10000-20000) publicly as I was getting one-way voice until I allowed them publicly

This means you must find the audio signal IPs and whitelist them as well. Otherwise, the script kitties will portscan and attack your UDP ports as well. It's just a matter of getting ALL the IPs for your carrier(s) whitelisted. Some carriers will just give you a list. Others rotate IPs in a way that makes their subnet fairly obvious. Yet others have non-related IPs passing audio from their upline and require investigation to get the IPs one at a time.

Start by asking your Carrier's for ALL their audio IPs. If they refuse to give you a comprehensive list, reward them for their candor by ... using iftop to get the IP of the audio channel, look up each new IP to find out who owns it, and call that new Carrier and see if they want your service at a lower price (cutting out the middleman can get you lower pricing).
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Server Hacked

Postby mubeen » Tue May 08, 2018 6:13 pm

Thank You for the detailed reply, I have requested the provider for list of audio IP's as well.
ViciBox v.8.0.1
VERSION: 2.14-667a
BUILD: 180331-1715
mubeen
 
Posts: 116
Joined: Mon Feb 19, 2018 1:49 pm

Re: Server Hacked

Postby teleinx » Tue May 08, 2018 8:31 pm

williamconley wrote:Start by asking your Carrier's for ALL their audio IPs. If they refuse to give you a comprehensive list, reward them for their candor by ... using iftop to get the IP of the audio channel, look up each new IP to find out who owns it, and call that new Carrier and see if they want your service at a lower price (cutting out the middleman can get you lower pricing).


Most defiantly not a solution and a waste of time. You may see hundreds of IPs from many many different carriers media IPs. If you choose to call them and tell them you do 30,000 minutes per month they will either refuse your business or give you a retail rate which will be most likely comparable to what you're paying now. Don't assume that if you find out who your carriers carrier is that you will score the lower rates. Your carriers entire business relays on volume. Unless your working with millions of minutes per day your not going to get "wholesale carrier" pricing.
Focus on the real issue which is securing your equipment.
VoIP carrier spesilizing in vici dial.
Outboud VoIP Termination | Inboud VoIP Origination | Carrier Data Services
Website: http://www.teleinx.com
skype: teleinx inc
teleinx
 
Posts: 55
Joined: Fri Apr 08, 2016 7:44 pm
Location: Miami, FL

Re: Server Hacked

Postby williamconley » Tue May 08, 2018 8:50 pm

teleinx wrote:Most defiantly not a solution and a waste of time. You may see hundreds of IPs from many many different carriers media IPs.

Shots fired. OK:

Any carrier who takes this position is not actually a carrier, but an aggregate whose servers are only handling signalling and then upcharging you for their "service" which is merely a billing service.

Having several dozen subnets open because the carrier in question has a lot of available upline aggregated carriers is fine. If they are not comfortable giving out "the list", it's because they are nervous that you'll bypass them. So if the carrier says "we have too many ips to list" say "cool". Open your UDP ports and get calling. During this however: get the IPs from which their audio emanates, and call those uplines and become your own aggregate. Cut out the middleman. Then ... close the ports!

iftop and several other tools are available from which you can get the list. You can also use the iptables logging system to get a list of IPs (whether or not they are blocked: Logging all new connections on UDP ports is possible, and then harvestable and "whois"able. 8-) ).

Reputable carriers will provide a list, as a rule. Because you can't call their uplines and get service unless you are going to use a million minutes a week.

But we've only dealt with a few hundred carriers over the last decade in the business. So what do we know.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Server Hacked

Postby thephaseusa » Tue May 08, 2018 9:30 pm

But William if you use DGG those RTP IP addresses are allowed because you whitelisted the carrier IP and they are related or established connections of the original carrier correct? Otherwise DGG would DROP them right?
thephaseusa
 
Posts: 345
Joined: Tue May 16, 2017 2:23 pm

Re: Server Hacked

Postby williamconley » Tue May 08, 2018 9:37 pm

related or established connections

Doesn't always work for these. In fact, usually doesn't.

If you have an existing connection to one IP on port 5060 ... and a new connection is made on port 12355, iptables has NO way to know this is in fact "related".
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Server Hacked

Postby thephaseusa » Tue May 08, 2018 9:51 pm

So reading about the asterisk security advisory about RTP traffic recently, I noticed in my asterisk cli regular reports of something like “determining rtp source then a few ip addresses are listed”. And those seemed to change too. In DGG if these IPs arent whitelisted how are connections to asterisk being established?
thephaseusa
 
Posts: 345
Joined: Tue May 16, 2017 2:23 pm

Re: Server Hacked

Postby williamconley » Tue May 08, 2018 10:06 pm

outbound requests open ports without DGG permission.

related requests open ports without DGG permission.

But "relating" is not always viable on inbound calls. If your server didn't initiate the signal ... it's questionable and DGG is needed to fix the questions based on IP.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)


Return to Support

Who is online

Users browsing this forum: Google [Bot], Majestic-12 [Bot] and 144 guests