Dont see any lists and can not control dialing? HACKED


Postby carpenox » Mon Sep 16, 2024 11:59 am

Yes, so this new exploit is affecting a lot of people, and I woke up this morning to more messages than ever about people in our community whose campaigns are not showing any way to dial and whose lists area of the menu is totally gone. I am working on a remediation plan to release to the public, but for now, do these things.

1. Run this command in the Linux CLI: mysql asterisk -u cron -p1234 -e "update system_settings set outbound_autodial_active='1'"
This will turn dialing and lists back on. You can also just go into admin > system settings, go down to "outbound autodial" and change it to 1.

2. If you are not using VERM or chat, rename those directories because this is the way they are getting in, and even those of you who did update your servers, it can still cause you headaches with your 6666 user getting locked out from hack attempts. (copy 6666 user to another name and delete 6666 user) If you are using them, make sure you update your SVN to latest.

3. Close HTTP/HTTPS to your trusted zone only. Only the dynamic portal port should be open on public zone.

Here are some current articles that will help you better understand and fix your systems. New article for remediation plan of action coming this week.

About this exploit - https://dialer.one/august-2024-vicidial ... ty-update/

Secure your system correctly - https://dialer.one/how-to-secure-vicidi ... ly-part-1/

Using the dynamic portal - https://dialer.one/how-to-use-the-built ... r-vicibox/

How to update your SVN - https://dialer.one/how-to-update-your-v ... ubversion/

Hope this helps

Chris
Alma Linux 9.4 | SVN Version: 3889 | DB Schema Version: 1721 | Asterisk 18.21.1 | PHP8
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WA: +19549477572
GC: https://join.skype.com/ujkQ7i5lV78O | DC: https://discord.gg/DVktk6smbh
carpenox
 
Posts: 2418
Joined: Wed Apr 08, 2020 2:02 am
Location: St Petersburg, FL
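
Added example, not part of the original post: a check for step 3 above that flags HTTP/HTTPS left open in the public zone. It assumes the server uses firewalld (the post's "trusted"/"public" zone wording) and parses the output of `firewall-cmd --zone=public --list-all`; the sample zone output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --zone=public --list-all` output,
# not taken from any real server.
SAMPLE_PUBLIC_ZONE='public (active)
  target: default
  interfaces: eth0
  services: http https ssh
  ports: 443/tcp 10000-20000/udp
'

# Reads zone output on stdin and prints one line per exposed web
# service or port. Prints nothing when the zone exposes no HTTP/HTTPS.
audit_public_zone() {
    awk '
        $1 == "services:" {
            for (i = 2; i <= NF; i++)
                if ($i == "http" || $i == "https") print "service " $i
        }
        $1 == "ports:" {
            for (i = 2; i <= NF; i++)
                if ($i == "80/tcp" || $i == "443/tcp") print "port " $i
        }
    '
}

# Exit status 0 when the zone on stdin exposes no HTTP/HTTPS, 1 otherwise.
public_zone_is_closed() {
    [ -z "$(audit_public_zone)" ]
}

# Demo on the constructed sample.
printf '%s' "$SAMPLE_PUBLIC_ZONE" | audit_public_zone

# On a live server (firewalld assumed):
#   firewall-cmd --zone=public --list-all | audit_public_zone
```

Any line printed means the web interface is still reachable from the public zone and should be moved to the trusted zone.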

Re: Dont see any lists and can not control dialing? HACKED

Postby Acidshock » Tue Sep 17, 2024 12:54 am

Yeah just dealt with 3 servers today that had this issue. Also heard from other people having the same issue too.
VERSION: 2.14-698a | BUILD: 190207-2301 | Asterisk:13.24.1-vici | Vicibox 8.1.2
Acidshock
 
Posts: 430
Joined: Wed Mar 03, 2010 3:19 pm

Re: Dont see any lists and can not control dialing? HACKED

Postby JakeBelieve » Tue Sep 24, 2024 9:28 am

Thanks for the input, this is something I'm still currently dealing with. They got in twice. Once yesterday and once on Sept 16th. I was trying to figure out how a strict whitelist wasn't working or who I had let do this. I appreciate the post and any updates on methods to completely eradicate.
Version: 1.4.21.2/2.14-928a | BUILD: 240826-0918 | SVN: 3875 | Asterisk: 16.30.0-vici |Schema | 1718 - Cluster
JakeBelieve
 
Posts: 4
Joined: Tue Feb 28, 2017 9:33 pm

Re: Dont see any lists and can not control dialing? HACKED

Postby carpenox » Tue Sep 24, 2024 11:36 am

If you have updated to the latest SVN, it should not be happening. Make sure to update all servers if it's a cluster. You can also just remove the VERM folder altogether; most people do not use this feature anyways and that's how the enumeration process is gaining hackers access. As far as whitelist goes, not leaving http/https open to the public zone will eliminate all hacker possibilities for these exploits. Feel free to join my skype group for additional questions if you'd like.
Alma Linux 9.4 | SVN Version: 3889 | DB Schema Version: 1721 | Asterisk 18.21.1 | PHP8
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WA: +19549477572
GC: https://join.skype.com/ujkQ7i5lV78O | DC: https://discord.gg/DVktk6smbh
carpenox
 
Posts: 2418
Joined: Wed Apr 08, 2020 2:02 am
Location: St Petersburg, FL

Re: Dont see any lists and can not control dialing? HACKED

Postby williamconley » Fri Sep 27, 2024 9:06 pm

JakeBelieve wrote: Thanks for the input, this is something I'm still currently dealing with. They got in twice. Once yesterday and once on Sept 16th. I was trying to figure out how a strict whitelist wasn't working or who I had let do this. I appreciate the post and any updates on methods to completely eradicate.


Whitelist always works unless: You allow the hacker inside your firewall or leave something open. One of those two must be true.

Check logs, find the IP of the hacker. Be sure they're not allowed.

And be sure mysql credentials are ALL IP locked (not "%"/any ip entries)
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20253
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)
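
Added example, not part of the original post: one way to check the advice above that MySQL credentials are all IP locked. It reads tab-separated user/host rows, as produced by `mysql -N -B -e "SELECT user, host FROM mysql.user"` run from an administrative account, and lists accounts whose host is "%" or contains a "%" wildcard; the sample rows and the function name are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample rows (user<TAB>host), not from a real server.
SAMPLE_ACCOUNTS=$(printf 'root\tlocalhost\ncron\t%%\ncron\t10.0.0.5\ncustom\t192.168.1.%%\n')

# Reads user<TAB>host rows on stdin.
#   ANY-HOST: host is exactly "%", so the account accepts any source IP.
#   PATTERN : host contains "%", so it matches a range and needs review.
# Prints nothing when every account is tied to a fixed host.
find_unlocked_accounts() {
    awk -F '\t' '
        $2 == "%"      { print "ANY-HOST " $1 "@" $2; next }
        index($2, "%") { print "PATTERN " $1 "@" $2 }
    '
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_ACCOUNTS" | find_unlocked_accounts

# On a live server (administrative MySQL account assumed):
#   mysql -N -B -e "SELECT user, host FROM mysql.user" | find_unlocked_accounts
```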

