vtigercrm security warning


Postby shirker » Tue Jul 24, 2012 1:39 pm

Hi, guys.
Just wanted to share my experience. I didn't restrict access through the web, so I was hacked through some vtigercrm module.
This is how they got the config files while the server was overloaded by a DDoS attack:

Code:
12.237.27.3 - - [17/Jul/2012:05:58:10 -0400] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..etc/asterisk/sip.conf%00 HTTP/1.1" 200 6780 "-" "curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
12.237.27.3 - - [17/Jul/2012:05:58:10 -0400] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..etc/asterisk/sip-vicidial.conf%00 HTTP/1.1" 200 6730 "-" "curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
12.237.27.3 - - [17/Jul/2012:05:58:11 -0400] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..etc/asterisk/extensions.conf%00 HTTP/1.1" 200 25732 "-" "curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"


I don't even know how they got a 200 (OK) response. I've tried to retrieve this URL myself, and I always receive 500 (error).
2 X ViciBox_Redux.x86_64-3.1.15.iso(openSUSE 11.3(x86_64))| Vicidial 2.6-375a | Asterisk 1.4.39.2-vici | Cloud | No Digium/Sangoma | No Extra Software | Intel S5000PSL | 2 X Dual Core Xeon 5160@3.00GHz each + MySQL5.1.61 ( Centos6.2 on Dell)
shirker
 
Posts: 18
Joined: Fri Oct 21, 2011 5:21 am
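An added example, not from the original post and not vtiger or VICIdial code: a small Python detector that runs over Apache access-log lines of the kind shirker pasted and flags what makes those requests recognisable as a file-disclosure probe, the `../` sequences, the trailing `%00` (a URL-encoded null byte, which truncated file paths in PHP before 5.3.4) and a target under /etc. It also counts, per source address, the probes that were answered with a 200, since those are the ones where the file was probably served. The log lines inside the block are constructed to mirror the post's requests, with documentation-range source addresses; the list of sensitive paths is an assumption to extend for your own host.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" access-log line; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Files a dialer host must never hand out through a PHP include (assumed list; extend as needed).
SENSITIVE_RE = re.compile(r'etc/(asterisk/[\w.-]+|passwd|shadow|astguiclient\.conf)')

# Constructed sample log, modelled on the requests quoted in the post (documentation IPs).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jul/2012:05:58:10 -0400] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..etc/asterisk/sip.conf%00 HTTP/1.1" 200 6780 "-" "curl/7.15.5"
203.0.113.5 - - [17/Jul/2012:05:58:12 -0400] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=..%252F..%252F..%252Fetc%252Fpasswd%2500 HTTP/1.1" 500 412 "-" "curl/7.15.5"
198.51.100.7 - - [17/Jul/2012:06:01:02 -0400] "GET /vtigercrm/index.php?module=Home&action=index HTTP/1.1" 200 15234 "-" "Mozilla/5.0"
"""


def decode_target(target):
    """Percent-decode up to three rounds so double-encoded probes (%252e%252e) are caught too."""
    prev = None
    for _ in range(3):
        if target == prev:
            break
        prev, target = target, unquote(target)
    return target


def classify(target):
    """Return the reasons a request target looks like a path-traversal / file-inclusion probe."""
    decoded = decode_target(target)
    reasons = []
    if re.search(r'\.\.[/\\]', decoded):
        reasons.append("dot-dot traversal")
    if "\x00" in decoded:
        reasons.append("null-byte truncation")
    m = SENSITIVE_RE.search(decoded)
    if m:
        reasons.append("sensitive file: " + m.group(0))
    return reasons


def scan(lines):
    """Return (ip, status, target, reasons) for every suspicious request in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line (or a truncated one): skip rather than crash
        reasons = classify(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), int(m.group("status")), m.group("target"), reasons))
    return hits


def served_by_ip(hits):
    """Count probes per source IP that got a 200, i.e. where disclosure probably succeeded."""
    return Counter(ip for ip, status, _, _ in hits if status == 200)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for ip, status, target, reasons in hits:
        print(f"{ip} {status} {', '.join(reasons)}\n    {target}")
    print("served:", dict(served_by_ip(hits)))
```

Run it against the real log with `scan(open("/var/log/httpd/access_log"))`; a 200 for a request that names a file under /etc is the line to act on first, whatever the same URL returns when you try it later.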

Re: vtigercrm security warning

Postby williamconley » Tue Jul 24, 2012 11:30 pm

Excellent post. They may have had other post data in the request, I suppose. Or this may have been a tool used to overload the server to acquire data through another port due to the overload.

Another reason to lock the vTiger folder and/or the entire server.

It is possible to put a "company password" on the vTiger folder to restrict access to that folder without actually performing a full lockdown, but once you are a target a full lockdown (whitelist access only) is really your only solution to avoid problems.

Hope it works out.

You could also post your version information so those with the same version can "assess their risk" better ... 8-)
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: vtigercrm security warning

Postby shirker » Mon Jul 30, 2012 9:29 am

I've already removed that server, so I can't post the exact version, but it was the latest build on SUSE x64 from vicibox.com with agc 2.6b0.5.

BTW, I'm not really good at IT, so I didn't get HOW they did the server overloading. I tried to run tcpdump, but I was not able to see anything weird there. It happened suddenly. Asterisk went down with "out of memory" in the log, then httpd-prefork and mysql logged the same. In "top", the load average reached 50%, Swap 100%, wa (input/output queue) was 94%. My guess was an HDD failure. I tried to check with smartctl and hdparm. Everything was fine. So for me it's still a secret.. They just stole SIP configurations and dialplan entries, so they made a few calls through our account at GrnVoIP to Dominicana. Other SIP accounts were bound by IP to providers. Luckily, they didn't connect their servers as a SIP phone. Otherwise we could have lost much more.

And the reason I'm sure that the server got overloaded accidentally is that at that time we had only two or three agents logged in. And they reported that the line was suddenly cut off.

Re: vtigercrm security warning

Postby williamconley » Mon Aug 06, 2012 11:50 pm

The normal "overload" results from a brute-force password attack. You may find a huge number of failed Asterisk SIP registration attempts in the /var/log/asterisk logs or a huge number of ssh login failures in /var/log/messages. The massive number of login attempts can result in an overloaded CPU. The result of this to YOU is a Denial of Service (although that is not the goal of these attempts; they just used all your CPU or bandwidth and the result was a DoS). Their goal is to get a username and password pair to match so they can either make calls through your server or "take over" your server (for use in a botnet or data theft).

sip configuration often contains USER / PASS for your carrier ... which means they could try to pass calls with your credentials and spend your money. If the IP address is locked at the carrier ... they will try to use your server for a "stun" server in the future (bouncing calls through your server's IP to your carrier so the carrier will consider them pre-authenticated).

whitelist time. :)

Re: vtigercrm security warning

Postby shirker » Tue Aug 07, 2012 9:38 am

For those guys who are trying to scan for available SIP accounts, I've made a script, but it's tested/working on CentOS only.
Code:
#!/bin/bash
# Block every source IP that Asterisk logged with "No matching peer found"
# (SIP extension scanning), except the agent LAN 192.168.18.x.
LOG=/var/log/asterisk/messages

# The IP sits in "... failed for '1.2.3.4' - No matching peer found"; pull it out with sed
# rather than a fixed awk column, because the quoted caller-id before it may contain spaces.
for i in $(tail -200 "$LOG" | grep -v "for '192.168.18" | grep "No matching peer found" \
           | sed -n "s/.*failed for '\([0-9.]*\).*/\1/p" | sort -u); do
    # Exact match on the source column of INPUT (without -v, $4 is the source), so 1.2.3.4
    # is not mistaken for an existing entry of 1.2.3.45.
    if /sbin/iptables -nL INPUT | awk -v ip="$i" '$1 == "DROP" && $4 == ip { found = 1 } END { exit !found }'; then
        echo "This IP:$i is already in blacklist"
    else
        # -I inserts at the top, ahead of any ACCEPT rule already in the chain (an appended DROP
        # placed after an ACCEPT for port 5060 would never be reached).
        /sbin/iptables -I INPUT -s "$i" -j DROP
        # outbound packets to that host carry it as the destination, so match with -d
        /sbin/iptables -I OUTPUT -d "$i" -j DROP
        echo "IP $i has been blocked"
    fi
done

It will block all IPs that received the message "No matching peer found", except clients from the network 192.168.18.XXX.
Just add this script to crontab and run it every 2-5 min.
Code:
*/2 * * * * /usr/share/astguiclient/sip_ip2block.sh >>/var/log/sip_ip2block

Re: vtigercrm security warning

Postby williamconley » Tue Aug 07, 2012 11:01 am

You just REALLY don't want to set up whitelist iptables, do you? LOL

You must also perform this task for ssh failures, then. Brute force happens on more than just SIP (and will shut down your server just as badly regardless of the protocol in use!)
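An added example (not from either poster, and not VICIdial code) of the log review williamconley describes in the two posts above: it counts failed SIP registrations from the Asterisk messages log and failed SSH logins from /var/log/secure per source address, ignores a whitelisted agent network, and emits the iptables commands for anything over a threshold instead of running them, so the list can be checked before it is applied. The log lines are constructed; the threshold, the whitelist and the log formats (Asterisk 1.4/1.6 chan_sip and OpenSSH on CentOS) are assumptions to adjust for your own box.

```python
import ipaddress
import re
from collections import Counter

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# chan_sip NOTICE in /var/log/asterisk/messages (Asterisk 1.4/1.6; 1.8 appends ':port' to the address)
SIP_FAIL_RE = re.compile(r"failed for '" + IPV4 + r"(?::\d+)?' - (?:No matching peer found|Wrong password)")
# sshd failures in /var/log/secure (CentOS) or /var/log/messages (other distributions)
SSH_FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from " + IPV4 + r" port \d+")

# Constructed sample: one host probing SIP extensions and SSH, one agent mistyping a password
# on the LAN, and one lone SSH failure that should stay below the threshold.
SAMPLE_LINES = """\
[Aug  7 09:12:01] NOTICE[2345] chan_sip.c: Registration from '"1001" <sip:1001@203.0.113.9>' failed for '198.51.100.23' - No matching peer found
[Aug  7 09:12:01] NOTICE[2345] chan_sip.c: Registration from '"1002" <sip:1002@203.0.113.9>' failed for '198.51.100.23' - No matching peer found
[Aug  7 09:12:02] NOTICE[2345] chan_sip.c: Registration from '"1003" <sip:1003@203.0.113.9>' failed for '198.51.100.23' - No matching peer found
[Aug  7 09:12:02] NOTICE[2345] chan_sip.c: Registration from '"admin" <sip:admin@203.0.113.9>' failed for '198.51.100.23' - No matching peer found
[Aug  7 09:12:05] NOTICE[2345] chan_sip.c: Registration from '"agent7" <sip:agent7@203.0.113.9>' failed for '192.168.18.41' - Wrong password
Aug  7 09:12:03 dialer sshd[4111]: Failed password for invalid user admin from 198.51.100.23 port 50311 ssh2
Aug  7 09:12:04 dialer sshd[4113]: Failed password for root from 198.51.100.23 port 50312 ssh2
Aug  7 09:12:09 dialer sshd[4120]: Failed password for root from 192.0.2.77 port 40022 ssh2
"""


def count_failures(lines, whitelist=("192.168.18.0/24",)):
    """Failed SIP + SSH authentications per source IP, skipping whitelisted networks."""
    nets = [ipaddress.ip_network(n) for n in whitelist]
    counts = Counter()
    for line in lines:
        m = SIP_FAIL_RE.search(line) or SSH_FAIL_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # e.g. 999.1.1.1 slipped past the loose regex; never feed that to iptables
        if any(ip in net for net in nets):
            continue
        counts[str(ip)] += 1
    return counts


def offenders(lines, threshold=5, whitelist=("192.168.18.0/24",)):
    """Addresses at or above the failure threshold, sorted for stable output."""
    return sorted(ip for ip, n in count_failures(lines, whitelist).items() if n >= threshold)


def block_commands(ips, already_blocked=()):
    """iptables commands to drop the offenders; -I puts the DROP ahead of any ACCEPT already in the chain."""
    skip = set(already_blocked)
    return [f"/sbin/iptables -I INPUT -s {ip} -j DROP" for ip in ips if ip not in skip]


if __name__ == "__main__":
    bad = offenders(SAMPLE_LINES.splitlines())
    for cmd in block_commands(bad):
        print(cmd)
```

Feed it real input with `offenders(open("/var/log/asterisk/messages")) + offenders(open("/var/log/secure"))` from cron; correlating the two logs per address is what a separate fail2ban jail per service does not give you.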

Re: vtigercrm security warning

Postby shirker » Tue Aug 07, 2012 11:36 am

williamconley wrote:you just REALLY don't want to set up whitelist ip tables, do you? LOL

I mean, this is in case you can't design a whitelist for some reason. Example: if you have home-based agents that don't have dedicated IPs.
So these ports will be open:
UDP 5060
TCP 80
UDP 10000-20000
Then the mentioned script + fail2ban will be very useful.

For now we don't have freelancers anymore, so we've blocked everything from the internet.

Useful command to get the IP address list of all SIP trunks that need to be added to the whitelist:
Code:
grep -h "^host=" /etc/asterisk/sip* | grep -v dynamic | awk -F= '{print $2}' | sort -u

Re: vtigercrm security warning

Postby williamconley » Tue Aug 07, 2012 12:41 pm

We also have a "dynamic good guys" system we use to have a page on port 81 that can add an authorized ip address thus unlocking ports 80 (with the real vicidial website) and 5060 etc for sip communications. It is even possible to put this script on another server to avoid any exposure on the Vicidial machine.

Re: vtigercrm security warning

Postby shirker » Tue Aug 07, 2012 1:17 pm

williamconley wrote:We also have a "dynamic good guys" system we use to have a page on port 81 that can add an authorized ip address thus unlocking ports 80 (with the real vicidial website) and 5060 etc for sip communications....

That's a really good idea :D It's even possible to run something like lighttpd on that port, so it won't clash with apache and its user. This is what I need to work out in the future.

Re: vtigercrm security warning

Postby williamconley » Tue Aug 07, 2012 1:20 pm

Look at xt_recent (iptables module). With that you can have a "good guy" list that can be added to without restarting/reloading etc.

Adding and removing entries is easy and the resulting "list" can be used in filters in iptables to authorize or fail.

Creating a table to manage them will give you the ability to restart/reload these entries on reboot in addition to "no hesitation" add and delete. On the other hand, most of our clients prefer "forget" on reboot so the dynamic entries are forgotten and the clients need to authenticate again each day.
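An added example that is neither poster's code nor PoundTeam's "dynamic good guys" system, tying together shirker's trunk-extraction one-liner and williamconley's xt_recent suggestion: it parses the static host= peers out of sip.conf text, validates every source before it can reach iptables, and generates a whitelist-only INPUT ruleset for the three exposed ports in which an address present in an xt_recent list is accepted alongside the static entries. The rules are returned as strings rather than executed; the sip.conf fragment is constructed, and the list name goodguys, the 24-hour lifetime and the admin network are assumptions.

```python
import ipaddress
import re

HOST_RE = re.compile(r"^\s*host\s*=\s*(?P<host>\S+)", re.M)
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")

# Ports the dialer keeps open to agents and carriers (shirker's list above).
EXPOSED = [("udp", "5060"), ("tcp", "80"), ("udp", "10000:20000")]
RECENT_LIST = "goodguys"   # xt_recent list name: an assumption
RECENT_TTL = 86400         # seconds after which a dynamically authorised IP must log in again

# Constructed sip.conf fragment: two carriers with static hosts, one agent registering dynamically.
SAMPLE_SIP_CONF = """\
[general]
context=default
[grnvoip]
type=peer
host=203.0.113.20
[backup-carrier]
type=peer
host=sip.example.net
[1001]
type=friend
host=dynamic
"""


def trunk_hosts(sip_conf_text):
    """Static host= values, minus 'dynamic' peers, in file order without duplicates."""
    hosts = []
    for m in HOST_RE.finditer(sip_conf_text):
        h = m.group("host")
        if h.lower() != "dynamic" and h not in hosts:
            hosts.append(h)
    return hosts


def check_source(src):
    """Accept an IP, a CIDR or a hostname; raise ValueError on anything else (never paste typos into a firewall)."""
    try:
        ipaddress.ip_network(src, strict=False)
        return src
    except ValueError:
        if HOSTNAME_RE.match(src) and not re.fullmatch(r"[\d.]+", src):
            return src  # iptables resolves a hostname once, at insert time
        raise ValueError(f"not an address, network or hostname: {src!r}")


def ruleset(trunks, static_clients, admin_net):
    """iptables(8) commands for a whitelist-only INPUT chain with an xt_recent 'good guys' escape hatch."""
    sources = [check_source(s) for s in list(trunks) + list(static_clients)]
    check_source(admin_net)
    rules = [
        "iptables -P INPUT DROP",
        "iptables -F INPUT",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A INPUT -p tcp --dport 22 -s {admin_net} -j ACCEPT",
        # the unlock page on port 81 is reachable by anyone; it must authenticate before writing to the list
        "iptables -A INPUT -p tcp --dport 81 -j ACCEPT",
    ]
    for proto, port in EXPOSED:
        for src in sources:
            rules.append(f"iptables -A INPUT -p {proto} --dport {port} -s {src} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p {proto} --dport {port} -m recent --name {RECENT_LIST} "
                     f"--rcheck --seconds {RECENT_TTL} -j ACCEPT")
    return rules


def authorize_cmd(ip):
    """Shell command the port-81 page runs after a successful login; takes effect without reloading rules."""
    ipaddress.ip_address(ip)
    return f"echo +{ip} > /proc/net/xt_recent/{RECENT_LIST}"


def revoke_cmd(ip):
    """Drop one address from the list early (the --seconds window expires it otherwise)."""
    ipaddress.ip_address(ip)
    return f"echo -{ip} > /proc/net/xt_recent/{RECENT_LIST}"


if __name__ == "__main__":
    print("\n".join(ruleset(trunk_hosts(SAMPLE_SIP_CONF), ["198.51.100.0/24"], "192.0.2.10")))
    print(authorize_cmd("203.0.113.77"))
```

Two things to know before relying on it: the /proc/net/xt_recent/goodguys file only exists once a rule naming that list has been loaded, and the xt_recent module keeps at most 100 addresses per list unless it is loaded with a larger ip_list_tot parameter. Because the list lives in kernel memory, a reboot empties it, which is the "forget on reboot" behaviour williamconley's clients prefer; persisting it means replaying the authorize commands from your own table at boot.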

