Trixbox Hacked


We have a Trixbox and it's just been hacked. We have the Trixbox on VMware running on our server; the Trixbox was on its own public IP but on the same network as the server, i.e. server and Trixbox. The hacker has, it seems, created a new extension (200) and been connecting to this extension and making international calls. The Trixbox was locked down to only allow traffic on UDP (all ports).

Can anyone help and assist in:

A. How do I check my config to see if there are open/security holes?
B. Can I run a report and get the IP addresses of the user who connected in?
C. Is it safe to have the Trixbox on the same server?
D. Can I find out how the user got connected?



If an extension is connected, its IP shows up in the GUI for Trixbox, surely. I can't recall exactly what and where, but I do remember being able to see the active SIP and IAX sessions and their endpoint addresses.

Have you changed the passwords from the defaults?

You may find helpful.

If the Trixbox IP is separate then there's little direct risk to the VM host.
DHTSAuthor Commented:
Hi, thanks. The Trixbox is offline at the moment, so I need to get the history of the IP that was used to connect into the system and make these calls last week.

If someone hacked the system via the public IP of the actual server, wouldn't it be easy to access the Trixbox VM as it's in the same subnet? We had the system set up by someone and don't know if it's been done correctly.

I think it must have happened via voicemail, so I've been told. I need to write up what's happened, so I need to find out as much info about the hack as possible.

Thanks again

There was a vulnerability in the voicemail application at one point that compromised boxes. It was usually the fault of having insecure passwords.

My suggestion is to:

1. Upgrade to the newest version of Trixbox if you have not done so already.
2. Check the logs. /var/log/asterisk/ should contain the logs of SIP authentication attempts against your system. It should be relatively obvious when you find the offending IP address because it will have been a brute force attack over and over from the same IP or same subnet.
3. If Trixbox supports it (I believe it runs CentOS or a version thereof) you need to firewall / filter all SIP connections except those from known sources if possible. If possible, I recommend ufw (uncomplicated firewall); however, that may only be an Ubuntu application. The point is... deny from unknown IPs.
4. Make sure you have ridiculously strong passwords for your SIP accounts. 16 characters, uppercase, lowercase, and symbols.

The next possible issue is that you had weak passwords in the amp portal or the GUI itself. If they created a new extension that is actually showing up in the portal itself, then they cracked your password from your web GUI. Anything less than 10 characters is fairly easily crackable, especially with dictionary ciphers, so if you used words in your password and had it on a public IP... it was only a matter of time. Again, if you only allow HTTP / HTTPS traffic from a known good subnet, this becomes a moot point because you could use Banana as your password and it wouldn't matter from the outside, because the packets would be dropped before authentication would even have the opportunity to take place. (PS... don't use banana as your password. Period.)

Bottom line... you need to check your logs to see what probably took place.

See / post logs from:
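One way to do the log check described in step 2 of the answer above, as an added example that is not part of the original answer: a Python script that walks Asterisk's full log, counts failed SIP registrations per source IP (the "Registration from ... failed for ..." notices chan_sip writes) and then flags any extension that successfully registered from an IP that had been hammering the box. The log lines embedded below are constructed in that layout with documentation IP addresses; they are not the poster's logs, and the threshold of three failures is an arbitrary choice.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the layout of /var/log/asterisk/full on an Asterisk
# 1.4-era Trixbox. These are NOT the poster's log lines; IPs are RFC 5737
# documentation addresses. 203.0.113.45 guesses several extensions and then
# registers 100 successfully; 198.51.100.7 fails once; 192.0.2.25 is a
# legitimate LAN phone.
SAMPLE_LOG = """\
[Jun 21 23:10:01] NOTICE[2781] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.45' - Wrong password
[Jun 21 23:10:01] NOTICE[2781] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.45' - Wrong password
[Jun 21 23:10:02] NOTICE[2781] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.45' - No matching peer found
[Jun 21 23:10:02] NOTICE[2781] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.45' - Wrong password
[Jun 21 23:10:03] NOTICE[2781] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.45' - Wrong password
[Jun 21 23:10:05] VERBOSE[2781] logger.c:     -- Registered SIP '100' at 203.0.113.45 port 5062 expires 3600
[Jun 21 23:11:00] NOTICE[2781] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Jun 21 23:12:40] VERBOSE[2781] logger.c:     -- Registered SIP '101' at 192.0.2.25 port 5060 expires 120
"""

# Failed registration; newer Asterisk versions append ':port' to the IP, so
# allow it optionally.
FAIL_RE = re.compile(
    r"Registration from '(?P<peer>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$")
# Successful registration.
REG_RE = re.compile(r"Registered SIP '(?P<ext>[^']+)' at (?P<ip>[\d.]+) port (?P<port>\d+)")
# Extension name inside the quoted peer, e.g. '"100" <sip:100@host>'.
EXT_RE = re.compile(r"<sip:([^@>]+)@")


def parse_log(text):
    """Return registration events as (kind, ext, ip, extra) tuples."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            em = EXT_RE.search(m.group("peer"))
            ext = em.group(1) if em else m.group("peer")
            events.append(("fail", ext, m.group("ip"), m.group("reason")))
            continue
        m = REG_RE.search(line)
        if m:
            events.append(("register", m.group("ext"), m.group("ip"), m.group("port")))
    return events


def failures_by_ip(events):
    """Map source IP -> {'count': failed attempts, 'exts': extensions tried}."""
    per_ip = defaultdict(lambda: {"count": 0, "exts": set()})
    for kind, ext, ip, _ in events:
        if kind == "fail":
            per_ip[ip]["count"] += 1
            per_ip[ip]["exts"].add(ext)
    return per_ip


def brute_force_sources(events, threshold=3):
    """IPs with at least `threshold` failed registrations, most active first."""
    hits = [(ip, d["count"], sorted(d["exts"]))
            for ip, d in failures_by_ip(events).items() if d["count"] >= threshold]
    return sorted(hits, key=lambda h: -h[1])


def suspicious_registrations(events, threshold=3):
    """Successful registrations coming from an IP that was also brute-forcing."""
    bad_ips = {ip for ip, _, _ in brute_force_sources(events, threshold)}
    return [(ext, ip, port) for kind, ext, ip, port in events
            if kind == "register" and ip in bad_ips]


if __name__ == "__main__":
    # Usage: python3 sip_bruteforce.py /var/log/asterisk/full  (sample if no file given)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    events = parse_log(text)
    for ip, n, exts in brute_force_sources(events):
        print("%s: %d failed registrations against extensions %s" % (ip, n, ", ".join(exts)))
    for ext, ip, port in suspicious_registrations(events):
        print("extension %s registered from %s:%s, an IP that was guessing passwords" % (ext, ip, port))
```

On a real box the interesting output is the second list: an extension that registered from the same address that had just been guessing passwords is the account the caller used, and that IP is the one to report to the telco. A single failure from an IP is normal (a phone with a stale password); hundreds in a minute from one address is the brute force the answer describes.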


DHTSAuthor Commented:
Thanks, I don't have much knowledge of the Linux CLI. The server has a webadmin console (FreePBX) I can access; I'm trying to get the log files from the var directory. Is there an easy way via a browser or this FreePBX (is FreePBX Trixbox??)?

Also, on the home page of FreePBX it says "Warning: You are running freePBX and asterisk with the default manager pass. You should consider changing this to something else. (Help)

Warning: You are running freePBX and mysql with the default password (Help)

To log in to the CLI (this Trixbox :), the root and maint passwords are changed and are not the system default.

Sorry to be a pain, but I have to report to the directors why the system allowed someone to ring up over £1000 of international calls; I would have thought the telco provider would have blocked them sooner!

Can I retrieve the user/voicemail passwords for the CLI so I can see what they are?

The version of Trixbox/FreePBX/CentOS is:

CentOS release 4.4 (Final)
Kernel 2.6.9-34.0.2EL on an i686

Thank you.
DHTSAuthor Commented:
I've just gone through the FreePBX web interface, and under all the extensions there is a box that says "this device uses SIP technology", and the box underneath that's labelled "secret" has the extension number in it. Is this the SIP password?! If so, do you think this is how they got access?

Also, is it possible to find out when and by whom my extension 100 (the extension that was used to make all the international calls) was created? Would you say that someone got in via the web console, created an extension and connected to it? How could this happen if only UDP (all ports) were open to the Trixbox public IP?

Could they have got in via the server LAN card (HTTP) and got access to the VMware card of the Trixbox as they were in the same subnet, i.e. and


DHTSAuthor Commented:
Found the log files; there are hundreds. Below are some extracts. The highest day was 21/June.

Note extension 100 isn't a used extension; it just says test. None of the log files show the IP address of the call made, only the extension, i.e. SIP/100-09d71b10. The secure logs are empty or zero bytes.

845xxxxxxx      672372752      from-internal      845xxxxxxx      SIP/100-09d71b10      SIP/outbound-09d91420      Playback      pls-try-call-later|noanswer      21/06/2010 23:45            21/06/2010 23:45      3      0      FAILED      DOCUMENTATION
845xxxxxxx      672372751      from-internal      845xxxxxxx      SIP/100-09d71b10      SIP/outbound-09d91420      Playback      pls-try-call-later|noanswer      21/06/2010 23:47            21/06/2010 23:47      3      0      FAILED      DOCUMENTATION

845xxxxxxx      672372751      from-internal      845xxxxxxx      SIP/100-09d5eb58      SIP/outbound-09d76d20      ResetCDR      w      21/06/2010 23:27      21/06/2010 23:28      21/06/2010 23:48      1210      1201      ANSWERED      DOCUMENTATION
845xxxxxxx      672372751      from-internal      845xxxxxxx      SIP/100-09d6c150      SIP/outbound-09d840a0      ResetCDR      w      21/06/2010 23:28      21/06/2010 23:28      21/06/2010 23:48      1214      1201      ANSWERED      DOCUMENTATION

Access_log (httpd)
------------- - - [20/Jun/2010:16:11:37 +0100] "GET HTTP/1.1" 404 296 "" "webcollage/1.135a"
- - [21/Jun/2010:01:06:19 +0100] "GET HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv: Gecko/20080201 Firefox/"
- - [21/Jun/2010:10:29:03 +0100] "GET HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
- - [21/Jun/2010:17:05:11 +0100] "GET /xmlservices/PhoneDirectory.php?locale=English_United_States&name=SEP001E4A0BACA9 HTTP/1.1" 200 500 "-" "Allegro-Software-WebClient/4.34"
- - [22/Jun/2010:16:10:17 +0100] "GET HTTP/1.1 HTTP/1.1" 400 305 "-" "Toata dragostea mea pentru diavola"
- - [22/Jun/2010:16:10:17 +0100] "GET /e107_files/e107.css HTTP/1.1" 404 296 "-" "Toata dragostea mea pentru diavola"

Error_log (httpd)
[Sun Jun 27 04:02:07 2010] [notice] Digest: generating secret for digest authentication ...
[Sun Jun 27 04:02:07 2010] [notice] Digest: done
[Sun Jun 27 04:02:08 2010] [notice] Apache/2.0.52 (CentOS) configured -- resuming normal operations
[Sun Jun 27 07:39:47 2010] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sun Jun 27 08:11:23 2010] [error] [client] File does not exist: /var/www/html/mysql

The Trixbox is offline and is going to be rebuilt, so any personal information in the logs is now redundant and will be changed.

Sorry about the multiple posts.
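The CDR rows posted above carry enough to attribute the calls even without a source IP: the source channel (SIP/100-...) names the extension, and the duration, billsec and disposition columns give the airtime. As an added example that is not part of the original thread, the script below parses rows in that layout, groups them by extension and flags the ones showing the pattern seen here (long answered calls placed late at night). It reuses the four posted rows plus one constructed daytime row for extension 101 for contrast; the column positions are assumed from the standard Asterisk CDR field order, and the 08:00-18:00 "business hours" window and the flagging thresholds are assumptions, not anything the thread specifies.

```python
import re
import sys
from datetime import datetime

# The four rows the poster extracted from the CDR report (tab gaps rendered as
# runs of spaces), plus one CONSTRUCTED row for a legitimate daytime call from
# extension 101 so the grouping has something to compare against.
SAMPLE_CDR = """\
845xxxxxxx      672372752      from-internal      845xxxxxxx      SIP/100-09d71b10      SIP/outbound-09d91420      Playback      pls-try-call-later|noanswer      21/06/2010 23:45            21/06/2010 23:45      3      0      FAILED      DOCUMENTATION
845xxxxxxx      672372751      from-internal      845xxxxxxx      SIP/100-09d71b10      SIP/outbound-09d91420      Playback      pls-try-call-later|noanswer      21/06/2010 23:47            21/06/2010 23:47      3      0      FAILED      DOCUMENTATION
845xxxxxxx      672372751      from-internal      845xxxxxxx      SIP/100-09d5eb58      SIP/outbound-09d76d20      ResetCDR      w      21/06/2010 23:27      21/06/2010 23:28      21/06/2010 23:48      1210      1201      ANSWERED      DOCUMENTATION
845xxxxxxx      672372751      from-internal      845xxxxxxx      SIP/100-09d6c150      SIP/outbound-09d840a0      ResetCDR      w      21/06/2010 23:28      21/06/2010 23:28      21/06/2010 23:48      1214      1201      ANSWERED      DOCUMENTATION
845xxxxxxx      672372750      from-internal      845xxxxxxx      SIP/101-0a12b3c4      SIP/outbound-0a12c5d6      Dial      SIP/outbound/01onnnnnnnnn|300|tr      21/06/2010 14:05      21/06/2010 14:05      21/06/2010 14:09      241      236      ANSWERED      DOCUMENTATION
"""

DATE_RE = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}")
# Asterisk channel names look like TECH/name-uniqueid; the name is the extension.
CHANNEL_RE = re.compile(r"^(?:SIP|IAX2|DAHDI|Zap)/([^-]+)-")

# Assumed local business hours; calls outside them count as "after hours".
WORK_START_HOUR, WORK_END_HOUR = 8, 18


def extension_from_channel(channel):
    m = CHANNEL_RE.match(channel)
    return m.group(1) if m else channel


def parse_cdr(text):
    """Parse whitespace-separated CDR rows into dicts of the fields we need."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = re.split(r"\s{2,}", line.strip())
        # Assumed standard Asterisk CDR order: channel is the 5th column and
        # the row ends ... start, answer, end, duration, billsec, disposition,
        # amaflags. The blank 'answer' of a failed call collapses when
        # splitting, so timestamps are located by pattern, not by position.
        stamps = [f for f in fields if DATE_RE.fullmatch(f)]
        records.append({
            "channel": fields[4],
            "ext": extension_from_channel(fields[4]),
            "start": datetime.strptime(stamps[0], "%d/%m/%Y %H:%M"),
            "end": datetime.strptime(stamps[-1], "%d/%m/%Y %H:%M"),
            "duration": int(fields[-4]),
            "billsec": int(fields[-3]),
            "disposition": fields[-2],
        })
    return records


def summarize_by_extension(records):
    """Per extension: call count, answered count, billable seconds, after-hours calls."""
    summary = {}
    for r in records:
        s = summary.setdefault(r["ext"], {"calls": 0, "answered": 0, "billsec": 0, "after_hours": 0})
        s["calls"] += 1
        if r["disposition"] == "ANSWERED":
            s["answered"] += 1
            s["billsec"] += r["billsec"]
        if not (WORK_START_HOUR <= r["start"].hour < WORK_END_HOUR):
            s["after_hours"] += 1
    return summary


def flagged_extensions(records, max_minutes=30, max_after_hours=2):
    """Extensions with more billable airtime or after-hours calls than the (assumed) limits."""
    return sorted(ext for ext, s in summarize_by_extension(records).items()
                  if s["billsec"] >= max_minutes * 60 or s["after_hours"] >= max_after_hours)


if __name__ == "__main__":
    # Usage: python3 cdr_by_ext.py exported_rows.txt  (sample rows if no file given)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CDR
    records = parse_cdr(text)
    for ext, s in sorted(summarize_by_extension(records).items()):
        print("ext %s: %d calls, %d answered, %d billable seconds, %d after hours"
              % (ext, s["calls"], s["answered"], s["billsec"], s["after_hours"]))
    print("flagged:", ", ".join(flagged_extensions(records)))
```

Run over the whole export rather than a few rows, the per-extension totals are what a write-up for the directors needs (which account, how many minutes, when), and the same script doubles as a nightly check on the rebuilt box: a "test" extension accumulating 40 minutes of answered calls at 23:00 should never look normal.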


If you don't have Linux knowledge, then the only thing you can do is reinstall the box.

Since you did not change the default user/pass, that means the hackers have not only gained access but elevated privileges, and you no doubt have a rootkit or a backdoor on the system, because I guarantee they are maintaining access. Moreover, they now have access to your entire network via SSH tunnels. It is possible your ENTIRE network has been compromised.

Your only choice is to wipe the hard drive (or VM in this case) and completely re-install Trixbox on a clean setup.

I hate to be the bearer of this bad news, because it sucks, but without the skill set to fix the issue, a re-install is the only way to go. It's also faster.

Oh... and don't bother backing up your configs to restore them later; that will leave you open to attack again. You will need to actually re-set up the box. (Of course you could try it if you want to risk another 1,000 pounds in long distance.)

After you re-set up the box, I would highly advise that you harden the box. There is nothing wrong with having your Trixbox on a public IP, but leaving the DEFAULT password set is like having a pile of gold in your house, then removing all the doors and putting signs up in your front yard that say "Please don't take my free gold that is in my house. I don't own a gun and I am not home. I am trusting all of you out there to leave my gold alone. It's shiny and pretty and mine. Please no touchy..... and oh.... if you do take my gold, I won't be able to punish you, but instead I will have to tear my house down and rebuild it from scratch."

As far as the other machines on the network, if they have weak passwords, you are now the proud owner of an entire network audit.

The "secret" on an extension is the password used to allow a SIP session to be established with that extension as the ID. The practice of putting the extension number in as the password is a big vulnerability, as people can sniff for Asterisk / Trixbox servers and then attempt to register an extension.

The use of an extension to make calls may be the extent of the "hacking", unless new extensions etc. were created. Did the relevant one exist before?

The messages below were fairly big clues; with passwords at default, anyone that could get access to the web interface could change stuff:

"also on the home page of freepbx it says  "Warning: You are running freePBX and asterisk with the default manager pass. You should consider changing this to something else. (Help)

Warning: You are running freePBX and mysql with the default password (Help)"
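To find every extension with the weakness described in this answer before an attacker does, here is an added example (not from the original answer or from FreePBX): a Python audit of sip_additional.conf-style sections that flags a secret equal to the extension number, a missing secret, an all-digit secret, one shorter than the 16 characters the earlier answer recommends, or one missing a character class. The config text below is constructed; on a real Trixbox you would point it at /etc/asterisk/sip_additional.conf, the file FreePBX generates from the extension pages.

```python
import re
import sys

# CONSTRUCTED sample in the layout of FreePBX's sip_additional.conf; not taken
# from the poster's box. 100 has the extension-as-secret mistake from the
# thread, 101 the "Banana" password joked about earlier, 102 a strong secret,
# 103 no secret at all.
SAMPLE_SIP_CONF = """\
; generated file, edits are lost on reload
[100]
type=friend
secret=100
host=dynamic
context=from-internal

[101]
type=friend
secret=Banana
host=dynamic
context=from-internal

[102]
type=friend
secret=7kQ!v2pZ#m9Lx4Rw
host=dynamic
context=from-internal

[103]
type=friend
host=dynamic
context=from-internal
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]")
# Asterisk accepts both 'key=value' and 'key => value'.
KV_RE = re.compile(r"^([^=]+?)\s*=>?\s*(.*)$")

MIN_LEN = 16
CHAR_CLASSES = (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]"))


def parse_sip_conf(text):
    """Minimal Asterisk .conf parser: {section: {key: value}}. ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return sections


def audit_secret(ext, secret, min_len=MIN_LEN):
    """Return a list of findings for one extension's secret (empty list = OK)."""
    if not secret:
        return ["no secret set"]
    findings = []
    if secret == ext:
        findings.append("secret equals the extension number")
    if secret.isdigit():
        findings.append("secret is all digits")
    if len(secret) < min_len:
        findings.append("shorter than %d characters" % min_len)
    for name, pattern in CHAR_CLASSES:
        if not re.search(pattern, secret):
            findings.append("no %s character" % name)
    return findings


def audit_conf(text, min_len=MIN_LEN):
    """Audit every section that declares a SIP peer/friend/user."""
    return {ext: audit_secret(ext, sec.get("secret"), min_len)
            for ext, sec in parse_sip_conf(text).items()
            if sec.get("type") in ("friend", "peer", "user")}


if __name__ == "__main__":
    # Usage: python3 sip_secret_audit.py /etc/asterisk/sip_additional.conf  (sample if no file)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SIP_CONF
    for ext, findings in sorted(audit_conf(text).items()):
        print("[%s] %s" % (ext, "; ".join(findings) if findings else "OK"))
```

The check deliberately treats an all-digit secret as a finding on its own: SIP scanners try the extension number and short numeric sequences first because that is what phones are provisioned with by default, and a registration guessed that way leaves nothing in the web GUI to notice.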
Is there an update on this?
DHTSAuthor Commented:
Hi all, thanks for all your advice and comments. We have deleted the VM and are going to rebuild a new system. I've written my report and the directors are not happy! Is FreePBX the best flavour/web GUI?

I've shared points between you all.

Thanks again.

You indicated that someone else installed the Trixbox for you. If someone needs to be thrown under the bus it would be the person who installed it for:

1. Not changing the default user / pass for you
2. Not educating you why it needs to be done.
3. Not nagging you to do it.

It's just plain negligence on their part.

Trixbox is fine (not my favorite flavor of Asterisk, but that's personal opinion). You just need to make sure you harden the box. The most basic steps of which I cover in an article on our company blog:

"Hackers Guide to Being Hacked: How “Bad Guys” Take Control, and How to Take it Back."