Solved

Trixbox Hacked

Posted on 2010-08-15
Last Modified: 2013-11-12
Hi

We have a Trixbox and it's just been hacked. We have the Trixbox on VMware running on our server; the Trixbox was on its own public IP but on the same network as the server, i.e. 192.168.0.1 server and 192.168.0.100 Trixbox. The hacker has, it seems, created a new extension (200) and been connecting to this extension and making international calls. The Trixbox was locked down to only allow traffic on UDP (all ports).

Can anyone help and assist in:

A. How do I check my config to see if there are open/security holes?
B. Can I run a report and get IP addresses of the user who connected in?
C. Is it safe to have the Trixbox on the same server?
D. Can I find out how the user got connected?

Thanks

Question by:DHTS

11 Comments
LVL 11

Expert Comment

by:yarwell
if an extension is connected its IP shows up in the GUI for Trixbox, surely. I can't recall exactly what and where but I do remember being able to see the active SIP and IAX sessions and their endpoint addresses.

Have you changed the passwords from the defaults?

You may find http://www.packtpub.com/article/securing-your-trixbox-server helpful.

If the Trixbox IP is separate then there's little direct risk to the VM host.
LVL 1

Author Comment

by:DHTS
Hi, thanks. The Trixbox is offline at the moment, so I need to get the history of the IP that was used to connect into the system and make these calls last week.

If someone hacked the system via the public IP of the actual server, wouldn't it be easy to access the Trixbox VM machine as it's in the same subnet? We had the system set up by someone and don't know if it's been done correctly.

I think it must have happened via voicemail, so I've been told. I need to write up what's happened, so I need to find out as much info about the hack as possible.

Thanks again

LVL 32

Expert Comment

by:DrDamnit
There was a vulnerability in the voicemail application at one point that compromised boxes. It was usually the fault of having insecure passwords.

My suggestion is to:

1. Upgrade to the newest version of Trixbox if you have not done so already
2. Check the logs. /var/log/asterisk/ should contain the logs of SIP authentication attempts against your system. It should be relatively obvious when you find the offending IP address because it will have been a brute force attack over and over from the same IP or same subnet.
3. If Trixbox supports it (I believe it runs CentOS or a version thereof) you need to firewall / filter all SIP connections except those from known sources if possible. If possible, I recommend ufw (uncomplicated firewall); however, that may only be an Ubuntu application. The point is... deny from unknown IPs.
4. Make sure you have ridiculously strong passwords for your SIP accounts. 16 characters, uppercase, lowercase, and symbols.

The next possible issue is that you had weak passwords in the amp portal or the GUI itself. If they created a new extension that is actually showing up in the portal itself, then they cracked your password from your web GUI. Anything less than 10 characters is fairly easily crackable, especially with dictionary ciphers, so if you used words in your password and had it on a public IP... it was only a matter of time. Again, if you only allow HTTP / HTTPS traffic from a known good subnet, this becomes a moot point because you could use Banana as your password and it wouldn't matter from the outside because the packets would be dropped before authentication would even have the opportunity to take place. (PS... don't use banana as your password. Period.)

Bottom line... you need to check your logs to see what probably took place.

See / post logs from:

/var/log/httpd
/var/log/asterisk/
/var/log/secure/
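As an added example (not code from the thread, Trixbox or Asterisk), this Python script does the log check described in step 2 above over a few constructed lines in the Asterisk 1.4-era /var/log/asterisk/full format: it counts failed SIP registrations per source IP, records how many extensions each source tried, and flags any source that brute-forced and then registered successfully. The sample lines, the IP addresses and the threshold of 3 are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Asterisk 1.4-era /var/log/asterisk/full format.
# The "failed for" field is where the source IP of each attempt appears.
SAMPLE_LOG = """\
[Jun 21 23:40:01] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@192.168.0.100>' failed for '203.0.113.7' - Wrong password
[Jun 21 23:40:02] NOTICE[2345] chan_sip.c: Registration from '"101" <sip:101@192.168.0.100>' failed for '203.0.113.7' - No matching peer found
[Jun 21 23:40:02] NOTICE[2345] chan_sip.c: Registration from '"102" <sip:102@192.168.0.100>' failed for '203.0.113.7' - Wrong password
[Jun 21 23:40:03] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@192.168.0.100>' failed for '203.0.113.7:5060' - Wrong password
[Jun 21 23:41:10] NOTICE[2345] chan_sip.c: Registration from '"201" <sip:201@192.168.0.100>' failed for '192.168.0.55' - Wrong password
[Jun 21 23:45:01] VERBOSE[2345] logger.c:     -- Registered SIP '100' at 203.0.113.7 port 5060 expires 3600
"""

# Newer Asterisk builds append ":port" to the address, so it is optional here.
FAILED_RE = re.compile(
    r"NOTICE\[\d+\] chan_sip\.c: Registration from '(?P<from>[^']*)' "
    r"failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.*)$"
)
REGISTERED_RE = re.compile(r"Registered SIP '(?P<peer>[^']+)' at (?P<ip>[\d.]+) port \d+")

def analyse_sip_log(text, threshold=3):
    """Count failed registrations per source IP, record successful
    registrations, and flag sources that brute-forced and then got in."""
    failures = Counter()
    tried = defaultdict(set)
    registered = {}
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            tried[m["ip"]].add(m["from"])
            continue
        m = REGISTERED_RE.search(line)
        if m:
            registered[m["peer"]] = m["ip"]
    suspects = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {
        "failures": dict(failures),
        "extensions_tried": {ip: len(s) for ip, s in tried.items()},
        "registered": registered,
        "suspects": suspects,
        "brute_force_then_login": sorted(set(suspects) & set(registered.values())),
    }

if __name__ == "__main__":
    print(analyse_sip_log(SAMPLE_LOG))
```

On a real box, feed it `open("/var/log/asterisk/full").read()` instead of the constructed sample; a source that appears in both "suspects" and "registered" is the one to report.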
LVL 1

Author Comment

by:DHTS
Thanks, I don't have much knowledge of the Linux CLI. The server has a web admin console (FreePBX) I can access; I'm trying to get the log files from the var directory. Is there an easy way via a browser or this FreePBX (is FreePBX Trixbox??)?

Also, on the home page of FreePBX it says "Warning: You are running freePBX and asterisk with the default manager pass. You should consider changing this to something else. (Help)

Warning: You are running freePBX and mysql with the default password (Help)"

To log in to the CLI (CentOS... is this Trixbox :), the root and maint passwords are changed and are not system default.

Sorry to be a pain, but I have to report to the directors why the system allowed someone to ring up over £1000 of international calls. I would have thought the telco provider would have blocked them sooner!

Can I retrieve the user/voicemail passwords for the CLI so I can see what they are?

Version of trixbox/freepbx/centos is:

CentOS release 4.4 (Final)
Kernel 2.6.9-34.0.2EL on an i686


Thank you.
LVL 1

Author Comment

by:DHTS
I've just gone through the FreePBX web interface, and under all the extensions there is a box that says... this device uses SIP technology, and the box underneath that's labelled "secret" has the extension number in. Is this the SIP password!! If so, do you think this is how they got access?

Also, is it possible to find out when and who created my extension 100 (the extension that was used to make all the international calls)? Would you say that someone got in via the web console and created an extension and connected to it? How could this happen if only UDP (all ports) were open to the Trixbox public IP?

Could they have got in via the server LAN card (HTTP) and got access to the VMware card of the Trixbox as they were in the same subnet, i.e. 192.168.0.1 and 192.168.0.100?

thanks

Dan
LVL 1

Author Comment

by:DHTS
Found the log files, there's hundreds. Below are some extracts. The highest day was 21/June.

Note extension 100 isn't a used extension, it just says test. None of the log files show the IP address of the call made, only the extension, i.e. SIP/100-09d71b10. The secure logs are empty or zero bytes.

Master.csv
----------
845xxxxxxx      672372752      from-internal      845xxxxxxx      SIP/100-09d71b10      SIP/outbound-09d91420      Playback      pls-try-call-later|noanswer      21/06/2010 23:45            21/06/2010 23:45      3      0      FAILED      DOCUMENTATION
845xxxxxxx      672372751      from-internal      845xxxxxxx      SIP/100-09d71b10      SIP/outbound-09d91420      Playback      pls-try-call-later|noanswer      21/06/2010 23:47            21/06/2010 23:47      3      0      FAILED      DOCUMENTATION

845xxxxxxx      672372751      from-internal      845xxxxxxx      SIP/100-09d5eb58      SIP/outbound-09d76d20      ResetCDR      w      21/06/2010 23:27      21/06/2010 23:28      21/06/2010 23:48      1210      1201      ANSWERED      DOCUMENTATION
845xxxxxxx      672372751      from-internal      845xxxxxxx      SIP/100-09d6c150      SIP/outbound-09d840a0      ResetCDR      w      21/06/2010 23:28      21/06/2010 23:28      21/06/2010 23:48      1214      1201      ANSWERED      DOCUMENTATION



Access_log (httpd)
-------------
92.240.68.152 - - [20/Jun/2010:16:11:37 +0100] "GET http://www.math.uga.edu/~johoff/toad.jpg HTTP/1.1" 404 296 "http://random.yahoo.com/fast/ryl" "webcollage/1.135a"
91.212.127.100 - - [21/Jun/2010:01:06:19 +0100] "GET http://allrequestsallowed.com/?PHPSESSID=5gh6ncjh00043YSMWRT_FFL%5CQF HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
61.161.142.62 - - [21/Jun/2010:10:29:03 +0100] "GET http://www.sina.com.cn/ HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
192.168.1.104 - - [21/Jun/2010:17:05:11 +0100] "GET /xmlservices/PhoneDirectory.php?locale=English_United_States&name=SEP001E4A0BACA9 HTTP/1.1" 200 500 "-" "Allegro-Software-WebClient/4.34"
190.152.88.114 - - [22/Jun/2010:16:10:17 +0100] "GET HTTP/1.1 HTTP/1.1" 400 305 "-" "Toata dragostea mea pentru diavola"
190.152.88.114 - - [22/Jun/2010:16:10:17 +0100] "GET /e107_files/e107.css HTTP/1.1" 404 296 "-" "Toata dragostea mea pentru diavola"


Error_log (httpd)
------------------
[Sun      Jun      27      04:02:07      2010]      [notice] Digest: generating secret for digest authentication ...
[Sun      Jun      27      04:02:07      2010]      [notice] Digest: done
[Sun      Jun      27      04:02:08      2010]      [notice] Apache/2.0.52 (CentOS) configured -- resuming normal operations
[Sun      Jun      27      07:39:47      2010]      [error] [client 92.242.4.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun      Jun      27      08:11:23      2010]      [error] [client 209.237.226.14] File does not exist: /var/www/html/mysql


The Trixbox is offline and is going to be rebuilt, so any personal information in the logs will be redundant and changed.

Sorry about the multiple posts.

Thanks

Dan
LVL 32

Accepted Solution

by:DrDamnit
DrDamnit earned 250 total points
If you don't have Linux knowledge, then the only thing you can do is reinstall the box.

Since you did not change the default user /pass, that means the hackers have not only gained access, but elevated privileges, and you no doubt have a root kit or a backdoor on the system because I guarantee they are maintaining access. Moreover, they now have access to your entire network via SSH tunnels. It is possible your ENTIRE network has been compromised.

Your only choice is to wipe the hard drive (or VM in this case) and completely re-install Trixbox on a clean setup.

I hate to be the bearer of this bad news, because it sucks, but without the skill set to fix the issue, a re-install is the only way to go. It's also faster.

Oh... and don't bother backing up your configs to restore them later, that will leave you open to attack again. You will need to actually re-setup the box. (Of course you could try it if you want to risk another 1,000 pounds in long distance.)

After you re-setup the box, I would highly advise that you harden the box. There is nothing wrong with having your Trixbox on a public IP, but leaving the DEFAULT password set is like having a pile of gold in your house, then removing all the doors and putting signs up in your front yard that say "Please don't take my free gold that is in my house. I don't own a gun and I am not home. I am trusting all of you out there to leave my gold alone. It's shiny and pretty and mine. Please no touchy..... and oh.... if you do take my gold, I won't be able to punish you, but instead I will have to tear my house down and rebuild it from scratch."

As far as the other machines on the network, if they have weak passwords, you are now the proud owner of an entire network audit.
LVL 11

Assisted Solution

by:yarwell
yarwell earned 250 total points
the "secret" on an extension is the password used to allow a SIP session to be established with that extension as the ID. The practice of putting the extension number in as the password is a big vulnerability as people can sniff for asterisk / trixbox servers and then attempt to register an extension.

The use of an extension to make calls may be the extent of the "hacking" - unless new extensions etc. were created. Did the relevant one exist before?

The messages below were fairly big clues; with passwords at default, anyone that could get access to the web interface could change stuff:

"also on the home page of freepbx it says  "Warning: You are running freePBX and asterisk with the default manager pass. You should consider changing this to something else. (Help)

Warning: You are running freePBX and mysql with the default password (Help)"
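As an added example (not code from the thread or from FreePBX), this Python audit parses a constructed fragment in the format FreePBX writes to /etc/asterisk/sip_additional.conf and flags every SIP peer whose "secret" equals its extension number, is purely numeric, or is shorter than the 16 characters suggested earlier in the thread. The file path, the extensions and the secrets are assumptions.

```python
# Constructed fragment in the format FreePBX writes to
# /etc/asterisk/sip_additional.conf; extensions and secrets are invented.
SAMPLE_CONF = """\
[100]
type=friend
secret=100          ; the pattern described in the thread

[200]
type=friend
secret=Banana

[201]
type=friend
secret=Xk7#pq2!Rm9@vT4z
"""

def parse_peers(conf):
    """Return {section: {key: value}} from Asterisk's INI-like syntax
    (both 'key=value' and 'key=>value'), dropping ';' comments."""
    peers, current = {}, None
    for raw in conf.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            peers[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            peers[current][key.strip()] = value.lstrip(">").strip()
    return peers

def weak_secret_findings(conf, min_len=16):
    """Flag peers whose secret equals the extension number, is numeric only,
    or is shorter than min_len (16, the length advised earlier in the thread)."""
    findings = {}
    for ext, opts in parse_peers(conf).items():
        secret = opts.get("secret", "")
        problems = []
        if secret == ext:
            problems.append("secret equals extension")
        if secret.isdigit():
            problems.append("numeric only")
        if len(secret) < min_len:
            problems.append(f"shorter than {min_len}")
        if problems:
            findings[ext] = problems
    return findings
```

Run `weak_secret_findings(open("/etc/asterisk/sip_additional.conf").read())` on the rebuilt box before it goes back on a public IP; an empty result means no extension is registrable with a guessable secret.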
LVL 32

Expert Comment

by:DrDamnit
Is there an update on this?
LVL 1

Author Comment

by:DHTS
Hi all, thanks for all your advice and comments. We have deleted the VM and are going to rebuild a new system. I've written my report and the directors are not happy!... Is FreePBX the best flavour/web GUI?

Ive shared points between you all.

Thanks again.
LVL 32

Expert Comment

by:DrDamnit
@DHTS:

You indicated that someone else installed the Trixbox for you. If someone needs to be thrown under the bus it would be the person who installed it for:

1. Not changing the default user / pass for you
2. Not educating you why it needs to be done.
3. Not nagging you to do it.

It's just plain negligence on their part.

Trixbox is fine (not my favorite flavor of Asterisk, but that's personal opinion). You just need to make sure you harden the box. The most basic steps of which I cover in an article on our company blog:

"Hackers Guide to Being Hacked: How “Bad Guys” Take Control, and How to Take it Back."

http://totalticketsystem.com/blog/technical-articles/hackers-guide-to-being-hacked-how-bad-guys-take-control-and-how-to-take-it-back/