My Trixbox seems to be hacked.

vk2012
Posts: 1
Member Since:
2012-02-07

Hello,

I got a call from someone saying that they had received a voice message from our number reporting a problem with a credit card... or credit card termination. I checked the call log and I am seeing some calls made by a remote extension.

2/2/12 17:30 SIP/194.73.113.96-0000042a unknown "unknown" s ANSWERED 13
2/2/12 17:30 SIP/194.73.113.96-0000042b unknown "unknown" s ANSWERED 13
2/2/12 17:30 SIP/194.73.113.96-0000042c unknown "unknown" s ANSWERED 13
2/2/12 17:30 SIP/194.73.113.96-0000042d unknown "unknown" s ANSWERED 13
2/2/12 17:30 SIP/194.73.113.96-0000042e unknown "unknown" s ANSWERED 13
2/2/12 17:30 SIP/194.73.113.96-0000042f unknown "unknown" s ANSWERED 13
2/2/12 17:30 SIP/194.73.113.96-00000430 unknown "unknown" s ANSWERED 13

My Trixbox is behind the firewall and the web interface is also not exposed to the public. I use a VPN to access the web interface.

I use a Comcast/SMC firewall and only port 5060 is open.

Does anyone know what may be wrong?



JimmLee
Posts: 14
Member Since:
2011-12-20
Your preventive measures are good

The preventive measures you specified are good and mostly keep hackers away, but sometimes a clever hacker can bypass them and enter the system. A group of VoIP engineers working at a US-based VoIP service provider, Axvoice, were engaged in the same kind of situation. Then, after research, a utility called fail2ban came to the rescue. Its working method is simple: it inspects your log files and blocks the specific IP which is originating such registration requests for the time period you specify. It has easy-to-understand and easy-to-change regex-style filtering for logs, as shown below:

# /etc/fail2ban/filter.d/asterisk.conf
# <HOST> is fail2ban's placeholder for the source address to ban; continuation
# lines of failregex must be indented.
[Definition]

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

ignoreregex =
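
As an added example (not code from any poster in this thread, nor from fail2ban itself), here is the matching logic behind the filter list above run over a few constructed Asterisk log lines: each failregex gets its <HOST> tag replaced by a capture group, matches are counted per source address, and a host is reported for banning once it reaches maxretry. The host group is a simplified version of fail2ban's, the findtime window is left out, and the sample log lines and addresses are constructed for the demo.

```python
"""Added example (not from the original thread): a fail2ban-style filter
run over constructed Asterisk log lines, to show what the failregex list
in the post matches and when fail2ban would ban a source address."""
import re
from collections import Counter

# fail2ban replaces the <HOST> tag in each failregex with a named capture
# group before compiling; this group is a simplified stand-in for its own.
HOST_GROUP = r"(?P<host>[\w\-.]+)"

# The failregex list from the post, with the <HOST> tag written out.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in FAILREGEX]

# Constructed sample log (not a real capture); addresses are from the
# documentation ranges. The last line is an answered call, not an
# authentication failure, so no pattern above can match it.
SAMPLE_LOG = """\
[Feb  2 17:29:51] NOTICE[2740] chan_sip.c: Registration from '"100"<sip:100@10.0.0.5>' failed for '198.51.100.23' - Wrong password
[Feb  2 17:29:52] NOTICE[2740] chan_sip.c: Registration from '"101"<sip:101@10.0.0.5>' failed for '198.51.100.23' - No matching peer found
[Feb  2 17:29:53] NOTICE[2740] chan_sip.c: Registration from '"102"<sip:102@10.0.0.5>' failed for '198.51.100.23' - Wrong password
[Feb  2 17:29:55] NOTICE[2740] chan_sip.c: Registration from '"200"<sip:200@10.0.0.5>' failed for '203.0.113.9' - Wrong password
[Feb  2 17:30:01] VERBOSE[2740] logger.c:     -- Executing [s@default:1] Answer("SIP/203.0.113.44-0000042a", "") in new stack
"""


def match_failures(log_text):
    """Return (host, line) for every line matching one of the failregex
    patterns, i.e. how fail2ban attributes a failure to a source address."""
    hits = []
    for line in log_text.splitlines():
        for rx in COMPILED:
            m = rx.search(line)
            if m:
                hits.append((m.group("host"), line))
                break  # one failure per line, whichever pattern hit first
    return hits


def hosts_to_ban(log_text, maxretry=3):
    """Hosts whose failure count reached maxretry over the whole log.
    Real fail2ban also limits the count to a findtime window."""
    counts = Counter(host for host, _ in match_failures(log_text))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for host, line in match_failures(SAMPLE_LOG):
        print(f"{host}: {line[:70]}...")
    print("ban:", hosts_to_ban(SAMPLE_LOG))
```

With the default maxretry of 3, only 198.51.100.23 is banned; 203.0.113.9 failed once and stays below the threshold, and the answered call from 203.0.113.44 never enters the count because nothing about it is logged as a NOTICE failure.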



obeliks
Posts: 878
Member Since:
2010-03-14
The calls did not come from

The calls did not come from a registered peer, so fail2ban would be useless.
More info at http://forums.asterisk.org/viewtopic.php?p=159984
The real question is why port 5060 is exposed to external traffic?
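
As an added example, not taken from the thread or from the linked forum post: the Asterisk sip.conf settings that decide whether an INVITE from an unknown host is accepted at all. A failed registration or authentication is logged as a NOTICE that a log-based tool can see; a guest call that is simply answered is logged like any other call, which is the distinction the post above draws. The weak block shows Asterisk's shipped defaults; the context name and the two-line dialplan are assumptions for illustration, not settings read from the original poster's box.

```ini
; Added example: Asterisk sip.conf / extensions.conf settings, not
; configuration taken from the original poster's Trixbox.

; --- Weak: Asterisk's shipped defaults, inherited unless overridden.
; --- Any host that can reach UDP/5060 may place a call into [default]
; --- without authenticating, and it is logged as an ordinary call.
; [general]
; allowguest=yes
; context=default

; --- Hardened sip.conf: refuse unauthenticated INVITEs, answer unknown
; --- and known users identically, and dead-end whatever is still let in.
[general]
allowguest=no             ; INVITE from a host matching no peer is refused
alwaysauthreject=yes      ; same reply for unknown user and wrong password
context=from-sip-external ; assumed context name for anything still accepted

; --- extensions.conf (assumed dialplan for that context): log the
; --- attempt and hang up; never route it toward an outbound trunk.
[from-sip-external]
exten => s,1,NoOp(Unauthenticated SIP call on ${CHANNEL})
exten => s,n,Hangup()
```

After changing sip.conf, reload it (sip reload from the Asterisk CLI) and confirm with a test INVITE from an address that matches no peer that the call is now refused rather than answered; with the weak settings the same test is answered and appears in the CDR with the caller's IP address in the channel name, as in the log at the top of the thread.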



frederic
Posts: 14
Member Since:
2009-04-04
If you're going to expose

If you're going to expose 5060 to external traffic, you need to be selective about it rather than allowing "everyone".

You probably have something like this:

iptables -A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT   # SIP from anyone

What you want to do is add the specific IP addresses:

iptables -A INPUT -i eth0 -p udp -m udp --dport 5060 -s xxx.xxx.xxx.xxx -j ACCEPT   # SIP from one source only

For each remote SIP phone, you would add one of those lines, with xxx.xxx.xxx.xxx replaced by the static IP address of the remote user.

If they are getting a DHCP address from their ISP, you can google the IP ranges associated with that ISP and open them as a range, expressed as subnet/mask (xxx.xxx.xxx.xxx/mm).

Of course doing so exposes your Trixbox to that entire ISP, which increases your exposure.

Another, and better, option is to enforce a company policy requiring VPN hardware at each site, such as the D-Link DIR-330, where your remote users plug that into the firewall/router from their ISP, then connect through it. You'll need a VPN server on your side, but then your users can connect securely and safely to the PRIVATE side of your LAN, access the Trixbox, and thus you never have to publicly expose your Trixbox again.


