Severe security warning - Extensions with matching secret

kerryg
Posts: 6790
Member Since:
2006-05-31

There are some new scripts out in the wild that are attacking Asterisk-based systems. These scripts attempt to authenticate to your SIP extensions. If you have configured your extensions with the secret being the same as the extension number and you have SIP or IAX2 exposed to the internet, then your system is vulnerable.

What happens is that the scripts connect and find extensions that they can log in as, then calls start getting made through your system. This can seriously rack up your phone charges.

Although we have not seen this with IAX2 extensions, it's just a matter of time before the hackers start going after that as well.

It is mandatory that everyone go through their extensions immediately and make sure you change your secrets from being the same as the extensions to preferably some strong password.

--

Kerry Garrison
http://www.VoipStore.com - http://3cxbook.com
(888) VOIPSTORE - (888) 864-7786
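As an added example (not code from the original post, trixbox or Asterisk), the check below parses a sip.conf-style file (iax.conf uses the same section syntax) and flags every extension whose secret equals the extension number, is missing, or is short or digits-only; the sample config is constructed, and template inheritance via `[name](template)` is not resolved.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in sip.conf syntax; not taken from any real system.
SAMPLE_SIP_CONF = """\
[general]
context=default
allowguest=no

[1001]
type=friend
secret=1001          ; secret equals the extension number
host=dynamic

[1002]
type=friend
secret=gX7!pq2Lw9#vT
host=dynamic

[1003]
type=friend
host=dynamic         ; no secret at all
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\](\(.*\))?\s*$")

def parse_sip_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Asterisk-style sections: returns {section: {key: value}}.
    The [general] section and template sections marked (!) are skipped."""
    peers: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip ';' comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name, flags = m.group(1), m.group(2) or ""
            current = None if (name == "general" or "!" in flags) else name
            if current is not None:
                peers[current] = {}
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            peers[current][key.strip().lower()] = value.strip()
    return peers

def audit_secrets(peers: Dict[str, Dict[str, str]], min_len: int = 8) -> List[Tuple[str, str]]:
    """Return (extension, reason) pairs for every peer with a missing or weak secret."""
    findings = []
    for name, opts in peers.items():
        secret = opts.get("secret", "")
        if not secret:
            findings.append((name, "no secret set"))
        elif secret == name:
            findings.append((name, "secret equals extension number"))
        elif secret.isdigit() or len(secret) < min_len:
            findings.append((name, "weak secret (short or digits only)"))
    return findings
```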



UncleWard
Posts: 358
Member Since:
2006-05-31
Sample Script

Here is a Fail2Ban script and setup which we implemented for PBX in a Flash users in response to Kerry's post. Hopefully, it will assist someone here in creating something similar for the trixbox community...

http://pbxinaflash.com/forum/showthread.php?t=2379&page=3



lowbug
Posts: 27
Member Since:
2008-08-16

Hi,

Stupid question: on a trixbox, is this the VM password, the web one, or the extension one, and how do I change the extension one? :)



kerryg
Posts: 6790
Member Since:
2006-05-31

It's the "secret" associated with the extension.

--

Kerry Garrison
http://www.VoipStore.com - http://3cxbook.com
(888) VOIPSTORE - (888) 864-7786



UncleWard
Posts: 358
Member Since:
2006-05-31
Security Tips for Asterisk Systems

See today's Nerd Vittles article for some additional security tips in hardening your Asterisk system.



Bruce
Posts: 134
Member Since:
2006-06-12

Hi guys,

Anything on the dialplan injection vulnerability recently posted by Digium? Maybe a good tutorial posted here will help everyone with that as well.

http://seclists.org/fulldisclosure/2010/Feb/349

-Bruce



quickphone
Posts: 79
Member Since:
2006-08-05
info

Hi

Today I was a victim of this and they took me for about 40 euro. Since I use it on a local LAN, I have disabled the ports for the outside network, and I would like to know: can they attack me again even if they don't see the server?



SkykingOH
Posts: 9541
Member Since:
2007-12-17
Quote:
I would like to know: can they attack me again even if they don't see the server?

They can't. You must have something opened up.

--

Scott

aka "Skyking"



quickphone
Posts: 79
Member Since:
2006-08-05

I have closed all ports, installed fail2ban and changed my public IP address with my provider. I think I will be safe, or we will see :)


