Close
SUBSCRIBE TO TMCnet
TMCnet - World's Largest Communications and Technology Community

TMC NEWS

TMCNET eNEWSLETTER SIGNUP

Asterisk Hack Post-mortem
[January 11, 2012]

Asterisk Hack Post-mortem

Chief Technology Officer and Executive Editor
 
Originally posted on VoIP & Gadgets Blog, here: http://blog.tmcnet.com/blog/tom-keating/asterisk/asterisk-hack-post-mortem.asp.

masked-hacker-with-hat.jpg
Having your production Asterisk (News - Alert)-based phone system hacked is no fun, as I have learned from first-hand experience over the past few days. Even the best of IT administrators taking ever security precaution in the book dreads the day their critical server gets hacked. You hope you've done everything possible to stop your servers from being hacked, but you are never 100% sure. There is always some hacker smarter than you, but more importantly, smarter than the best security practices you put in place. Hackers always seem to find a new hole to exploit.

Since I spent the last couple days poring through the Linux system logs and the Asterisk logs, I thought I'd do a detailed post-mortem for the benefit of other Asterisk users. Let us begin...

The first sign of trouble was a few months ago when our international calling was blocked by our service provider for suspicious international calls to Middle East countries. I investigated the Asterisk-based server for any SIP credentials that were easily attacked. There was only a couple of SIP credentials (test softphone accounts) with slightly easily guessed SIP credentials, however it didn't appear these accounts were using in the hacks since the CDR records didn't show these fraudulent calls as coming from these accounts.  I changed the SIP passwords anyway just to be safe. To be double sure, I had technical support login to the box and make sure everything was secure. They did see some calls being made from the Asterisk CLI and technical support suggested I change the 'root' password, which I did even though it was a long password. They didn't see anything else out of the ordinary, but they obviously missed something since a month later we were hit again...

I was notified that our phone service provider had put a temporary block on international calling. I checked a system file and saw this scary command run on Saturday:

Jan  7 15:05:31 asterisk userhelper[305]: running '/sbin/reboot -f' with root privileges on behalf of 'root'

Bastard hacker rebooted my Asterisk server! Well, at least he was considerate enough to do it on a weekend when the office is closed. Next, I pored through the CDR records on Monday (1/9/12) and indeed I confirmed fraudulent calls being made on a Saturday (1/7/12) when the office was closed.

Here's a sampling:

'','','9011901140720740717','international','','OSS/dsp','Zap/25-1','Busy','','2011-12-07 04:29:13',,'2011-12-07 04:29:20',7,0,'NO ANSWER','DOCUMENTATION'

'','','s','incoming','','Zap/2-1','','Dial','Zap/g1/01138765063921','2012-01-07 15:00:52',,'2012-01-07 15:00:52',0,0,'FAILED','DOCUMENTATION'

'','','900212641869513','international','','OSS/dsp','SIP/skypetrunk-0945e380','Dial','SIP/skypetrunk/00212641869513','2012-01-07 03:08:05','2012-01-07 03:08:16','2012-01-07 03:08:30',25,14,'ANSWERED','DOCUMENTATION'

'','','900212641869534','international','','OSS/dsp','SIP/skypetrunk-08926d10','Dial','SIP/skypetrunk/00212641869534','2012-01-07 03:11:53','2012-01-07 03:12:02','2012-01-07 03:12:31',38,29,'ANSWERED','DOCUMENTATION'

'','','','incoming','','SIP/skypetrunk-08629a78','','Wait','360000','2012-01-07 03:32:39',,'2012-01-07 03:42:39',600,0,'ANSWERED','DOCUMENTATION'

'','','900212641869534','international','','OSS/dsp','SIP/skypetrunk-0874dc90','Dial','SIP/skypetrunk/00212641869534','2012-01-07 03:51:10','2012-01-07 03:51:19','2012-01-07 03:52:06',56,47,'ANSWERED','DOCUMENTATION'

I bolded a couple of the CDRs above. You'll notice the hacker hit both our PRI truk (Zap/g1) and our Skype SIP trunk. Well, at least he's an equal opportunity hacker attacking all our trunks! Hack our traditional PRI, ok, I can accept that, but attacking my beloved Skype (News - Alert)? Unacceptable! shame-on-you


It was pretty simple to discover which calls were fraudulent. I simply ran this command below which searches for 'OSS/dsp' in the CDR folder. This will display any Asterisk CLI (command line) commands being executed. Other than voicemail access you shouldn't see anything. If you do, you've likely been hacked:

Continue reading Asterisk Hack Post-mortem...


Tags: , , , , , , , , , , , Related tags: , , , , ,

Related Entries
  • Microsoft Lync 2010, Asterisk & Skype Integration Tutorial - Dec 28, 2011
    lync-asterisk-skype.jpg
  • AstriCon VoIP Security - $400,000 toll fraud - YIKES! - Oct 26, 2011
    astricon-2011-logo.jpg
  • Top 20 VoIP Innovators of All Time - Jun 13, 2011
    voip.jpg
  • Skype for Asterisk Killed - The Lowdown - May 25, 2011
    skype-for-asterisk-killed.jpg
  • Oxford Hair Academy Selects Freetalk Connect - Mar 16, 2011
    mansion-oxford-hair-academy-cafe.jpg
  • FREETALK Connect Review - Dec 15, 2010
    freetalk-messages.jpg
  • Cracking IP-PBX SIP Passwords - Be Afraid! - Jun 28, 2010
    chris-lyman.jpg
  • ShoreTel Lands 1st 'Skype for SIP' interoperability - Sep 09, 2009
  • Finally! New Windows Mobile App AudioRoute Enables Earpiece for VoIP Apps - Mar 26, 2009
    audioroute-windows-mobile-12020.jpg
  • Build your own SIP-to-Skype gateway using Asterisk - Feb 17, 2009
    TrackBacks | Comments | Tag with del.icio.us | VoIP & Gadgets Blog Home | Permalink: Asterisk Hack Post-mortem

     



  • [ Back To TMCnet.com's Homepage ]





    LATEST VIDEOS

    DOWNLOAD CENTER

    UPCOMING WEBINARS

    MOST POPULAR STORIES





    Technology Marketing Corporation

    800 Connecticut Ave, 1st Floor East, Norwalk, CT 06854 USA
    Ph: 800-243-6002, 203-852-6800
    Fx: 203-866-3326

    General comments: tmc@tmcnet.com.
    Comments about this site: webmaster@tmcnet.com.

    STAY CURRENT YOUR WAY

    © 2014 Technology Marketing Corporation. All rights reserved.