
Constant hacking


colink


Having an ongoing battle that I'm struggling to win.

I have a customer running a SnomOne PBX and one extension (102) is getting hacked on a regular basis.

I'm at a loss on how to proceed with this one.

 

Some info..

 

All passwords (PBX admin / extension / handsets) are 12-char randomly generated.

All extension registrations are locked to MAC address and a single concurrent registration.

Trunk has an outbound proxy set up.

The user's handset doesn't show any logs of having made the calls.

 

PBX is running the latest version 2011-4.2.0.3981 (Win32)

 

I can't for the life of me work out how someone is logging onto the PBX using the extension 102.

As it's locked to MAC and 1 concurrent reg, which is being used by the Snom handset on site.

 

Where can I look to try and diagnose the issue further?

 

Cheers

Colin.


So what do you mean by "hacked"? Someone making unauthorized phone calls from this extension?

 

Ideas why:

 

  • The real password leaked out. For example, if the attacker has access to the file system, all security is rendered useless.
  • If the provisioning got hacked, you would see the generated files for the extension in the file system (the "generated" directory).
  • You can see in the CDR the IP address where the call was initiated from. That might help you find the source of the problem. If necessary, you can blacklist that address or the whole subnet.



Yes as in someone is making calls from that extension.

The real password leaked out

I'm as confident as I can be that the passwords are secure.

The OS is only accessible via VPN and has a fairly robust password of its own.

I change the passwords each time the extension is hacked and it doesn't seem to make a vast difference.

 

If the provisioning got hacked, you would see the generated files for the extension in the file system (the "generated" directory)

As I never set up the system I can't say with any certainty that a secure and complex password was used and/or that provisioning was used. I will set an appropriate password now.

 

When I look in the generated folder I do see a folder named "40".

The user of extension 102 has a Snom whose IP ends in x.x.x.40.

Is this a match?

 

Is there anything I can read within that folder that would indicate if it's moody or not?

FYI, the file creation dates in that folder are all very old (08/10/2010).

 

If provisioning was hacked, would that override the limit registration to MAC address of the handset?

 

Cheers

Colin.


When I look in the generated folder I do see a folder named "40".

The user of extension 102 has a Snom whose IP ends in x.x.x.40.

Is this a match?

 

No. This would be in the folder "102".

 

If provisioning was hacked, would that override the limit registration to MAC address of the handset?

 

No. That can also not be the point.

 

I would cd into the cdre directory and search for an entry which matches the extension, e.g. 102@bla.com. Then you can see what IP address that was coming from, and potentially blacklist that.


Cheers for your help on this matter.

 

I'm looking in the CDRE folder and have found an entry relating to one of the calls.

I'm not sure how to read the file or interpret it correctly.

 

In Notepad the file reads:

 

TLVB c

1298257126.17 cid e80568532856314b ct d d 1 e 1298257218.252 f %"Linda 102" <sip:102@pbx.company.com> i e80568532856314b o I p udp:188.161.235.136:6960 r #<sip:0038733960085@pbx.company.com> s 1298257119.298 t #<sip:0038733960085@pbx.company.com> u 3 vq ÍVQSessionReport: CallTerm

LocalMetrics:

Timestamps:START=2011-02-21T02:58:46Z STOP=2011-02-21T03:00:18Z

CallID:e80568532856314b

FromID:<sip:102@91.151.14.189>;tag=8e11e100

ToID:<sip:0038733960085@91.151.14.189>;tag=131596bb83

SessionDesc:PT=8 PD=pcma SR=8000 FD=20 FO=160 FPP=1 PPS=50 PLC=3

LocalAddr:IP=192.168.10.3 PORT=57598 SSRC=0xfc0e0e8a

RemoteAddr:IP=0.0.0.0 PORT=0 SSRC=0x

x-UserAgent:snom-PBX/2011-4.2.0.3981

x-SIPterm:SDC=OK SDD=214 SDR=OR

y extcall

 

I suppose the suspect IP in there is 188.161.235.136,

which is in Palestine.

 

I can blacklist this IP address.

But this doesn't address the initial issue of how they were able to register the extension in the first instance.
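The earlier reply suggested going through the cdre directory for records matching the extension and reading off the address the call came from. Below is that triage written out as an added example; it is not snom ONE's own code and was not posted in this thread. It regex-parses only the text fields visible in the record above (the "cid" call id, the "f" From and "t" To URIs, the "p udp:IP:port" peer address that the thread treats as the call's origin, and the VQ "Timestamps:" line) and reports calls placed as extension 102 whose signalling arrived from outside an allow-list. The allow-list (the 192.168.10.0/24 LAN seen in the record's LocalAddr plus a placeholder provider range) is an assumption, the other single-letter CDR fields are not interpreted, and the second sample record is constructed for contrast.

```python
"""Find calls placed as a given extension from outside trusted networks,
working from snom ONE-style CDR text.

Added example, not snom ONE code. Only the fields visible in the posted
record are parsed; the allowed networks below are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Optional

ALLOWED_NETWORKS = [
    ipaddress.ip_network("192.168.10.0/24"),  # assumed: site LAN (LocalAddr in the record)
    ipaddress.ip_network("203.0.113.0/24"),   # assumed: SIP trunk provider (RFC 5737 placeholder)
]

CID_RE = re.compile(r"\bcid ([0-9a-f]+)")
SRC_RE = re.compile(r"\bp (?:udp|tcp|tls):(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")  # "p" = peer address
FROM_RE = re.compile(r'\bf (?:%"[^"]*" )?<sip:([^@>]+)@[^>]+>')
TO_RE = re.compile(r"\bt #?<sip:([^@>]+)@[^>]+>")
TIME_RE = re.compile(r"Timestamps:START=(\S+) STOP=(\S+)")

# Constructed sample: the record from the thread (binary TLV header dropped)
# and a made-up legitimate call from the on-site handset at 192.168.10.40.
SAMPLE_RECORDS = [
    '1298257126.17 cid e80568532856314b ct d d 1 e 1298257218.252 '
    'f %"Linda 102" <sip:102@pbx.company.com> i e80568532856314b o I '
    'p udp:188.161.235.136:6960 r #<sip:0038733960085@pbx.company.com> '
    's 1298257119.298 t #<sip:0038733960085@pbx.company.com> u 3 vq VQSessionReport: CallTerm\n'
    'LocalMetrics:\nTimestamps:START=2011-02-21T02:58:46Z STOP=2011-02-21T03:00:18Z\n'
    'CallID:e80568532856314b\n',
    '1298300000.00 cid 0123456789abcdef ct d d 1 e 1298300060.000 '
    'f %"Linda 102" <sip:102@pbx.company.com> i 0123456789abcdef o I '
    'p udp:192.168.10.40:2048 r #<sip:0123456789@pbx.company.com> '
    's 1298299995.000 t #<sip:0123456789@pbx.company.com> u 3 vq VQSessionReport: CallTerm\n'
    'LocalMetrics:\nTimestamps:START=2011-02-21T14:53:20Z STOP=2011-02-21T14:54:20Z\n',
]


@dataclass
class CallRecord:
    call_id: Optional[str]
    from_user: Optional[str]
    to_user: Optional[str]
    src_ip: Optional[str]
    src_port: Optional[int]
    start: Optional[str]
    stop: Optional[str]


def _first(rx: "re.Pattern[str]", text: str) -> Optional[str]:
    m = rx.search(text)
    return m.group(1) if m else None


def parse_record(text: str) -> CallRecord:
    """Pull the handful of fields we need out of one CDR record (text form)."""
    src = SRC_RE.search(text)
    times = TIME_RE.search(text)
    return CallRecord(
        call_id=_first(CID_RE, text),
        from_user=_first(FROM_RE, text),
        to_user=_first(TO_RE, text),
        src_ip=src.group(1) if src else None,
        src_port=int(src.group(2)) if src else None,
        start=times.group(1) if times else None,
        stop=times.group(2) if times else None,
    )


def source_is_allowed(ip: str, allowed=ALLOWED_NETWORKS) -> bool:
    """True when the signalling source lies inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def suspicious_calls(records: Iterable[str], extension: str,
                     allowed=ALLOWED_NETWORKS) -> List[CallRecord]:
    """Calls placed as `extension` whose signalling came from outside `allowed`."""
    hits = []
    for raw in records:
        rec = parse_record(raw)
        if rec.from_user != extension or rec.src_ip is None:
            continue
        if not source_is_allowed(rec.src_ip, allowed):
            hits.append(rec)
    return hits


def read_cdr_directory(path: str) -> List[str]:
    """Read every file in the PBX's cdre directory. The files carry a binary
    TLV header, so decode leniently; the regexes only need the printable fields."""
    return [p.read_bytes().decode("latin-1") for p in Path(path).iterdir() if p.is_file()]


def report(records: Iterable[str], extension: str) -> List[str]:
    """One line per suspicious call: when, to which number, from which address."""
    return [f"{r.start or '?'} ext {r.from_user} -> {r.to_user} "
            f"from {r.src_ip}:{r.src_port} (call-id {r.call_id})"
            for r in suspicious_calls(records, extension)]


if __name__ == "__main__":
    # On the PBX host, swap SAMPLE_RECORDS for read_cdr_directory(r"C:\path\to\cdre").
    for line in report(SAMPLE_RECORDS, "102"):
        print(line)
```

Run against the real cdre directory, the output is the list of source addresses to blacklist and, more usefully, the pattern of times and destinations behind the fraud; the allow-list check is what separates the on-site handset's calls from the ones registered from outside.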


1) The bind to MAC address does not isolate that extension to that MAC address. It is just used for PnP. The field above it, IP address, does do this, so if extension 102 comes from a static IP address then you can enter it here and ONLY that IP address will be able to register. How they initially cracked the account is anyone's guess. If they were trying to guess the password very slowly then I don't think the access list would catch it if the number of unsuccessful attempts did not hit the threshold. Since it is happening only on one extension it sounds like they kept trying to guess that extension. So you don't have any remote phones on the system and they are all only local? Are there any PnP files in the generated directory for 102? I didn't see that answer. If they had the HTTP password for extension 102 then they would be able to do WAN-based PnP without the MAC address being correct, since they would be able to log in.
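The slow-guessing possibility raised in this post is exactly what a per-minute failure threshold misses. The script below is an added example (not snom ONE code, and nothing the poster supplied): it counts failed REGISTERs per source address over a sliding window and shows that the same events that never reach 5 failures in any one minute do reach 10 in an hour. The log line format is constructed for the example, so adapt LOG_RE to whatever your PBX actually writes; the attacker address 198.51.100.23 is an RFC 5737 test address, and the on-site handset address 192.168.10.40 is taken from the thread.

```python
"""Detect REGISTER password guessing paced to stay under a per-minute threshold.

Added example, not snom ONE code. The log format is constructed: one line
per failed registration with UTC time, target user and source IP.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"REGISTER auth failed user=(?P<user>\S+) src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

Event = Tuple[datetime, str, str]  # (time, target user, source ip)


def build_sample_log() -> List[str]:
    """Constructed log: 30 guesses against 102 from one outside address, one
    every six minutes, plus two quick mistypes from the on-site handset."""
    t0 = datetime(2011, 2, 20, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = [f"{(t0 + timedelta(minutes=6 * n)).strftime(fmt)} "
             f"REGISTER auth failed user=102 src=198.51.100.23" for n in range(30)]
    for secs in (0, 30):
        lines.append(f"{(t0 + timedelta(hours=8, seconds=secs)).strftime(fmt)} "
                     f"REGISTER auth failed user=102 src=192.168.10.40")
    return lines


def parse_failures(lines: Iterable[str]) -> List[Event]:
    """Keep only failed-REGISTER lines, parsed into (time, user, ip)."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["ip"]))
    return events


def sliding_window_hits(events: Iterable[Event], window_seconds: int,
                        threshold: int) -> Dict[str, int]:
    """Per source IP, the most failures falling inside any interval shorter
    than `window_seconds`; only sources reaching `threshold` are returned."""
    window = timedelta(seconds=window_seconds)
    by_src: Dict[str, List[datetime]] = defaultdict(list)
    for ts, _user, ip in events:
        by_src[ip].append(ts)
    hits = {}
    for ip, times in by_src.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] >= window:  # drop events that fell out of the window
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


def targets_by_source(events: Iterable[Event]) -> Dict[str, Set[str]]:
    """Which users each source has been failing against. One extension hammered
    from an address that is not that user's phone is the pattern in this thread."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for _ts, user, ip in events:
        out[ip].add(user)
    return dict(out)


if __name__ == "__main__":
    evts = parse_failures(build_sample_log())
    print("1-minute window, threshold 5 :", sliding_window_hits(evts, 60, 5))
    print("1-hour window,   threshold 10:", sliding_window_hits(evts, 3600, 10))
    print("targets by source            :", targets_by_source(evts))
```

The per-minute pass returns nothing, which is the access-list blind spot described above; the per-hour pass names the outside address, and the target summary shows it only ever tried extension 102. Feed it the PBX's own authentication-failure log once the regex matches that format.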



Hi.

 

They did not use PnP, as there was no folder 102 in the generated folder.

All of the phones are internal and on static IPs, so I will make that change now.

 

I will also check HTTP access to make sure the passwords are complex enough.

 

Cheers

Colin.


Colin,

 

Since you're fighting an attack, the article I wrote on SIP hacking might be of interest to you:

http://windowspbx.blogspot.com/2010/10/someone-is-attempting-to-hack-into-your.html

If anyone has any more items to add to the list of tips, I'd be glad to hear them.

 

On a less serious note--the title "constant hacking" evokes edbassmaster character. "the hacker" ;-)



Colin, a few months ago we went through a period where we would have 300 or so blacklisted IP addresses a day. The easy way to avoid that is to ALLOW your internal subnet that the phones are on and, if you have a SIP provider, allow them as well. Then blacklist everything else.

 

Cheers,

Tom
