colink Posted February 21, 2011

Having an ongoing battle that I'm struggling to win. Have a customer running a SnomOne PBX and one extension (102) is getting hacked on a regular basis. I'm at a loss on how to proceed with this one. Some info:

All passwords (PBX admin / extension / handsets) are 12 char randomly generated.
All extension registrations are locked to MAC address and a single concurrent registration.
Trunk has an outbound proxy set up.
The user's handset doesn't show any logs of having made the calls.
PBX is running the latest version 2011-4.2.0.3981 (Win32).

I can't for the life of me work out how someone is logging onto the PBX using the extension of 102, as it's locked to MAC and 1 concurrent reg, which is being used by the Snom handset on site. Where can I look to try and diagnose the issue further?

Cheers, Colin.
Vodia PBX Posted February 21, 2011

So what do you mean by "hacked"? Someone making unauthorized phone calls from this extension? Ideas why:

The real password leaked out. For example, if the attacker has access to the file system, all security is rendered useless.
If the provisioning got hacked, you would see the generated files for the extension in the file system (the "generated" directory).
You can see in the CDR the IP address where the call was initiated from. That might help you find the source of the problem. If necessary, you can blacklist that address or the whole subnet.
colink Posted February 21, 2011 (Author)

> So what do you mean by "hacked"? Someone making unauthorized phone calls from this extension? Ideas why: The real password leaked out. For example, if the attacker has access to the file system, all security is rendered useless. If the provisioning got hacked, you would see the generated files for the extension in the file system (the "generated" directory). You can see in the CDR the IP address where the call was initiated from. That might help you find the source of the problem. If necessary, you can blacklist that address or the whole subnet.

Yes, as in someone is making calls from that extension.

> The real password leaked out

I'm as confident as I can be that the passwords are secure. The OS is only accessible via VPN and has a fairly robust password of its own. I change the passwords each time the extension is hacked and it doesn't seem to make a vast difference.

> If the provisioning got hacked, you would see the generated files for the extension in the file system (the "generated" directory)

As I never set up the system I can't say with any certainty that a secure and complex password was used and/or that provisioning was used. I will set an appropriate password now. When I look in the generated folder I do see a folder named "40". The user of the extension 102 has a snom which ends with the IP x.x.x.40; is this a match? Is there anything I can read within that folder that would indicate if it's moody or not? FYI, the file creation dates in that folder are all very old, 08/10/2010.

If provisioning was hacked, would that override the limit registration to MAC address of the handset?

Cheers, Colin.
Vodia PBX Posted February 21, 2011

> When I look in the generated folder I do see a folder named "40". The user of the extension 102 has a snom which ends with the IP x.x.x.40; is this a match?

No. This would be in the folder "102".

> If provisioning was hacked, would that override the limit registration to MAC address of the handset?

No. That can also not be the point. I would cd into the cdre directory and search for an entry which matches the extension, e.g. 102@bla.com. Then you can see what IP address that was coming from, and potentially blacklist that.
colink Posted February 21, 2011 (Author)

Cheers for your help on this matter. I'm looking in the CDRE folder and have found an entry relating to one of the calls. I'm not sure how to read the file or interpret it correctly. In Notepad the file reads:

    TLVB
    c 1298257126.17
    cid e80568532856314b
    ct
    d 1
    e 1298257218.252
    f %"Linda 102" <sip:102@pbx.company.com>
    i e80568532856314b
    o I
    p udp:188.161.235.136:6960
    r #<sip:0038733960085@pbx.company.com>
    s 1298257119.298
    t #<sip:0038733960085@pbx.company.com>
    u 3
    vq VQSessionReport: CallTerm LocalMetrics: Timestamps:START=2011-02-21T02:58:46Z STOP=2011-02-21T03:00:18Z CallID:e80568532856314b FromID:<sip:102@91.151.14.189>;tag=8e11e100 ToID:<sip:0038733960085@91.151.14.189>;tag=131596bb83 SessionDesc:PT=8 PD=pcma SR=8000 FD=20 FO=160 FPP=1 PPS=50 PLC=3 LocalAddr:IP=192.168.10.3 PORT=57598 SSRC=0xfc0e0e8a RemoteAddr:IP=0.0.0.0 PORT=0 SSRC=0x x-UserAgent:snom-PBX/2011-4.2.0.3981 x-SIPterm:SDC=OK SDD=214 SDR=OR
    y extcall

I suppose the suspect IP in there is 188.161.235.136, which is from the Palestinian Territory. I can blacklist this IP address, but this doesn't address the initial issue of how they were able to register the extension in the first instance.
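The record above is a flat tag/value line, and the field that answers the question is "p": the transport, address and port of the SIP peer that placed the call. The following Python is an added example, not code from the page, from SnomOne or from Vodia. Its tag list is inferred from this one record (the product's real schema is not documented here, so a display name that happened to equal a tag would mis-split), the stray byte before "VQSessionReport" is dropped, and the 192.168.10.0/24 phone subnet comes from the follow-up post. It splits the line into fields, pulls out caller, callee, duration and source address, and flags any call from an internal-only extension whose source is outside that subnet. The second record is constructed for contrast.

```python
import ipaddress
import re

# Sample input: the cdre record pasted above, re-joined into the single line
# Notepad showed (the stray byte before "VQSessionReport" is dropped).
SAMPLE_CDR = (
    "TLVB c 1298257126.17 cid e80568532856314b ct d 1 e 1298257218.252 "
    'f %"Linda 102" <sip:102@pbx.company.com> i e80568532856314b o I '
    "p udp:188.161.235.136:6960 r #<sip:0038733960085@pbx.company.com> "
    "s 1298257119.298 t #<sip:0038733960085@pbx.company.com> u 3 "
    "vq VQSessionReport: CallTerm LocalMetrics: "
    "Timestamps:START=2011-02-21T02:58:46Z STOP=2011-02-21T03:00:18Z "
    "CallID:e80568532856314b FromID:<sip:102@91.151.14.189>;tag=8e11e100 "
    "ToID:<sip:0038733960085@91.151.14.189>;tag=131596bb83 "
    "SessionDesc:PT=8 PD=pcma SR=8000 FD=20 FO=160 FPP=1 PPS=50 PLC=3 "
    "LocalAddr:IP=192.168.10.3 PORT=57598 SSRC=0xfc0e0e8a "
    "RemoteAddr:IP=0.0.0.0 PORT=0 SSRC=0x x-UserAgent:snom-PBX/2011-4.2.0.3981 "
    "x-SIPterm:SDC=OK SDD=214 SDR=OR y extcall"
)

# Constructed record (not from the page) for a call placed by an on-site phone.
INTERNAL_CDR = (
    "TLVB c 1298260000.0 cid abc123 d 1 e 1298260030.0 "
    'f "Bob 105" <sip:105@pbx.company.com> i abc123 o I '
    "p udp:192.168.10.45:5060 t #<sip:01234567@pbx.company.com> u 3 y extcall"
)

# Field tags observed in the pasted record. Assumption: a field starts at one of
# these tokens and runs until the next tag token.
KEYS = {"c", "cid", "ct", "d", "e", "f", "i", "o", "p", "r", "s", "t", "u", "vq", "y"}

# The only subnet legitimate phones register from (given later in the thread).
LOCAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]

SIP_URI = re.compile(r"<sip:([^@>;]+)@([^>;]+)>")
PEER = re.compile(r"^(udp|tcp|tls):(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def parse_cdr(record):
    """Split one TLVB line into {tag: value}; multi-token values are re-joined."""
    tokens = record.split()
    if not tokens or tokens[0] != "TLVB":
        raise ValueError("not a TLVB record")
    fields, key = {}, None
    for tok in tokens[1:]:
        if tok in KEYS:
            key = tok
            fields.setdefault(key, [])
        elif key is not None:
            fields[key].append(tok)
    return {k: " ".join(v) for k, v in fields.items()}


def uri_user(field):
    """User part of the first <sip:user@host> in a From/To field."""
    m = SIP_URI.search(field or "")
    return m.group(1) if m else None


def peer_address(fields):
    """'p' holds transport:ip:port of the SIP peer that sent the INVITE."""
    m = PEER.match(fields.get("p", ""))
    return (m.group(1), m.group(2), int(m.group(3))) if m else (None, None, None)


def summarize(record, local_nets=LOCAL_NETS):
    """Reduce a record to the facts an investigator wants, plus a verdict."""
    f = parse_cdr(record)
    transport, ip, port = peer_address(f)
    internal = ip is not None and any(
        ipaddress.ip_address(ip) in net for net in local_nets)
    duration = None
    if "c" in f and "e" in f:  # connect and end timestamps, epoch seconds
        duration = round(float(f["e"]) - float(f["c"]), 1)
    return {
        "call_id": f.get("i"),
        "from_user": uri_user(f.get("f")),
        "to_user": uri_user(f.get("t")),
        "transport": transport,
        "source_ip": ip,
        "source_port": port,
        "duration_s": duration,
        # A call from an internal-only extension that did not originate on the
        # phone subnet is the thing to investigate, whatever the password is.
        "suspicious": not internal,
    }


if __name__ == "__main__":
    for rec in (SAMPLE_CDR, INTERNAL_CDR):
        print(summarize(rec))
```

Run over a whole cdre directory, the "suspicious" flag separates the calls the handset on .40 actually made from the ones injected from outside, and the source addresses of the latter are the candidates for the access list.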
colink Posted February 21, 2011 (Author)

Also... if the only phones connecting are on a local subnet, then what access rules would I use to block all other IPs?

    192.168.10.0 / 255.255.255.0 ALLOW
    0.0.0.0 / 0.0.0.0 BLOCK

?
gotvoip Posted February 21, 2011

1) The bind to MAC address does not isolate that extension to that MAC address. It is just used for PnP. The field above it, IP address, does do this, so if extension 102 comes from a static IP address then you can enter it here and ONLY that IP address will be able to register.

How they initially cracked the account is anyone's guess. If they were trying to guess the password very slowly then I don't think the access list would catch it if the number of unsuccessful attempts did not hit the threshold. Since it is happening only on one extension it sounds like they kept trying to guess that extension.

So you don't have any remote phones on the system and they are all only local? Are there any PnP files in the generated directory for 102? I didn't see that answer. If they had the HTTP password for extension 102 then they would be able to do WAN-based PnP without the MAC address being correct, since they would be able to log in.
Vodia PBX Posted February 21, 2011

Yes, it seems like 188.161.235.136 comes from "Palestinian Territory". I would blacklist 188.161.235.0/255.255.255.0 to fix the problem at hand.
colink Posted February 21, 2011 (Author)

> 1) The bind to MAC address does not isolate that extension to that MAC address. It is just used for PnP. The field above it, IP address, does do this, so if extension 102 comes from a static IP address then you can enter it here and ONLY that IP address will be able to register. How they initially cracked the account is anyone's guess. If they were trying to guess the password very slowly then I don't think the access list would catch it if the number of unsuccessful attempts did not hit the threshold. Since it is happening only on one extension it sounds like they kept trying to guess that extension. So you don't have any remote phones on the system and they are all only local? Are there any PnP files in the generated directory for 102? I didn't see that answer. If they had the HTTP password for extension 102 then they would be able to do WAN-based PnP without the MAC address being correct, since they would be able to log in.

Hi. They did not use the PnP, as there was no folder 102 in the generated folder. All of the phones are internal and static IP, so I will make that change now. I will also check HTTP access to make sure the passwords are complex enough.

Cheers, Colin.
polycom2080 Posted February 23, 2011

Colin, was wondering if you figured out what that hack was?
mattlandis Posted February 24, 2011

Colin, since you're fighting an attack, the article I wrote on SIP hacking might be of interest to you: http://windowspbx.blogspot.com/2010/10/someone-is-attempting-to-hack-into-your.html

If anyone has any more items to add to the list of tips, I'd be glad to hear them.

On a less serious note, the title "constant hacking" evokes the edbassmaster character "the hacker" ;-)
Tom Waterman Posted March 8, 2011

> Colin, since you're fighting an attack, the article I wrote on SIP hacking might be of interest to you: http://windowspbx.blogspot.com/2010/10/someone-is-attempting-to-hack-into-your.html If anyone has any more items to add to the list of tips, I'd be glad to hear them. On a less serious note, the title "constant hacking" evokes the edbassmaster character "the hacker" ;-)

Colin, a few months ago we went through a period where we would have 300 or so blacklisted IP addresses a day. The easy way to avoid that is to ALLOW your internal subnet that the phones are on and, if you have a SIP provider, allow them as well. Then blacklist everything else.

Cheers, Tom
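Three posts in this thread describe the same access list: colink's proposed "192.168.10.0 / 255.255.255.0 ALLOW, 0.0.0.0 / 0.0.0.0 BLOCK" pair, Vodia's suggestion to blacklist 188.161.235.0/255.255.255.0, and Tom's allow-phones-and-provider-then-block-everything advice. The Python below is an added example, not the PBX's own access-list code, and makes two assumptions that the page does not settle: rules are evaluated top-down with the first match winning (check the product documentation for the real order), and 203.0.113.0/24 is a placeholder for the SIP provider's signalling range. It parses rules in the "network / mask ACTION" form the posts use, decides what the list would do with each source address seen in the CDRs, and points out rules that can never fire because an earlier one already covers them, which is the mistake a catch-all block placed first would make.

```python
import ipaddress

# Rule table in the "network / mask ACTION" form used in the posts. Assumption:
# evaluated top-down, first match wins. 203.0.113.0/24 is a placeholder for the
# SIP trunk provider; 188.161.235.0/24 is the block suggested in the thread.
RULES = [
    ("192.168.10.0 / 255.255.255.0",  "ALLOW"),  # on-site phones
    ("203.0.113.0 / 255.255.255.0",   "ALLOW"),  # SIP provider (placeholder)
    ("188.161.235.0 / 255.255.255.0", "BLOCK"),  # attacker's /24, explicit
    ("0.0.0.0 / 0.0.0.0",             "BLOCK"),  # everything else
]


def parse_rule(text, action):
    """Accept 'a.b.c.d / mask' or CIDR; ipaddress understands both spellings."""
    net = ipaddress.ip_network(text.replace(" ", ""), strict=False)
    action = action.upper()
    if action not in ("ALLOW", "BLOCK"):
        raise ValueError("action must be ALLOW or BLOCK, got %r" % action)
    return net, action


class AccessList:
    def __init__(self, rules, default="BLOCK"):
        self.rules = [parse_rule(n, a) for n, a in rules]
        self.default = default  # what happens when no rule matches

    def decide(self, ip):
        """First matching rule wins; no match falls through to the default."""
        addr = ipaddress.ip_address(ip)
        for net, action in self.rules:
            if addr.version == net.version and addr in net:
                return action
        return self.default

    def shadowed(self):
        """Rules that can never fire because an earlier rule contains them."""
        out = []
        for i, (net, _) in enumerate(self.rules):
            for earlier, _ in self.rules[:i]:
                if earlier.version == net.version and net.subnet_of(earlier):
                    out.append(str(net))
                    break
        return out


def audit(acl, source_ips):
    """Map each source address taken from the CDRs to the list's verdict."""
    return {ip: acl.decide(ip) for ip in source_ips}


if __name__ == "__main__":
    acl = AccessList(RULES)
    print(audit(acl, ["192.168.10.40", "188.161.235.136", "203.0.113.10", "8.8.8.8"]))
    print("shadowed:", acl.shadowed())
    # The catch-all placed first would lock the phones out under first-match:
    wrong = AccessList([("0.0.0.0/0", "BLOCK"), ("192.168.10.0/24", "ALLOW")])
    print(wrong.decide("192.168.10.40"), "shadowed:", wrong.shadowed())
```

With the catch-all in place the explicit 188.161.235.0/24 entry is redundant but harmless; the shadowed() check is the one to run after any edit, because a deny-all that drifts above the phone subnet silently deregisters every handset rather than producing an error.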