How Not to Configure Asterisk

September 29th, 2008

This must be blogged - all I can say is “Holy Shit!”

An Asterisk box I had set up for a client with ~10 extensions was compromised this morning at about 12 AM… and they really did a number on it. I apologize if you were a victim of this attack; however, there was really no way of telling it was happening until it was too late.

Over 2000 “phishing” calls were placed over the past 20 hours, the majority of them during extremely late hours and to only a small group of numbers - meaning a lot of repeat calls… My inbox quickly filled with pissed off voicemails from Texas residents - once the server was taken down.

Now a DDoS attack is bad, but can generally be fixed - a web site’s content being compromised is worse - but when hundreds of people are being called late at night and asked for their VISA card numbers: that’s a tragedy!

I have taken down the server and have a feeling it was compromised via the Flash Operator Panel which no one ever uses, but the last logs were not cleared and the bash history looked like mine - so it must have been some type of web based attack.  I am downloading the VM to test locally so I can figure out exactly what happened and why, so it will never happen again.

A word of warning to people hosting any type of streaming application / telephony service - LOCK DOWN your shit to the max! A website is visited by choice - a phone call while you are asleep is intrusion, BE CAREFUL!

On a positive note - VoipYourLife is a super wicked VoIP provider for home / business - they had no problem shelling out 2000 calls in < 20 hours - I strongly recommend them!

  1. September 30th, 2008 at 07:31

    Yeah. I have heard of these kinds of disasters happening before. Good to see that you got everything working the way it should in the end. Hopefully you don’t have anyone with pitchforks and torches at your door tomorrow.

  2. surat
    October 4th, 2008 at 04:07

    This happened to me too, any more info on this? Were you able to trace it and fix it? Thanks.

  3. October 13th, 2008 at 20:38

    Wow, I’m surprised we didn’t catch this before you did! The folks at FreePBX, Fonality and others make it nice and easy for about anyone to install a pretty powerful IP PBX. Unfortunately, they also load default admin level usernames and passwords with very little warning about changing them.

    I won’t explain how it’s done, but it’s pretty easy to locate the IP PBX systems on the web. Once they are found, a quick check of the default username and password often gives the would-be hacker wide open access to your system as well as your login information for your SIP provider(s).

    Dennis Smith
    http://www.voipyourlife.com

  4. October 14th, 2008 at 04:54

    Thanks for the comment Darren, your company offers great service BTW.

    I have the vm under quarantine and will be investigating the cause within the week.

    The simplest fixes are:

    1. Do NOT ever put your IP PBX in the DMZ.

    2. Do not forget to change the passwords for:
    - Flash Operator Panel <- biggie, I never use it but it was wide open.
    - root (duhh!)
    - Un-embedded FreePBX
    - Any combined (useless) CRM app

    3. 1234 is not a good SIP account passwd, get a little more creative please.

    4. Keep your production boxes fully updated in the STABLE branch; bleeding edge apps are cool but could potentially cause a lot of unneeded stress.
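Two of the fixes in the comment above (weak or default SIP secrets such as 1234, and a box that accepts calls from anyone) can be checked mechanically against sip.conf. The audit below is an added example, not the author's or the Asterisk project's code; the option names (`secret`, `type`, `username`, `allowguest`, `alwaysauthreject`) are real sip.conf options, while the default-secret list, the 12-character threshold and the sample configuration are constructed for this example.

```python
import re

DEFAULT_SECRETS = {"1234", "password", "secret", "asterisk"}  # constructed list

def parse_asterisk_conf(text):
    """Tiny parser for Asterisk's INI-like files: [name](tpl) headers, key=value or key=>value, ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.lstrip(">").strip()
    return sections

def audit_sip_conf(text):
    """Return (section, finding) pairs for the weak settings the comment above lists."""
    conf, findings = parse_asterisk_conf(text), []
    general = conf.get("general", {})
    if general.get("alwaysauthreject", "no").lower() != "yes":
        findings.append(("general", "alwaysauthreject should be explicitly yes"))
    if general.get("allowguest", "yes").lower() != "no":  # Asterisk's default is yes
        findings.append(("general", "allowguest should be no"))
    for name, opts in conf.items():
        if opts.get("type") not in ("friend", "peer", "user"):
            continue  # not a SIP account section
        secret = opts.get("secret", "")
        if not secret or secret in DEFAULT_SECRETS or secret.isdigit():
            findings.append((name, "missing, default or all-digit secret"))
        elif len(secret) < 12 or secret in (name, opts.get("username")):
            findings.append((name, "short or username-derived secret"))
    return findings

# Constructed sample sip.conf: two weak peers and one reasonable one.
SAMPLE_SIP_CONF = """\
[general]
allowguest=yes
[1001]
type=friend
secret=1234        ; the SIP password the comment above complains about
[1002]
type=friend
secret=ext1002
[1003]
type=friend
secret=r7Kq2vL9pXw4bT
"""
```

Running `audit_sip_conf(SAMPLE_SIP_CONF)` flags the [general] section twice and extensions 1001 and 1002, and leaves 1003 alone.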
