[Spce-user] server hacked

Matthew Ogden matthew at tenacit.net
Sat Apr 27 06:37:57 EDT 2013


The attack came from an A class that we allow, but which actually isn't in our
area (the block is not contiguous).



SSH was being hammered as well from a different IP, but it never
authenticated; it stopped after "Apr 26 19:25:18 spce sshd[31518]: Failed
password for root" from then on.

I don’t understand why the IDs of the transactions are so much shorter with
no @.

I also don't understand, if they had compromised the system and knew the
authentication details, why would they first try to use the wrong username?
(Almost instantly followed by the right username.) There was a previous
attempt before that which did authenticate:

Apr 26 19:41:54 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:sip.tenacit.net F=sip:WS001A002@sip.tenacit.net T=sip:WS001A002@sip.tenacit.net IP=198.38.93.188:10052 (127.0.0.1:5060) ID=cd730f13b37e5f53

Apr 26 19:41:54 spce /usr/sbin/kamailio[2169]: INFO: <script>: Authentication failed, no credentials - R=sip:sip.tenacit.net ID=cd730f13b37e5f53

Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: New request - M=REGISTER R=sip:sip.tenacit.net F=sip:WS001A002@sip.tenacit.net T=sip:WS001A002@sip.tenacit.net IP=198.38.93.188:10052 (127.0.0.1:5060) ID=cd730f13b37e5f53

Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:sip.tenacit.net ID=cd730f13b37e5f53

Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:sip.tenacit.net ID=cd730f13b37e5f53

Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@sip.tenacit.net' - R=sip:sip.tenacit.net ID=cd730f13b37e5f53

Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: Contacts successfully saved - R=sip:sip.tenacit.net ID=cd730f13b37e5f53

2 minutes before, the client device fails to get to the registration part
with credentials. Those credentials are still in the device (we manage it).


I seriously do not understand how this has taken place. But it appears the
2 minutes before, where the client device is failing to register, were part of
the attack. Is there any sort of spoofing that can be used to make the
authentication details process packets end up somewhere else?

Would like to get to the bottom of how they got the password on their first
attempt, so any advice is greatly appreciated.







*From:* Pedro Guillem [mailto:pedro.guillem at gmail.com]
*Sent:* 27 April 2013 12:05 AM
*To:* Matthew Ogden
*Cc:* spce-user
*Subject:* Re: [Spce-user] server hacked



Creepy!



You can always block the IP with iptables, but that obviously will not
solve the problem.



I'm very new at this, but:



1) Have you tried limiting the IP addresses of your subscribers? Are they
dynamic?

2) Did you look at other logs? /var/log/auth.conf /var/log/messages to seek
for other vectors of attack?

3) Have you tried using MySQL injection on the NGCP web sites? I'm sure
the Sipwise folks did not miss something as essential as this, but it's
worth a try.

4) Are your SIP passwords strong enough?



I would take it from there.



Regards

Pedro
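A note on what the log pattern in this thread shows, and on point 4 above. A SIP REGISTER is normally sent without credentials first; the proxy answers 401 with a fresh nonce, and the phone re-sends the same Call-ID with a digest Authorization header. That is exactly the "Authentication failed, no credentials" line followed a second later by "Load prefs ... Contacts successfully saved" for the same ID. The following Python models that exchange end to end, then shows what an observer who captured one challenge/response pair can do with it: a captured header cannot be replayed against a new nonce, but every password guess can be tested offline, so a weak SIP password falls quickly. This is an added example, not code from the thread or from the Sipwise platform; the realm, username, passwords and candidate list are constructed, and it makes no claim about how the password in this incident was actually obtained.

```python
"""
SIP REGISTER digest authentication (RFC 2617 as used by RFC 3261, no qop),
modelled end to end: the 401 challenge, the authenticated retry, server-side
verification, replay against a new nonce, and offline guessing from a captured
Authorization header. Added example; not code from the thread or from Sipwise.
All values below are constructed.
"""
import hashlib
import hmac
import secrets

REALM = "sip.example.net"     # constructed; on NGCP the realm is the SIP domain
USER = "WS001A002"            # username in the style of the thread
METHOD = "REGISTER"
URI = "sip:sip.example.net"   # Request-URI of the REGISTER (the R= field in the log)


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """response = MD5( MD5(user:realm:password) : nonce : MD5(method:uri) )."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def challenge() -> str:
    """The proxy answers a credential-less REGISTER with 401 and a fresh nonce.
    That first REGISTER is the 'Authentication failed, no credentials' line."""
    return secrets.token_hex(16)


def verify(stored_password: str, auth: dict, expected_nonce: str) -> bool:
    """Proxy side: the nonce must be the one this proxy just issued, and the
    response must match a recomputation with the stored secret."""
    if auth["nonce"] != expected_nonce:
        return False
    calc = digest_response(auth["username"], auth["realm"], stored_password,
                           METHOD, auth["uri"], auth["nonce"])
    return hmac.compare_digest(calc, auth["response"])


def register(client_password: str, stored_password: str):
    """Client side of the second REGISTER. Returns (accepted, auth_header);
    the header is what an on-path observer would see."""
    nonce = challenge()                      # carried in the 401
    auth = {"username": USER, "realm": REALM, "uri": URI, "nonce": nonce,
            "response": digest_response(USER, REALM, client_password,
                                        METHOD, URI, nonce)}
    return verify(stored_password, auth, nonce), auth


def offline_guess(captured: dict, candidates):
    """Attacker side: with one captured challenge/response pair every guess is
    tested locally, with no traffic to the proxy and nothing in its log.
    Returns the matching password or None."""
    for guess in candidates:
        r = digest_response(captured["username"], captured["realm"], guess,
                            METHOD, captured["uri"], captured["nonce"])
        if r == captured["response"]:
            return guess
    return None


# Constructed list of the kind of guesses a SIP brute-force tool tries first.
WEAK_CANDIDATES = ["0000", "1111", "1234", "123456", "password", USER, USER.lower()]


if __name__ == "__main__":
    ok, hdr = register("1234", "1234")
    print("weak password accepted:", ok)
    print("replay of captured header against new nonce:", verify("1234", hdr, challenge()))
    print("password recovered offline:", offline_guess(hdr, WEAK_CANDIDATES))
    strong = secrets.token_urlsafe(18)
    ok, hdr = register(strong, strong)
    print("strong password accepted:", ok,
          "| recovered offline:", offline_guess(hdr, WEAK_CANDIDATES))
```

The practical reading for this thread: the proxy log cannot tell a captured-and-cracked password from a guessed or leaked one, because in every case the first authenticated REGISTER succeeds. Long random per-subscriber passwords make the offline step infeasible; per-subscriber IP restrictions (the "IP authorization not provisioned" line shows none were set) limit where a known password can be used from.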



On Fri, Apr 26, 2013 at 4:55 PM, Matthew Ogden <matthew at tenacit.net> wrote:

Hi



My server has been hacked... I'm not sure how.



There were no IPs/Users in Security bans.



Here is the proxy log. I've replaced my domain with <my domain> and the real
client IP (a dynamic IP) with <REAL CLIENT IP>. I've left the hacker's IP in.





root@spce:~# grep "Apr 26 19:42:3" /var/log/ngcp/kamailio-proxy.log

Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0

Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0

Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0

Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0

Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0

Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0

Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Contacts successfully saved - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0

Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain> T=sip:WS001A004@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=ba701808665abe0f

Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=ba701808665abe0f

Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain> T=sip:WS001A004@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=ba701808665abe0f

Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: Authentication failed, invalid user - R=sip:<my domain> ID=ba701808665abe0f

Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=df4767364b3ca13b

Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=df4767364b3ca13b

Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=df4767364b3ca13b

Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain> ID=df4767364b3ca13b

Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:<my domain> ID=df4767364b3ca13b

Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID=df4767364b3ca13b

Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Contacts successfully saved - R=sip:<my domain> ID=df4767364b3ca13b



Sincerely
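As an added example (not code from the thread or from Sipwise), the following Python turns the kamailio-proxy.log excerpt above into detection logic. It pairs each result line ("Authentication failed, ..." or "Contacts successfully saved") with its REGISTER through the Call-ID (the ID= field), then reports the two things that are visible in the excerpt: a username that registered successfully from two different source IPs within a few seconds, and a source IP that probed a username the platform does not know. It also fingerprints clients by Call-ID shape, which is the "shorter ID with no @" difference noted in the thread. The sample log is constructed to mirror the thread's lines, with documentation-range addresses in place of the real client and attacker IPs; the regular expressions assume the exact line layout shown in this thread and may need adjusting for other NGCP versions.

```python
"""
Detection over kamailio-proxy.log REGISTER lines in the layout shown in this
thread. Added example; not Sipwise code. SAMPLE_LOG is constructed, with
documentation-range IPs: 203.0.113.7 stands for the real phone, 198.51.100.9
for the attacker.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: New request - M=REGISTER R=sip:sip.example.net F=sip:WS001A002@sip.example.net T=sip:WS001A002@sip.example.net IP=203.0.113.7:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: Authentication failed, no credentials - R=sip:sip.example.net ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: New request - M=REGISTER R=sip:sip.example.net F=sip:WS001A002@sip.example.net T=sip:WS001A002@sip.example.net IP=203.0.113.7:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Contacts successfully saved - R=sip:sip.example.net ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: New request - M=REGISTER R=sip:sip.example.net F=sip:WS001A004@sip.example.net T=sip:WS001A004@sip.example.net IP=198.51.100.9:10053 (127.0.0.1:5060) ID=ba701808665abe0f
Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: Authentication failed, no credentials - R=sip:sip.example.net ID=ba701808665abe0f
Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: New request - M=REGISTER R=sip:sip.example.net F=sip:WS001A004@sip.example.net T=sip:WS001A004@sip.example.net IP=198.51.100.9:10053 (127.0.0.1:5060) ID=ba701808665abe0f
Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: Authentication failed, invalid user - R=sip:sip.example.net ID=ba701808665abe0f
Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:sip.example.net F=sip:WS001A002@sip.example.net T=sip:WS001A002@sip.example.net IP=198.51.100.9:10053 (127.0.0.1:5060) ID=df4767364b3ca13b
Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: Authentication failed, no credentials - R=sip:sip.example.net ID=df4767364b3ca13b
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: New request - M=REGISTER R=sip:sip.example.net F=sip:WS001A002@sip.example.net T=sip:WS001A002@sip.example.net IP=198.51.100.9:10053 (127.0.0.1:5060) ID=df4767364b3ca13b
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Contacts successfully saved - R=sip:sip.example.net ID=df4767364b3ca13b
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
NEW_REQ = re.compile(TS + r" \S+ \S+\[\d+\]: INFO: <script>: New request - M=(?P<method>\w+) "
                     r"R=\S+ F=sip:(?P<user>[^@\s]+)@\S+ T=\S+ IP=(?P<ip>[\d.]+):\d+ \(\S+\) ID=(?P<id>\S+)")
RESULT = re.compile(TS + r" \S+ \S+\[\d+\]: INFO: <script>: (?P<what>Contacts successfully saved"
                    r"|Authentication failed, no credentials|Authentication failed, invalid user)"
                    r" - R=\S+\s?ID=(?P<id>\S+)")


def parse(lines):
    """Return (ts, outcome, user, ip, callid) tuples; each result line is tied
    to the most recent REGISTER with the same Call-ID."""
    pending, events = {}, []
    for line in lines:
        m = NEW_REQ.match(line)
        if m:
            if m["method"] == "REGISTER":
                pending[m["id"]] = (m["user"], m["ip"])
            continue
        m = RESULT.match(line)
        if m and m["id"] in pending:
            user, ip = pending[m["id"]]
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
            events.append((ts, m["what"], user, ip, m["id"]))
    return events


def callid_style(callid):
    """Phones usually send user@host Call-IDs; scanners often send a bare token."""
    return "host-qualified" if "@" in callid else "bare"


def callid_styles(log_text):
    """Per source IP, the set of Call-ID shapes seen: a cheap client fingerprint."""
    styles = defaultdict(set)
    for _, _, _, ip, cid in parse(log_text.splitlines()):
        styles[ip].add(callid_style(cid))
    return dict(styles)


def analyse(log_text, window_s=300):
    """Findings: ('unknown-user', ip, user) for enumeration attempts and
    ('same-user-two-ips', user, ip1, ip2, seconds) when one subscriber
    registers from two different addresses within window_s."""
    findings, regs = [], defaultdict(list)
    for ts, what, user, ip, cid in parse(log_text.splitlines()):
        if what == "Contacts successfully saved":
            regs[user].append((ts, ip, cid))
        elif what == "Authentication failed, invalid user":
            findings.append(("unknown-user", ip, user))
    for user, items in regs.items():
        items.sort()
        for (t1, ip1, _), (t2, ip2, _) in zip(items, items[1:]):
            gap = int((t2 - t1).total_seconds())
            if ip1 != ip2 and gap <= window_s:
                findings.append(("same-user-two-ips", user, ip1, ip2, gap))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
    print(callid_styles(SAMPLE_LOG))
```

Run against the real file with `analyse(open("/var/log/ngcp/kamailio-proxy.log").read())`. A "same-user-two-ips" finding is not proof of compromise on its own (a phone behind a changing NAT address produces it too), but combined with an "unknown-user" probe from the same source, as in this thread, it is a strong signal; the Call-ID fingerprint helps tell the two clients apart when they share a username.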




_______________________________________________
Spce-user mailing list
Spce-user at lists.sipwise.com
http://lists.sipwise.com/listinfo/spce-user