[Spce-user] server hacked

Skyler skchopperguy at gmail.com
Sat Apr 27 14:45:12 EDT 2013


The only way I could see anyone 'getting' the password on a first/second 
attempt is if they actually gained access to the ATA and copied the 
password from there.

Or, if you have HTTP provisioning, maybe from there. I'd grep the MAC 
and look for IPs other than the client's or yours which 200'd the cfg file.

The first failed auth was probably a bad copy/paste.

For SSH, you should change the port and use denyhosts. From there you 
can copy the IPs into spce blocking if you wish as well.

Skyler

On 4/27/2013 3:37 AM, Matthew Ogden wrote:
> The attack came from an A class that we allow, but actually isn't in our
> area (the block is not continuous).
>
> SSH was being hammered as well from a different IP, but it never
> authenticated, it stopped at Apr 26 19:25:18 spce sshd[31518]: Failed
> password for root from then.
>
> I don’t understand why the IDs of the transactions are so much shorter
> with no @.
>
> I also don't understand, if they had compromised the system and knew the
> authentication details, why would they first try to use the wrong
> username? (Almost instantly followed by the right username). There was
> a previous attempt before that did authenticate:
>
> Apr 26 19:41:54 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:sip.tenacit.net F=sip:WS001A002@sip.tenacit.net T=sip:WS001A002@sip.tenacit.net IP=198.38.93.188:10052 (127.0.0.1:5060) ID=cd730f13b37e5f53
>
> Apr 26 19:41:54 spce /usr/sbin/kamailio[2169]: INFO: <script>: Authentication failed, no credentials - R=sip:sip.tenacit.net ID=cd730f13b37e5f53
>
> Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: New request - M=REGISTER R=sip:sip.tenacit.net F=sip:WS001A002@sip.tenacit.net T=sip:WS001A002@sip.tenacit.net IP=198.38.93.188:10052 (127.0.0.1:5060) ID=cd730f13b37e5f53
>
> Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:sip.tenacit.net ID=cd730f13b37e5f53
>
> Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:sip.tenacit.net ID=cd730f13b37e5f53
>
> Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@sip.tenacit.net' - R=sip:sip.tenacit.net ID=cd730f13b37e5f53
>
> Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: Contacts successfully saved - R=sip:sip.tenacit.net ID=cd730f13b37e5f53
>
> 2 minutes before, the client device fails to get to the registration
> part with credentials. Those credentials are still in the device (we
> manage it).
>
> I seriously do not understand how this has taken place. But it appears
> the 2 minutes before, where the client device is failing to register, were
> part of the attack. Is there any sort of spoofing that can be used to make
> the authentication details process packets land up somewhere else?
>
> Would like to get to the bottom of how they got the password on their
> first attempt, so any advice is greatly appreciated.
>
> *From:* Pedro Guillem [mailto:pedro.guillem at gmail.com]
> *Sent:* 27 April 2013 12:05 AM
> *To:* Matthew Ogden
> *Cc:* spce-user
> *Subject:* Re: [Spce-user] server hacked
>
> Creepy!
>
> You can always block the IP with iptables.. but that obviously will not
> solve the problem.
>
> I'm very new at this, but:
>
> 1) have you tried limiting the IP addresses of your subscribers? Are they
> dynamic?
>
> 2) Did you look at other logs? /var/log/auth.conf /var/log/messages to
> seek for other vectors of attack?
>
> 3) Have you tried using mysql injection on the ngcp web sites? I'm sure
> the sipwise folks did not miss something as essential as this, but it's
> worth a try.
>
> 4) are your sip passwords strong enough?
>
> I would take it from there.
>
> Regards
>
> Pedro
>
> On Fri, Apr 26, 2013 at 4:55 PM, Matthew Ogden <matthew at tenacit.net> wrote:
>
> Hi
>
> My server has been hacked... I'm not sure how.
>
> There were no IPs/Users in Security bans.
>
> Here is the proxy log. I've replaced my domain with <my domain> and the real
> client IP (a dynamic IP) with <REAL CLIENT IP>. I've left the hacker's IP in.
>
> root at spce:~# grep "Apr 26 19:42:3" /var/log/ngcp/kamailio-proxy.log
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
>
> Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Contacts successfully saved - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
>
> Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain> T=sip:WS001A004@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=ba701808665abe0f
>
> Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=ba701808665abe0f
>
> Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain> T=sip:WS001A004@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=ba701808665abe0f
>
> Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: Authentication failed, invalid user - R=sip:<my domain> ID=ba701808665abe0f
>
> Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=df4767364b3ca13b
>
> Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=df4767364b3ca13b
>
> Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=df4767364b3ca13b
>
> Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain> ID=df4767364b3ca13b
>
> Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:<my domain> ID=df4767364b3ca13b
>
> Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID=df4767364b3ca13b
>
> Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Contacts successfully saved - R=sip:<my domain> ID=df4767364b3ca13b
>
> Sincerely
>
>
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> http://lists.sipwise.com/listinfo/spce-user
>
>
>
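The two anomalies Matthew picks out of the kamailio-proxy.log excerpt (the same subscriber's contacts being saved from the intruder's address seconds after the real ATA registered, and the intruder's Call-IDs having no "@host" part), plus the "invalid user" failure that looks like account probing, can be turned into a small detection pass over the log. This is an added example, not code from the thread or from Sipwise; it assumes the key=value line format shown above, and the sample lines are constructed to mirror the quoted ones with placeholder addresses (203.0.113.10 for the legitimate client, 198.51.100.77 standing in for the intruder).

```python
"""Flag anomalous REGISTER activity in an NGCP/Kamailio proxy log.

Added example, not code from the list thread or from Sipwise. It assumes the
'key=value' line format quoted in the thread and applies three heuristics the
discussion raises:
  1. a subscriber whose contacts are saved from two different source IPs
     within a short window (the legitimate ATA, then the intruder),
  2. Call-IDs with no '@host' part (the short IDs the poster noticed), and
  3. 'invalid user' failures, which look like account enumeration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the quoted log. The domain is a placeholder,
# the legitimate client is 203.0.113.10 and the intruder is 198.51.100.77
# (documentation-range addresses, not the address from the thread).
SAMPLE_LOG = """\
Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: New request - M=REGISTER R=sip:example.net F=sip:WS001A002@example.net T=sip:WS001A002@example.net IP=203.0.113.10:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: Authentication failed, no credentials - R=sip:example.net ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: New request - M=REGISTER R=sip:example.net F=sip:WS001A002@example.net T=sip:WS001A002@example.net IP=203.0.113.10:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Contacts successfully saved - R=sip:example.net ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: New request - M=REGISTER R=sip:example.net F=sip:WS001A004@example.net T=sip:WS001A004@example.net IP=198.51.100.77:10053 (127.0.0.1:5060) ID=ba701808665abe0f
Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: Authentication failed, invalid user - R=sip:example.net ID=ba701808665abe0f
Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:example.net F=sip:WS001A002@example.net T=sip:WS001A002@example.net IP=198.51.100.77:10053 (127.0.0.1:5060) ID=df4767364b3ca13b
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Contacts successfully saved - R=sip:example.net ID=df4767364b3ca13b
"""

TS = r'(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)'
NEW_REQ = re.compile(
    TS + r' .*?New request - M=(?P<method>[A-Z]+) .*?F=sip:(?P<user>[^@\s]+)@\S+'
    r' .*?IP=(?P<ip>[\d.]+):\d+ .*?ID=(?P<cid>\S+)$')
SAVED = re.compile(TS + r' .*?Contacts successfully saved - .*?ID=(?P<cid>\S+)$')
INVALID = re.compile(TS + r' .*?Authentication failed, invalid user - .*?ID=(?P<cid>\S+)$')


def parse_ts(ts):
    # syslog timestamps carry no year; only differences between them are used
    return datetime.strptime(ts, '%b %d %H:%M:%S')


def analyse(log_text, window_seconds=300):
    """Return findings as dicts with kind, user, ip and detail."""
    requests = {}               # Call-ID -> (ts, user, source ip) of the REGISTER
    saved = defaultdict(list)   # user -> [(ts, source ip)] for saved contacts
    findings, flagged = [], set()
    for line in log_text.splitlines():
        m = NEW_REQ.match(line)
        if m:
            if m['method'] != 'REGISTER':
                continue
            cid, user, ip = m['cid'], m['user'], m['ip']
            requests[cid] = (parse_ts(m['ts']), user, ip)
            if '@' not in cid and cid not in flagged:      # heuristic 2
                flagged.add(cid)
                findings.append(dict(kind='short-callid', user=user, ip=ip, detail=cid))
            continue
        m = INVALID.match(line)
        if m and m['cid'] in requests:                      # heuristic 3
            _, user, ip = requests[m['cid']]
            findings.append(dict(kind='invalid-user', user=user, ip=ip, detail=m['cid']))
            continue
        m = SAVED.match(line)
        if m and m['cid'] in requests:
            _, user, ip = requests[m['cid']]
            saved[user].append((parse_ts(m['ts']), ip))
    for user, regs in saved.items():                        # heuristic 1
        regs.sort()
        for (t1, ip1), (t2, ip2) in zip(regs, regs[1:]):
            if ip1 != ip2 and (t2 - t1).total_seconds() <= window_seconds:
                findings.append(dict(kind='multi-ip', user=user, ip=ip2,
                                     detail=f'{ip1} then {ip2}'))
    return findings


def suspect_ips(findings, trusted=()):
    """Source addresses to consider for the SPCE ban list or iptables."""
    return sorted({f['ip'] for f in findings if f['ip'] not in trusted})


if __name__ == '__main__':
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f"{f['kind']:13} user={f['user']} ip={f['ip']} {f['detail']}")
    print('block candidates:', suspect_ips(results))
```

Run against the real file (`analyse(open('/var/log/ngcp/kamailio-proxy.log').read())`) the multi-ip rule is the one that matters for this incident: a 401 challenge followed by a successful re-REGISTER is normal, so "no credentials" lines are deliberately ignored, while a second address completing registration for the same subscriber within the window is what the quoted excerpt actually shows. The Call-ID heuristic is weaker (some legitimate clients also omit the host part) and is best used to rank, not to block.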


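Skyler's suggestion to grep the provisioning server for the device's MAC and look for any address other than the client's that got a 200 on the cfg file is worth doing systematically, because a config pull is the simplest explanation for a password being right on the first try. The following is an added example, not code from the thread or from Sipwise: it assumes an Apache/nginx "combined" access log and config files named after the device MAC (e.g. /prov/<MAC>.cfg), both common but site-specific, and the access-log lines are constructed (documentation-range addresses, made-up MAC, made-up user agents).

```python
"""Check an HTTP provisioning server's access log for a device's config being
fetched from somewhere other than the device itself.

Added example, not code from the list thread or from Sipwise. Assumes the
Apache/nginx 'combined' log format and config files named after the device
MAC (e.g. /prov/<MAC>.cfg); adjust COMBINED and MAC_IN_PATH for other layouts.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: the ATA (203.0.113.10) fetches its own config, then an
# outside host (198.51.100.77) fetches the same file and walks neighbouring
# MAC-named files. Addresses are documentation ranges; the MAC is made up.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [26/Apr/2013:19:39:02 +0200] "GET /prov/020000abcdef.cfg HTTP/1.1" 200 4120 "-" "ATA-firmware/1.0"
198.51.100.77 - - [26/Apr/2013:19:40:11 +0200] "GET /prov/020000ABCDEF.cfg HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.77 - - [26/Apr/2013:19:40:12 +0200] "GET /prov/020000abcdee.cfg HTTP/1.1" 404 312 "-" "Mozilla/5.0"
198.51.100.77 - - [26/Apr/2013:19:40:13 +0200] "GET /prov/020000abcdf0.cfg HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.10 - - [26/Apr/2013:19:41:00 +0200] "GET /prov/020000abcdef.cfg HTTP/1.1" 304 - "-" "ATA-firmware/1.0"
"""

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?')
MAC_IN_PATH = re.compile(r'([0-9a-f]{12})', re.I)   # 12 hex digits in the file name


def normalise_mac(mac):
    """'02:00:00:AB:CD:EF' / '02-00-00-ab-cd-ef' -> '020000abcdef'."""
    return re.sub(r'[^0-9a-f]', '', mac.lower())


def parsed(log_text):
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if m:
            yield m


def config_fetches(log_text, mac, trusted_nets):
    """(ip, timestamp, path, user-agent) for every 200 on this MAC's config
    from an address outside the trusted networks (the client's range and yours)."""
    mac = normalise_mac(mac)
    nets = [ip_network(n, strict=False) for n in trusted_nets]
    hits = []
    for m in parsed(log_text):
        found = MAC_IN_PATH.search(m['path'])
        if m['status'] != '200' or not found or found.group(1).lower() != mac:
            continue
        src = ip_address(m['ip'])
        if any(src in n for n in nets):
            continue
        hits.append((m['ip'], m['ts'], m['path'], m['ua'] or ''))
    return hits


def sweep_sources(log_text, min_misses=2):
    """Addresses with repeated 404s on .cfg paths: a scanner walking MAC space."""
    misses = Counter(m['ip'] for m in parsed(log_text)
                     if m['status'] == '404' and m['path'].lower().endswith('.cfg'))
    return sorted(ip for ip, n in misses.items() if n >= min_misses)


if __name__ == '__main__':
    for hit in config_fetches(SAMPLE_ACCESS_LOG, '02:00:00:AB:CD:EF', ['203.0.113.0/24']):
        print('config fetched from outside:', hit)
    print('possible MAC sweep from:', sweep_sources(SAMPLE_ACCESS_LOG))
```

A hit from `config_fetches` is the evidence Skyler is describing: the credentials left the provisioning server in the clear to an address that is not the device. `sweep_sources` adds the usual companion signal, a source probing adjacent MAC-named files, which is how an attacker finds configs without knowing a MAC in advance. If either fires, rotating the SIP password and restricting or authenticating config downloads matters more than blocking the one address.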

