[Spce-user] server hacked
Tim Donahue
tim.donahue at gmail.com
Sat Apr 27 16:57:18 EDT 2013
What was the client's endpoint? There was a Grandstream security issue
where the admin password could be bypassed and the sip user credentials
could be recovered.
Tim
Hi
My server has been hacked… I'm not sure how.
There were no IPs/users in Security bans.
Here is the proxy log. I've replaced my domain with <my domain> and the real
client IP (a dynamic IP) with <REAL CLIENT IP>. I've left the hacker's IP in.
root@spce:~# grep "Apr 26 19:42:3" /var/log/ngcp/kamailio-proxy.log
Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Contacts successfully saved - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain> T=sip:WS001A004@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=ba701808665abe0f
Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=ba701808665abe0f
Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain> T=sip:WS001A004@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=ba701808665abe0f
Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: Authentication failed, invalid user - R=sip:<my domain> ID=ba701808665abe0f
Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=df4767364b3ca13b
Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=df4767364b3ca13b
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=df4767364b3ca13b
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain> ID=df4767364b3ca13b
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:<my domain> ID=df4767364b3ca13b
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID=df4767364b3ca13b
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Contacts successfully saved - R=sip:<my domain> ID=df4767364b3ca13b
Sincerely
_______________________________________________
Spce-user mailing list
Spce-user at lists.sipwise.com
http://lists.sipwise.com/listinfo/spce-user
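The log above shows the pattern worth alerting on: the same subscriber (WS001A002) completes a REGISTER from the real client's IP and, three seconds later, from an unrelated IP, while that second IP also produces an "invalid user" failure for WS001A004. The following is an added example, not code from the Sipwise project or from anyone in this thread. It parses "New request", "Authentication failed" and "Contacts successfully saved" lines in the format shown in the post (one log entry per line), correlates them by Call-ID, and reports subscribers registered from more than one source IP inside a short window plus per-IP authentication failures. The sample log, the domain `example.com`, the IPs `203.0.113.10` and `198.51.100.77`, and the assumed log year 2013 are all constructed for the example; "no credentials" failures are ignored because they are just the expected Digest challenge on a phone's first REGISTER.

```python
"""Flag suspicious SIP REGISTER activity in a Kamailio/SPCE proxy log.

Added example, not Sipwise code. Assumes the line format shown in the post,
one entry per line, and a log year of 2013 (syslog timestamps carry no year).
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_YEAR = 2013  # assumption: the post dates from April 2013

# Constructed sample in the post's format. Domain/IPs are documentation
# placeholders, not the poster's real values. Sequence mirrors the post:
# a legitimate phone registers WS001A002 from 203.0.113.10; another host
# (198.51.100.77) probes WS001A004 with a bad user, then registers WS001A002.
SAMPLE_LOG = [
    "Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: New request - M=REGISTER R=sip:example.com F=sip:WS001A002@example.com T=sip:WS001A002@example.com IP=203.0.113.10:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c@0.0.0.0",
    "Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: Authentication failed, no credentials - R=sip:example.com ID=63eea6a11c3d3a0c@0.0.0.0",
    "Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: New request - M=REGISTER R=sip:example.com F=sip:WS001A002@example.com T=sip:WS001A002@example.com IP=203.0.113.10:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c@0.0.0.0",
    "Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Contacts successfully saved - R=sip:example.com ID=63eea6a11c3d3a0c@0.0.0.0",
    "Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: New request - M=REGISTER R=sip:example.com F=sip:WS001A004@example.com T=sip:WS001A004@example.com IP=198.51.100.77:10053 (127.0.0.1:5060) ID=ba701808665abe0f",
    "Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: Authentication failed, no credentials - R=sip:example.com ID=ba701808665abe0f",
    "Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: New request - M=REGISTER R=sip:example.com F=sip:WS001A004@example.com T=sip:WS001A004@example.com IP=198.51.100.77:10053 (127.0.0.1:5060) ID=ba701808665abe0f",
    "Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: Authentication failed, invalid user - R=sip:example.com ID=ba701808665abe0f",
    "Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:example.com F=sip:WS001A002@example.com T=sip:WS001A002@example.com IP=198.51.100.77:10053 (127.0.0.1:5060) ID=df4767364b3ca13b",
    "Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: Authentication failed, no credentials - R=sip:example.com ID=df4767364b3ca13b",
    "Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: New request - M=REGISTER R=sip:example.com F=sip:WS001A002@example.com T=sip:WS001A002@example.com IP=198.51.100.77:10053 (127.0.0.1:5060) ID=df4767364b3ca13b",
    "Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Contacts successfully saved - R=sip:example.com ID=df4767364b3ca13b",
]

# "New request" line: method, From-user, source IP (IPv4 assumed), Call-ID.
NEW_REQ = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+kamailio\[\d+\]: INFO: <script>: "
    r"New request - M=(?P<method>\w+) R=\S+ F=sip:(?P<user>[^@\s]+)@\S+ T=\S+ "
    r"IP=(?P<ip>[^:\s]+):\d+ \(\S+\) ID=(?P<cid>\S+)$"
)
AUTH_FAIL = re.compile(r"Authentication failed, (?P<reason>[^-]+?) - .*ID=(?P<cid>\S+)$")
SAVED = re.compile(r"Contacts successfully saved - .*ID=(?P<cid>\S+)$")


def parse_ts(ts):
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=LOG_YEAR)


def parse(lines):
    """Return (failures_by_ip, registrations); both keyed via the Call-ID."""
    requests = {}                 # cid -> (ts, user, ip, method)
    failures = defaultdict(list)  # ip -> [(ts, user, reason)]
    registrations = []            # (ts, user, ip) for each saved REGISTER
    for line in lines:
        m = NEW_REQ.match(line)
        if m:
            requests[m["cid"]] = (parse_ts(m["ts"]), m["user"], m["ip"], m["method"])
            continue
        m = AUTH_FAIL.search(line)
        if m:
            req = requests.get(m["cid"])
            reason = m["reason"].strip()
            # First REGISTER always fails with "no credentials" (Digest challenge);
            # only failures after credentials were supplied are interesting.
            if req and reason != "no credentials":
                failures[req[2]].append((req[0], req[1], reason))
            continue
        m = SAVED.search(line)
        if m and m["cid"] in requests:
            ts, user, ip, method = requests[m["cid"]]
            if method == "REGISTER":
                registrations.append((ts, user, ip))
    return failures, registrations


def multi_ip_registrations(registrations, window_s=300):
    """Subscribers registered from more than one source IP within window_s."""
    by_user = defaultdict(list)
    for ts, user, ip in registrations:
        by_user[user].append((ts, ip))
    alerts = {}
    for user, events in by_user.items():
        events.sort()
        for i, (t1, ip1) in enumerate(events):
            for t2, ip2 in events[i + 1:]:
                if (t2 - t1).total_seconds() > window_s:
                    break
                if ip1 != ip2:
                    alerts.setdefault(user, set()).update({ip1, ip2})
    return {user: sorted(ips) for user, ips in alerts.items()}


def analyze(lines, window_s=300):
    failures, registrations = parse(lines)
    return {
        "multi_ip": multi_ip_registrations(registrations, window_s),
        "failed_auth_ips": {ip: len(evts) for ip, evts in failures.items()},
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample this reports WS001A002 as registered from both 203.0.113.10 and 198.51.100.77 within the window, and one post-challenge failure ("invalid user") from 198.51.100.77. Run against the real file with `analyze(open("/var/log/ngcp/kamailio-proxy.log").read().splitlines())`, after checking that the entries are not line-wrapped as they are in the mail archive. Note the second host only shows up in "Security bans" logic if its failures cross a threshold; a single wrong user followed by a valid login for another subscriber never does, which is why a successful REGISTER from an unexpected IP is the signal to key on.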