[Spce-user] server hacked

Matthew Ogden matthew at tenacit.net
Mon Apr 29 06:16:56 EDT 2013


The interesting thing is the ATA is on an account with very limited
internet access (only access to my country). So this hacking IP would not
have been able to access it... I would have thought.

The hack was on the device as it turns out; they have another account on
there that was also abused.

It's Asterisk based. Although this is not an Asterisk forum, I highly value
the input from it, if any of you want to mail best practices to avoid this.
I'm still not sure how the device was hacked: the manager port is not
open, the web port is not open, only the SIP port.

Kind Regards

> -----Original Message-----
> From: spce-user-bounces at lists.sipwise.com On Behalf Of Skyler
> Sent: 27 April 2013 08:45 PM
> To: spce-user at lists.sipwise.com
> Subject: Re: [Spce-user] server hacked
>
> Only way I could see anyone 'getting' the password on a first/second
> attempt is if they actually gained access to the ATA and copied the
> password from there.
>
> Or, if you have http provisioning, maybe from there. I'd grep the mac and
> look for other IPs than the clients or yours which 200'd the cfg file.
>
>   The first failed auth was probably a bad copy/paste.
>
> For SSH, you should change the port and use denyhosts. From there you
> can copy the IPs into spce blocking if you wish as well.
>
> Skyler
>
> On 4/27/2013 3:37 AM, Matthew Ogden wrote:
> > The attack came from an A class that we allow, but actually isn’t in
> > our area. (the block is not continuous).
> >
> > SSH was being hammered as well from a different IP, but it never
> > authenticated, it stopped at Apr 26 19:25:18 spce sshd[31518]: Failed
> > password for root from then.
> >
> > I don’t understand why the IDs of the transactions are so much shorter
> > with no @.
> >
> > I also don’t understand, if they had compromised the system and knew
> > the authentication details, why would they first try to use the wrong
> > username? (Almost instantly followed by the right username). There
> > was a previous attempt before that did authenticate:
> >
> > Apr 26 19:41:54 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:sip.tenacit.net F=sip:WS001A002@sip.tenacit.net T=sip:WS001A002@sip.tenacit.net IP=198.38.93.188:10052 (127.0.0.1:5060) ID=cd730f13b37e5f53
> >
> > Apr 26 19:41:54 spce /usr/sbin/kamailio[2169]: INFO: <script>: Authentication failed, no credentials - R=sip:sip.tenacit.net ID=cd730f13b37e5f53
> >
> > Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: New request - M=REGISTER R=sip:sip.tenacit.net F=sip:WS001A002@sip.tenacit.net T=sip:WS001A002@sip.tenacit.net IP=198.38.93.188:10052 (127.0.0.1:5060) ID=cd730f13b37e5f53
> >
> > Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:sip.tenacit.net ID=cd730f13b37e5f53
> >
> > Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:sip.tenacit.net ID=cd730f13b37e5f53
> >
> > Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@sip.tenacit.net' - R=sip:sip.tenacit.net ID=cd730f13b37e5f53
> >
> > Apr 26 19:41:55 spce /usr/sbin/kamailio[2160]: INFO: <script>: Contacts successfully saved - R=sip:sip.tenacit.net ID=cd730f13b37e5f53
> >
> > 2 minutes before, the client device fails to get to the registration
> > part with credentials. Those credentials are still in the device (we
> > manage it).
> >
> > I seriously do not understand how this has taken place. But it appears
> > the 2 minutes before where the client device is failing to register
> > was part of the attack. Is there any sort of spoofing that can be used
> > to make the authentication details process packets land up somewhere
> > else?
> >
> > Would like to get to the bottom of how they got the password on their
> > first attempt, so any advice is greatly appreciated.
> >
> > From: Pedro Guillem [mailto:pedro.guillem at gmail.com]
> > Sent: 27 April 2013 12:05 AM
> > To: Matthew Ogden
> > Cc: spce-user
> > Subject: Re: [Spce-user] server hacked
> >
> > Creepy!
> >
> > You can always block the IP with iptables.. but that obviously will
> > not solve the problem.
> >
> > I'm very new at this, but:
> >
> > 1) have you tried limiting the IP addresses of your subscribers? Are
> > they dynamic?
> >
> > 2) Did you look at other logs? /var/log/auth.conf /var/log/messages to
> > seek for other vectors of attack?
> >
> > 3) Have you tried using mysql injection on the ngcp web sites? I'm
> > sure the sipwise folks did not miss something as essential as this,
> > but it's worth a try.
> >
> > 4) are your sip passwords strong enough?
> >
> > I would take it from there.
> >
> > Regards
> >
> > Pedro
> >
> > On Fri, Apr 26, 2013 at 4:55 PM, Matthew Ogden <matthew at tenacit.net> wrote:
> >
> > Hi
> >
> > My server has been hacked…. I’m not sure how.
> >
> > There were no IPs/Users in Security bans.
> >
> > Here is the proxy log. I’ve replaced my domain with <my domain> and the
> > real client IP (a dynamic IP) with <REAL CLIENT IP>. I’ve left the
> > hacker's IP in.
> >
> > root at spce:~# grep "Apr 26 19:42:3" /var/log/ngcp/kamailio-proxy.log
> >
> > Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
> >
> > Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
> >
> > Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=<REAL CLIENT IP>:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
> >
> > Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
> >
> > Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
> >
> > Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
> >
> > Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Contacts successfully saved - R=sip:<my domain> ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
> >
> > Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain> T=sip:WS001A004@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=ba701808665abe0f
> >
> > Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=ba701808665abe0f
> >
> > Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A004@<my domain> T=sip:WS001A004@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=ba701808665abe0f
> >
> > Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: Authentication failed, invalid user - R=sip:<my domain> ID=ba701808665abe0f
> >
> > Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=df4767364b3ca13b
> >
> > Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: Authentication failed, no credentials - R=sip:<my domain> ID=df4767364b3ca13b
> >
> > Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: New request - M=REGISTER R=sip:<my domain> F=sip:WS001A002@<my domain> T=sip:WS001A002@<my domain> IP=198.38.93.188:10053 (127.0.0.1:5060) ID=df4767364b3ca13b
> >
> > Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load prefs for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' - R=sip:<my domain> ID=df4767364b3ca13b
> >
> > Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: IP authorization not provisioned, allow registration - R=sip:<my domain> ID=df4767364b3ca13b
> >
> > Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Load caller preferences for uuid 'aa0c84b3-262e-47f9-9b0d-25890d34faa9' and domain part of uri 'sip:WS001A002@<my domain>' - R=sip:<my domain> ID=df4767364b3ca13b
> >
> > Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Contacts successfully saved - R=sip:<my domain> ID=df4767364b3ca13b
> >
> > Sincerely
> >
> >
> > _______________________________________________
> > Spce-user mailing list
> > Spce-user at lists.sipwise.com
> > http://lists.sipwise.com/listinfo/spce-user
> >
>
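As an added example, not code from the thread or from Sipwise, here is a Python script that automates the two checks the replies above suggest. It correlates kamailio-proxy.log REGISTER transactions by their ID field (the same ID appears on the unauthenticated request, the 401 challenge and the credentialed retry) and flags three things a defender would want to know about: a successful registration from outside the address range expected for that subscriber (what the "IP authorization not provisioned" line says the proxy is not enforcing here), one subscriber registering from two different addresses within a short window, and "invalid user" failures, which are username probes. It also does Skyler's grep: which addresses other than the client's own fetched a given MAC's provisioning file with an HTTP 200. The log lines, the example.net domain, the 203.0.113.x/198.51.100.x addresses, the MAC and the Apache combined-style access-log format are all constructed assumptions; the only real format it depends on is the INFO message layout visible in the quoted log.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines in the kamailio-proxy.log format quoted in the thread.
# Domain, client IP and foreign IP are made-up documentation-range values.
KAMAILIO_LOG = """\
Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: New request - M=REGISTER R=sip:example.net F=sip:WS001A002@example.net T=sip:WS001A002@example.net IP=203.0.113.10:5060 (127.0.0.1:5060) ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2159]: INFO: <script>: Authentication failed, no credentials - R=sip:example.net ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:30 spce /usr/sbin/kamailio[2165]: INFO: <script>: Contacts successfully saved - R=sip:example.net ID=63eea6a11c3d3a0c7658f4016b7edf08@0.0.0.0
Apr 26 19:42:31 spce /usr/sbin/kamailio[2166]: INFO: <script>: New request - M=REGISTER R=sip:example.net F=sip:WS001A004@example.net T=sip:WS001A004@example.net IP=198.51.100.7:10053 (127.0.0.1:5060) ID=ba701808665abe0f
Apr 26 19:42:31 spce /usr/sbin/kamailio[2161]: INFO: <script>: Authentication failed, invalid user - R=sip:example.net ID=ba701808665abe0f
Apr 26 19:42:32 spce /usr/sbin/kamailio[2169]: INFO: <script>: New request - M=REGISTER R=sip:example.net F=sip:WS001A002@example.net T=sip:WS001A002@example.net IP=198.51.100.7:10053 (127.0.0.1:5060) ID=df4767364b3ca13b
Apr 26 19:42:33 spce /usr/sbin/kamailio[2162]: INFO: <script>: Contacts successfully saved - R=sip:example.net ID=df4767364b3ca13b
"""

# "<ts> <host> <proc[pid]:> INFO: <script>: <message> - key=value ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+ INFO: <script>: (?P<msg>.*?) - (?P<kv>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_registrations(text):
    """Correlate the lines of each REGISTER transaction by its ID field.

    Returns one event per transaction: who, from which IP, and whether the
    proxy ended up saving a contact ("registered"), rejected an unknown
    username ("invalid_user") or never got past the 401 challenge ("pending").
    """
    events = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kv = dict(KV_RE.findall(m.group("kv")))
        tid, msg = kv.get("ID"), m.group("msg")
        if msg == "New request" and kv.get("M") == "REGISTER":
            user = kv["F"].split(":", 1)[1].split("@", 1)[0]   # sip:user@domain
            ip = kv["IP"].rsplit(":", 1)[0]                    # addr:port
            ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
            # The credentialed retry reuses the ID; keep the first request's time.
            events.setdefault(tid, {"ts": ts, "user": user, "ip": ip, "result": "pending"})
        elif tid in events:
            if msg == "Contacts successfully saved":
                events[tid]["result"] = "registered"
            elif msg == "Authentication failed, invalid user":
                events[tid]["result"] = "invalid_user"
    return list(events.values())


def audit(events, allowed_nets, window_seconds=300):
    """Flag registrations that contradict what is known about each subscriber."""
    alerts = []
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "registered":
            nets = [ip_network(n) for n in allowed_nets.get(ev["user"], [])]
            if nets and not any(ip_address(ev["ip"]) in n for n in nets):
                alerts.append(("unexpected_source", ev["user"], ev["ip"]))
            by_user[ev["user"]].append(ev)
        elif ev["result"] == "invalid_user":
            alerts.append(("invalid_user", ev["user"], ev["ip"]))
    # One account registering from two different addresses close together.
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            if a["ip"] != b["ip"] and (b["ts"] - a["ts"]).total_seconds() <= window_seconds:
                alerts.append(("multi_ip", user, (a["ip"], b["ip"])))
    return alerts


# Constructed HTTP provisioning access log (Apache combined-style, assumed format).
ACCESS_LOG = """\
203.0.113.10 - - [26/Apr/2013:09:12:44 +0200] "GET /prov/001122334455.cfg HTTP/1.1" 200 2048
198.51.100.7 - - [26/Apr/2013:19:39:58 +0200] "GET /prov/001122334455.cfg HTTP/1.1" 200 2048
198.51.100.7 - - [26/Apr/2013:19:39:59 +0200] "GET /prov/00aabbccddee.cfg HTTP/1.1" 404 210
"""
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def unexpected_cfg_fetches(text, mac, trusted_ips):
    """Addresses other than the client's own that downloaded this MAC's config (HTTP 200)."""
    hits = set()
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group("status") == "200" and mac.lower() in m.group("path").lower():
            if m.group("ip") not in trusted_ips:
                hits.add(m.group("ip"))
    return hits


if __name__ == "__main__":
    expected = {"WS001A002": ["203.0.113.0/24"], "WS001A004": ["203.0.113.0/24"]}
    for alert in audit(parse_registrations(KAMAILIO_LOG), expected):
        print(alert)
    print("cfg fetched by:", unexpected_cfg_fetches(ACCESS_LOG, "001122334455", {"203.0.113.10"}))
```

Run against the constructed sample it reports the same pattern the quoted log shows: the legitimate client registers from its own range, one second later a foreign address probes an unknown username, and a second later the same foreign address registers the real account, which trips both the unexpected-source and the multi-IP rule. On a live box the allowed-network map would come from what is provisioned per subscriber, and a registration that trips the first rule is the point at which to pull the SIP credentials from that account and look at who fetched its provisioning file.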



