Having your production Asterisk-based phone system hacked is no fun, as I have learned from first-hand experience over the past few days. Even the best of IT administrators taking ever security precaution in the book dreads the day their critical server gets hacked. You hope you've done everything possible to stop your servers from being hacked, but you are never 100% sure. There is always some hacker smarter than you, but more importantly, smarter than the best security practices you put in place. Hackers always seem to find a new hole to exploit.
Since I spent the last couple days poring through the Linux system logs and the Asterisk logs, I thought I'd do a detailed post-mortem for the benefit of other Asterisk users. Let us begin...
The first sign of trouble was a few months ago when our international calling was blocked by our service provider for suspicious international calls to Middle East countries. I investigated the Asterisk-based server for any SIP credentials that were easily attacked. There was only a couple of SIP credentials (test softphone accounts) with slightly easily guessed SIP credentials, however it didn't appear these accounts were using in the hacks since the CDR records didn't show these fraudulent calls as coming from these accounts. I changed the SIP passwords anyway just to be safe. To be double sure, I had technical support login to the box and make sure everything was secure. They did see some calls being made from the Asterisk CLI and technical support suggested I change the 'root' password, which I did even though it was a long password. They didn't see anything else out of the ordinary, but they obviously missed something since a month later we were hit again...
0 comments:
Post a Comment