TMCNet:  Hacked Asterisk PBX Update

[January 12, 2012]


Originally posted on VoIP & Gadgets Blog, here: http://blog.tmcnet.com/blog/tom-keating/asterisk/hacked-asterisk-pbx-update.asp.

I wanted to give an update to my Asterisk Hack Post-mortem article. By the way, I love this image of a hacker sporting a fedora in case you're wondering why I used it in both articles!

I found this interesting error in the logs:
zdump[27161]: error: Bind to port 10001 on 0.0.0.0 failed: Address already in use.


I knew zdump was a Linux command related to timezone stuff, but it shouldn't be taking a port. I found the zdump command:
[root]/var/log/bak2>ll /usr/bin/zdump
-rwxr-xr-x  1 root root 240512 Jan  6 13:36 /usr/bin/zdump


The date and time were roughly around the time of the hack. I attempted to run it (nothing to lose) by typing this command which should output various timezone information, but look at the output it gave me:
[root]/usr/bin/zdump>./zdump -v /etc/localtime
zdump: illegal option -- v
sshd version OpenSSH_5.4p1
Usage: zdump [options]
Options:
  -f file    Configuration file (default /usr/include/X11/.fonts/sshd_config)
  -d         Debugging mode (multiple -d means more debugging)
  -i         Started from inetd
  -D         Do not fork into daemon mode
  -t         Only test configuration file and keys
  -q         Quiet (no logging)
  -p port    Listen on the specified port (default: 22)
  -k seconds Regenerate server key every this many seconds (default: 3600)
  -g seconds Grace period for authentication (default: 600)
  -b bits    Size of server RSA key (default: 768 bits)
  -h file    File from which to read host key (default: /usr/include/X11/.fonts/ssh_host_key)
  -u len     Maximum hostname length for utmp recording
  -4         Use IPv4 only
  -6         Use IPv6 only
  -o option  Process the option as if it was read from a configuration file.


It's a friggin OpenSSH process! This allows an SSH session using port 10001 instead of 22. The hacker was setting up a backdoor, but chose a port that was already taken.

Now it really gets interesting.
Looking at the messages.x logs I saw this:
Jan  8 13:58:58 asterisk sshd[30940]: Failed password for root from ::ffff:204.145.81.138 port 38401 ssh2
Jan  8 13:58:58 asterisk sshd[30942]: Accepted password for PlcmSpIp from ::ffff:204.145.81.138 port 38418 ssh2


First 204.145.81.138 tried to authenticate as 'root'. After failing, its password was accepted for 'PlcmSpIp'. What the heck?

So I did a whois:
http://whatismyipaddress.com/ip/204.145.81.138

General IP Information
IP:    204.145.81.138
Decimal:    3432075658
Hostname:    welinknyc.dmarc.lga4.atlanticmetro.net
ISP:    Atlantic Metro Communications
Organization:    We Link Networks LLC
Services:    None detected
Type:    Corporate
Assignment:    Static IP

Not very useful info there, since it looks like an ISP. However, when I browse directly to the IP address:
http://204.145.81.138/

I see a company name called GoAutoDial. The description says "GoAutoDial is an enterprise grade open source call center system. Scalable to hundreds of seats and can utilize VoIP, ISDN or analog trunks. GoAutoDial (formerly VicidialNOW) is an enterprise grade open source predictive dialer system. It automatically installs Vicidial, Mysql, PHP, Asterisk, VtigerCRM and other components to have a fully functional open source predictive dialer system. It has out of the box support for Sangoma and Digium telephony hardware and is scalable to hundreds of seats."


Well, now that's interesting. An open source Asterisk predictive dialer? They obviously know Asterisk and they obviously know all about bulk dialing. Perhaps their business model is to crack Asterisk boxes and resell the minutes? I don't want to make any accusations without any cold hard facts, so I reached out to them via their support online form. There was no phone number to call them or I would have. I gave them 24 hours to respond but they never contacted me back.

This is not an admission of guilt on their part. For all I know their support person didn't know how to deal with my request to contact me regarding the hack coming from their IP address. Even still, the log file where I saw this IP address could have been modified to "frame" GoAutoDial. Though that's mighty fishy. Perhaps one of their servers was hacked and from one of their hacked boxes they jumped onto my Asterisk box over SSH.

Still, what are the odds that a company that uses Asterisk to run their business would get hacked and then log onto my box running Asterisk? I'd venture a guess that less than 1% of all Linux boxes run Asterisk, so the odds seem pretty small to me. Still, I'll give them the benefit of the doubt and if they reach out to me I'll be glad to update this article.

Now, more about this 'PlcmSpIp' account. When I was securing /etc/passwd yesterday I saw that it was set correctly, i.e. no bash login:

PlcmSpIp:x:99:99::/tftpboot:/sbin/nologin

I also saw it as the last line in the /etc/shadow file, so it does have a password:
PlcmSpIp:$1$1oQ4Yhar$x7uCjUCfPustrRQh9EFtQ1:15301:0:99999:7:::

I remembered coming across this username somewhere, so I googled it and it mentioned it's Polycom's default username and the password isn't randomized and that the password is simply 'PlcmSpIp'. I'll have to check to see if one of my other Asterisk boxes has this same hashed password.

But even if the hacker knew the default Polycom username & password (PlcmSpIp), I'm not sure how this Polycom account was able to SSH in since it didn't have bash access.

Did some more digging and saw some security alerts on PlcmSpIp:
http://www.mail-archive.com/sipx-users@list.sipfoundry.org/msg04452.html

http://www.thirdlane.com/forum/ftp

I might try temporarily setting this account to allow SSH login and try to authenticate using password="PlcmSpIp". Though that just proves Polycom sets this account to an easy default password. Still doesn't explain how they were able to SSH using this account. This could be a major security flaw if indeed you can gain bash access using Polycom's default credentials.
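As an added example (not the author's tooling), here is a small Python triage script that codifies the two signals this post walks through: an OpenSSH log message emitted under a program name other than sshd, as with the trojaned zdump, and an SSH password accepted for an account whose /etc/passwd shell is /sbin/nologin, as with PlcmSpIp. The log lines and passwd entries are constructed to mirror the excerpts quoted above; the timestamp on the zdump line is invented.

```python
# Added example (not the author's tooling): the two detections the post
# describes, run over constructed log lines that mirror the quoted excerpts.
import re

# syslog: "Jan  8 13:58:58 host prog[pid]: message"
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[^\[\s]+)\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Accepted|Failed) password for (?P<user>\S+) "
                     r"from (?:::ffff:)?(?P<ip>\S+) port \d+ ssh2$")
BIND_RE = re.compile(r"^error: Bind to port \d+ on \S+ failed")
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def nologin_accounts(passwd_lines):
    """Usernames whose /etc/passwd login shell is non-interactive."""
    fields = (line.strip().split(":") for line in passwd_lines)
    return {f[0] for f in fields if len(f) == 7 and f[6] in NOLOGIN_SHELLS}

def triage(log_lines, passwd_lines):
    """Return (finding, detail) pairs for the patterns seen on the hacked box."""
    locked, failed_root_ips, findings = nologin_accounts(passwd_lines), set(), []
    for line in log_lines:
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue
        prog, msg = m.group("prog"), m.group("msg")
        a = AUTH_RE.match(msg)
        # OpenSSH's own bind-failure text logged under a name other than sshd:
        # a renamed sshd binary, like the trojaned /usr/bin/zdump.
        if prog != "sshd" and BIND_RE.match(msg):
            findings.append(("sshd_message_from_foreign_binary", prog))
        elif prog == "sshd" and a and a["result"] == "Failed" and a["user"] == "root":
            failed_root_ips.add(a["ip"])
        elif prog == "sshd" and a and a["result"] == "Accepted":
            user, ip = a["user"], a["ip"]
            if user in locked:  # nologin shell, yet sshd accepted the password
                findings.append(("accepted_login_for_nologin_account", f"{user}@{ip}"))
            if ip in failed_root_ips:  # root guess, then success as another account
                findings.append(("accepted_after_failed_root_same_ip", f"{user}@{ip}"))
    return findings

# Constructed sample data modelled on the article's excerpts (zdump timestamp invented).
SAMPLE_LOG = [
    "Jan  8 13:58:58 asterisk sshd[30940]: Failed password for root from ::ffff:204.145.81.138 port 38401 ssh2",
    "Jan  8 13:58:58 asterisk sshd[30942]: Accepted password for PlcmSpIp from ::ffff:204.145.81.138 port 38418 ssh2",
    "Jan  8 14:02:11 asterisk zdump[27161]: error: Bind to port 10001 on 0.0.0.0 failed: Address already in use.",
]
SAMPLE_PASSWD = ["root:x:0:0:root:/root:/bin/bash", "PlcmSpIp:x:99:99::/tftpboot:/sbin/nologin"]
```

Running `triage(SAMPLE_LOG, SAMPLE_PASSWD)` flags the PlcmSpIp login twice (nologin account, and success right after a failed root attempt from the same address) and the zdump bind error once.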

Stay tuned for more updates...

