Hacked Asterisk PBX Update
Originally posted on VoIP & Gadgets Blog, here: http://blog.tmcnet.com/blog/tom-keating/asterisk/hacked-asterisk-pbx-update.asp.
I wanted to give an update to my Asterisk Hack Post-mortem article. By the way, I love this image of a hacker sporting a fedora in case you're wondering why I used it in both articles!
I found this interesting error in the logs:

zdump[27161]: error: Bind to port 10001 on 0.0.0.0 failed: Address already in use.

I knew zdump was a Linux command related to timezone stuff, but it shouldn't be taking a port. I found the zdump command:

[root]/var/log/bak2>ll /usr/bin/zdump
-rwxr-xr-x 1 root root 240512 Jan 6 13:36 /usr/bin/zdump
The date and time were roughly around the time of the hack. I attempted to run it (nothing to lose) by typing this command, which should output various timezone information, but look at the output it gave me:

[root]/usr/bin/zdump>./zdump -v /etc/localtime
zdump: illegal option -- v
sshd version OpenSSH_5.4p1
Usage: zdump [options]
Options:
  -f file    Configuration file (default /usr/include/X11/.fonts/sshd_config)
  -d         Debugging mode (multiple -d means more debugging)
  -i         Started from inetd
  -D         Do not fork into daemon mode
  -t         Only test configuration file and keys
  -q         Quiet (no logging)
  -p port    Listen on the specified port (default: 22)
  -k seconds Regenerate server key every this many seconds (default: 3600)
  -g seconds Grace period for authentication (default: 600)
  -b bits    Size of server RSA key (default: 768 bits)
  -h file    File from which to read host key (default: /usr/include/X11/.fonts/ssh_host_key)
  -u len     Maximum hostname length for utmp recording
  -4         Use IPv4 only
  -6         Use IPv6 only
  -o option  Process the option as if it was read from a configuration file.
It's a friggin OpenSSH process! This allows an SSH session using port 10001 instead of 22. The hacker was setting up a backdoor, but chose a port that was already taken.
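A renamed sshd gives itself away exactly the way it did here: the usage text and default paths are still inside the binary. The following script is an added example (not code from the original post) that sweeps a directory for executables which carry OpenSSH server strings but are not named like any OpenSSH tool, and reports their modification time so you can line it up with the suspected compromise window. The marker strings, the allowlist of expected names, and the sample "zdump" it builds in a temporary directory are all my own constructions for the demo.

```python
import os
import stat
import tempfile
from datetime import datetime, timezone

# Strings an OpenSSH server binary carries no matter what file name it is given.
# (Constructed list; extend it with anything else you see in a known-good sshd.)
SSHD_MARKERS = (b"OpenSSH_", b"sshd_config", b"ssh_host_key")

# File names under which OpenSSH strings are legitimately expected.
EXPECTED_NAMES = {"sshd", "ssh", "ssh-keygen", "ssh-agent", "ssh-add",
                  "ssh-keyscan", "sftp-server", "scp", "sftp"}


def sshd_markers_in(path):
    """Return the sorted list of SSHD_MARKERS found in the file's bytes."""
    with open(path, "rb") as f:
        data = f.read()
    return sorted(m.decode() for m in SSHD_MARKERS if m in data)


def scan_directory(directory, since=None):
    """Flag executables that embed OpenSSH strings but are not named like OpenSSH tools.

    `since` (an aware datetime, optional) marks whether each hit was modified on or after
    that time, which ties a find to a known compromise window.
    """
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        # Only regular files with the owner-execute bit are of interest.
        if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IXUSR:
            continue
        if name in EXPECTED_NAMES:
            continue
        markers = sshd_markers_in(path)
        if not markers:
            continue
        mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
        findings.append({
            "path": path,
            "markers": markers,
            "mtime": mtime.isoformat(),
            "in_window": bool(since is not None and mtime >= since),
        })
    return findings


def make_demo_dir():
    """Constructed sample: a fake 'zdump' embedding sshd strings next to a harmless 'date'."""
    d = tempfile.mkdtemp(prefix="bin-audit-")
    fake = os.path.join(d, "zdump")
    with open(fake, "wb") as f:
        f.write(b"\x7fELF...sshd version OpenSSH_5.4p1\0"
                b"/usr/include/X11/.fonts/sshd_config\0")
    os.chmod(fake, 0o755)
    benign = os.path.join(d, "date")
    with open(benign, "wb") as f:
        f.write(b"\x7fELF...prints the current date\0")
    os.chmod(benign, 0o755)
    return d


if __name__ == "__main__":
    # On a real box you would point this at /usr/bin, /usr/sbin, /tmp and so on.
    for hit in scan_directory(make_demo_dir()):
        print(hit)
```

This is a string match, not a verdict: confirm a hit by comparing the file against the package manager's copy (for example `rpm -V openssh-server` on an RPM-based system) before acting on it.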
Now it really gets interesting. Looking at the message.x logs I saw this:

Jan 8 13:58:58 asterisk sshd[30940]: Failed password for root from ::ffff:204.145.81.138 port 38401 ssh2
Jan 8 13:58:58 asterisk sshd[30942]: Accepted password for PlcmSpIp from ::ffff:204.145.81.138 port 38418 ssh2
First 204.145.81.138 tried to authenticate as 'root'. After failing, its password was accepted for 'PlcmSpIp'. What the heck?
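Both clues in this post are things a log rule can catch: a "Bind to port ... failed" error from a process that has no business listening, and an "Accepted password" from an address that had just failed as root. The script below is an added example (not the author's code) that runs those two checks over the lines quoted above; the timestamp on the zdump line and the year are my assumptions, since the post quotes that line without a date. One caveat worth knowing when reading the second hit: sshd writes "Accepted password" as soon as authentication succeeds, before the user's login shell is started, so that line by itself does not prove the attacker got an interactive shell.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the three lines quoted in the post. The timestamp on the zdump
# line is assumed (the post shows it without one) and the year is assumed to be 2012.
SAMPLE_LOG = """\
Jan  6 13:40:02 asterisk zdump[27161]: error: Bind to port 10001 on 0.0.0.0 failed: Address already in use.
Jan  8 13:58:58 asterisk sshd[30940]: Failed password for root from ::ffff:204.145.81.138 port 38401 ssh2
Jan  8 13:58:58 asterisk sshd[30942]: Accepted password for PlcmSpIp from ::ffff:204.145.81.138 port 38418 ssh2
"""

# Classic syslog layout: "Mon DD HH:MM:SS host proc[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?:::ffff:)?(?P<ip>[\d.]+) port \d+"
)
BIND_RE = re.compile(r"Bind to port (?P<port>\d+) on \S+ failed")

# Processes that may legitimately bind listening sockets on this host (assumed allowlist).
NETWORK_DAEMONS = {"sshd", "asterisk", "httpd", "named", "ntpd"}


def parse_ts(ts, year):
    """Syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def triage(log_text, year=2012, window=timedelta(minutes=10)):
    """Return alerts for (a) bind errors from non-daemon processes and
    (b) an accepted SSH password from an IP that failed a login within `window`."""
    alerts = []
    failures = {}  # ip -> list of (timestamp, username) for failed logins
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"], year)
        proc, msg = m["proc"], m["msg"]

        b = BIND_RE.search(msg)
        if b and proc not in NETWORK_DAEMONS:
            alerts.append(("unexpected_listener", proc, int(b["port"])))

        a = AUTH_RE.match(msg)
        if not a or proc != "sshd":
            continue
        ip, user = a["ip"], a["user"]
        if a["result"] == "Failed":
            failures.setdefault(ip, []).append((ts, user))
        else:
            # Which users did this IP fail as, shortly before it got in?
            recent = [u for t, u in failures.get(ip, []) if ts - t <= window]
            if recent:
                alerts.append(("success_after_failures", ip, user, recent))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The same two rules translate directly into whatever log pipeline you use (a syslog watcher, fail2ban-style filters, or a SIEM correlation rule keyed on source IP).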
So I did a whois: http://whatismyipaddress.com/ip/204.145.81.138
General IP Information
IP: 204.145.81.138
Decimal: 3432075658
Hostname: welinknyc.dmarc.lga4.atlanticmetro.net
ISP: Atlantic Metro Communications
Organization: We Link Networks LLC
Services: None detected
Type: Corporate
Assignment: Static IP
Not very useful info there, since it looks like an ISP. However, when I browse directly to the IP address: http://204.145.81.138/
I see a company name called GoAutoDial. The description says "GoAutoDial is an enterprise grade open source call center system. Scalable to hundreds of seats and can utilize VoIP, ISDN or analog trunks. GoAutoDial (formerly VicidialNOW) is an enterprise grade open source predictive dialer system. It automatically installs Vicidial, Mysql, PHP, Asterisk, VtigerCRM and other components to have a fully functional open source predictive dialer system. It has out of the box support for Sangoma and Digium telephony hardware and is scalable to hundreds of seats."
Well, now that's interesting. An open source Asterisk predictive dialer? They obviously know Asterisk and they obviously know all about bulk dialing. Perhaps their business model is to crack Asterisk boxes and resell the minutes? I don't want to make any accusations without any cold hard facts, so I reached out to them via their support online form. There was no phone number to call them or I would have. I gave them 24 hours to respond but they never contacted me back.
This is not an admission of guilt on their part. For all I know their support person didn't know how to deal with my request to contact me regarding the hack coming from their IP address. Even still, the log file where I saw this IP address could have been modified to "frame" GoAutoDial. Though that's mighty fishy. Perhaps one of their servers was hacked and from one of their hacked boxes they jumped onto my Asterisk box over SSH.
Still, what are the odds that a company that uses Asterisk to run their business would get hacked and then log onto my box running Asterisk? I'd venture a guess that less than 1% of all Linux boxes run Asterisk, so the odds seem pretty small to me. Still, I'll give them the benefit of the doubt and if they reach out to me I'll be glad to update this article.
Now, more about this 'PlcmSpIp' account. When I was securing /etc/passwd yesterday I saw that it was set correctly, i.e. no bash login:
PlcmSpIp:x:99:99::/tftpboot:/sbin/nologin
I also saw it as the last line in the /etc/shadow file, so it does have a password:

PlcmSpIp:$1$1oQ4Yhar$x7uCjUCfPustrRQh9EFtQ1:15301:0:99999:7:::

I remembered coming across this username somewhere, so I googled it. It's Polycom's default username, the password isn't randomized, and the password is simply 'PlcmSpIp'. I'll have to check to see if one of my other Asterisk boxes has this same hashed password.
But even if the hacker knew the default Polycom username & password (PlcmSpIp), I'm not sure how this Polycom account was able to SSH in since it didn't have bash access.
Did some more digging and saw some security alerts on PlcmSpIp: http://www.mail-archive.com/[email protected]/msg04452.html
http://www.thirdlane.com/forum/ftp
I might try temporarily setting this account to allow SSH login and try to authenticate using password="PlcmSpIp". Though that just proves Polycom sets this account to an easy default password. It still doesn't explain how they were able to SSH using this account. This could be a major security flaw if indeed you can gain bash access using Polycom's default credentials.
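The check the author wants to run on his other boxes, and the thing that made this account risky in the first place (a non-login shell combined with a live password hash), can be audited from /etc/passwd and /etc/shadow without trying to log in at all. The script below is an added example, not code from the original post: it pairs the two files, flags accounts whose shell is a nologin shell yet whose shadow field still holds an active hash (anything not empty and not starting with "!" or "*"), and flags known vendor provisioning accounts with an active password. The passwd and shadow fragments are constructed samples built around the PlcmSpIp lines quoted in the post; the root hash in the sample is a placeholder, and the list of vendor accounts contains only the one named here.

```python
# Constructed sample files. The PlcmSpIp lines are the ones quoted in the post;
# the root hash is a placeholder, not a real value.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
asterisk:x:100:100::/var/lib/asterisk:/sbin/nologin
PlcmSpIp:x:99:99::/tftpboot:/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$1$PLACEHOLDERSALT$PLACEHOLDERHASH:15301:0:99999:7:::
asterisk:!!:15301:0:99999:7:::
PlcmSpIp:$1$1oQ4Yhar$x7uCjUCfPustrRQh9EFtQ1:15301:0:99999:7:::
"""

NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
# Vendor provisioning accounts known to ship with a fixed password (assumed list; only the
# Polycom account named in the post is included).
VENDOR_DEFAULT_ACCOUNTS = {"PlcmSpIp"}


def parse_colon_file(text):
    """Map username -> list of fields for a passwd/shadow-style file."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        rows[fields[0]] = fields
    return rows


def hash_is_active(field):
    """A shadow password field that is empty or starts with '!' or '*' cannot authenticate."""
    return bool(field) and field[0] not in "!*"


def audit_accounts(passwd_text, shadow_text):
    """Return [(username, [reasons])] for accounts that deserve a look."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for user, fields in passwd.items():
        shell = fields[6]
        password_field = shadow.get(user, [user, ""])[1]
        active = hash_is_active(password_field)
        reasons = []
        if user in VENDOR_DEFAULT_ACCOUNTS and active:
            reasons.append("vendor default account with an active password")
        if shell in NON_LOGIN_SHELLS and active:
            reasons.append("non-login shell, but password authentication is still possible")
        if not password_field:
            reasons.append("empty or missing shadow password field")
        if reasons:
            findings.append((user, reasons))
    return findings


if __name__ == "__main__":
    # On a real system read /etc/passwd and /etc/shadow (as root) instead of the samples.
    for user, reasons in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(user, "->", "; ".join(reasons))
```

For a provisioning account like this one the fix is to lock the password rather than rely on the shell (`passwd -l PlcmSpIp`), and, if the box must run sshd at all, to restrict who may log in with `AllowUsers` in sshd_config. A nologin shell only ends the session after sshd has already accepted the password.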
Stay tuned for more updates...
Tags: asterisk, hack, hacker, openssh, PlcmSpIp, polycom, ssh, voip, zdump