SOLVED Possible Hack in FusionPBX

Status
Not open for further replies.

bazket

New Member
Jun 23, 2018
Hi all,

Today I got these under the CDR reports.
Luckily, I have not set any routing hence it didn't go through.
Is my FusionPBX server compromised?

Kindly help to advise how to prevent those hacks.
The censored portion is my server IP. It looks like SQL injection with OR syntax.

BTW, is there any tutorial / script / tool to allow only certain countries to access my FusionPBX server, plus Fail2Ban?

Kindly help.
Thank you guys...

1529750630007.png
 

Incubugs

Member
Apr 7, 2018
Yes, looks like you have been hacked to me. Have you changed the FreeSWITCH password from ClueCon? Next, have you used easy passwords for users, and also have you locked down the ACL? Have you opened your SQL ports or SSH to the internet?
 

s1766333

New Member
Dec 2, 2017
Today this is a common attack. SQL injection protection was improved in all lua scripts in FusionPBX 4.2.1. Check your version of FusionPBX on the dashboard or status -> system status page. If your version is newer than that you should be fine.

"Have you changed the freeswitch password from cluecon."
Event socket listens only on 127.0.0.1 by default. If you change the IP address event socket uses then changing the password is important.
 

bazket

New Member
Jun 23, 2018
Hi all,

Thanks for the feedback. I used a strong password, minimum 8 characters long, with a combination of characters as well.
Fail2ban is also in place.

1. Based on the CDR, did the hacker manage to get access to my server to call without authentication? Or is it just a brute-forcing attempt to break into my server with a MySQL injection technique? The server version is 4.2.5, but I got the same log from a 4.4 server also.

2. Where is the location of event_socket.conf.xml in Fusion? I tried Google to change the FreeSWITCH password, but it seems the directory structure is different. Please help with a quick guide on how to change the password properly.

3. Any solution for GeoIP location to allow only 1 country to access my server with fail2ban still in place? I read a tutorial and can only manage to choose either one. GeoIP works by blocking all first and allowing a few IP ranges, while fail2ban works the other way: allow all, then block selected IPs for brute-force attempts. Any way to combine both systems?

Thank you.
 

bazket

New Member
Jun 23, 2018
I changed it here; is it correct? /etc/freeswitch/autoload_configs/event_socket.conf.xml

It is localhost 127.0.0.1 and the password was ClueCon. So is this how the hacker got in?

<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="127.0.0.1"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"/>
    <!--<param name="apply-inbound-acl" value="lan"/>-->
  </settings>
</configuration>
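The two settings the replies above turn on, the listen address and the password, are easy to check mechanically. The script below is an added example, not code from the thread or the FreeSWITCH project: it reads an event_socket.conf.xml, reports a non-loopback listen-ip, the default ClueCon password, and a missing apply-inbound-acl when the socket is not bound to localhost. The default password and the file path are the ones named in the thread; the two sample files it audits are constructed here (a weak one and a hardened one), and the assumption that commented-out params sit on a single line is this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeSWITCH project: audit an
# event_socket.conf.xml for the settings discussed above (listen-ip, password,
# apply-inbound-acl). "ClueCon" is the FreeSWITCH default password named in
# the thread; everything else here is this example's assumption.

# Extract one <param name="..." value="..."/> value from the file. Lines holding
# "<!--" are dropped first, so a commented-out (disabled) param is not read as
# live. Assumption: comments do not span lines, as in the file posted above.
param_value() {
  sed -n '/<!--/d; s/.*<param name="'"$1"'" value="\([^"]*\)".*/\1/p' "$2" | head -n 1
}

# Print one finding per line; return 0 when there is nothing to report.
audit_event_socket() {
  f=$1
  ip=$(param_value listen-ip "$f")
  pw=$(param_value password "$f")
  acl=$(param_value apply-inbound-acl "$f")
  rc=0
  case $ip in
    127.0.0.1|::1) ;;
    *) echo "listen-ip is $ip: event socket reachable beyond localhost"; rc=1 ;;
  esac
  if [ "$pw" = "ClueCon" ]; then
    echo "password is the FreeSWITCH default ClueCon"; rc=1
  fi
  if [ -z "$acl" ] && [ "$ip" != "127.0.0.1" ] && [ "$ip" != "::1" ]; then
    echo "no apply-inbound-acl while listening on $ip"; rc=1
  fi
  return $rc
}

# Constructed sample files (not real server config) for a stand-alone run.
SAMPLE_DIR=$(mktemp -d)

# Weak: bound to every interface, default password, ACL still commented out.
cat > "$SAMPLE_DIR/weak.xml" <<'EOF'
<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="0.0.0.0"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
    <!--<param name="apply-inbound-acl" value="lan"/>-->
  </settings>
</configuration>
EOF

# Hardened: loopback only and a replaced password (placeholder value).
cat > "$SAMPLE_DIR/ok.xml" <<'EOF'
<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="listen-ip" value="127.0.0.1"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="replace-with-a-long-random-secret"/>
  </settings>
</configuration>
EOF

for f in weak ok; do
  echo "== $f.xml"
  audit_event_socket "$SAMPLE_DIR/$f.xml" || echo "(findings above)"
done
```

Run it against the real file with `audit_event_socket /etc/freeswitch/autoload_configs/event_socket.conf.xml`; a non-zero exit status means at least one finding, which makes it usable from a cron job or a configuration check.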
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
You cannot say this is a hack in any way, shape or form. Click the eyeball at the end of one of the rows and then post the information in there; these could simply be hitting port 5080 and be coming in as inbound.
 

bazket

New Member
Jun 23, 2018
Hi DigitalDaz,

Thanks for your reply.

Below are the details. I give 2 examples.
I changed my public IP to 111.111.111.111 as censored.

1 hacker uses some kind of SQL injection in the caller ID: "a''or''s=s--@111.111.111.111>" >
However, another one uses just a normal one: "111128411468" <111128411468>

Both seem able to bypass the authentication and make calls.

It seems the hacker is using the external profile. Any way to prevent this from happening?
I see there is accept-blind-auth = true in the internal profile but none in the external profile. Is this the cause?

I have fail2ban in place, but it seems the hacker manages to bypass the authentication.

Thanks.

Code:
Summary  
Direction    Name    Number    Destination    Start    End    Duration    Status
inbound    111128411468    111128411468    900442080503039    2018-06-24 16:48:23    2018-06-24 16:48:23    0    NO_ROUTE_DESTINATION


Channel Data  
Name    Value
caps     1=1;2=1;3=1;4=1;5=1;6=1
flags     0=1;38=1;40=1;53=1;112=1
state     CS_REPORTING
direction     inbound
state_number     11


Variables  
Name    Value
uuid    07bbcc47-777f-45c6-815b-d5729da9d685
billsec    0
waitsec    0
billmsec    0
billusec    0
duration    0
waitmsec    0
waitusec    0
answersec    0
call_uuid    07bbcc47-777f-45c6-815b-d5729da9d685
caller_id    "111128411468" <111128411468>
direction    inbound
dtmf_type    rfc2833
end_epoch    1529833703
end_stamp    2018-06-24 16:48:23
mduration    40
read_rate    16000
sip_allow    INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBE
uduration    39961
answermsec    0
answerusec    0
end_uepoch    1529833703570902
read_codec    G722
session_id    7
sip_to_uri    900442080503039@111.111.111.111:5080
write_rate    16000
progresssec    0
sip_call_id    F3SaFaciiXo3NvHmczj7bi..
sip_full_to  
sip_req_uri    900442080503039@111.111.111.111:5080
sip_to_host    111.111.111.111
sip_to_port    5080
sip_to_user    900442080503039
start_epoch    1529833703
start_stamp    2018-06-24 16:48:23
write_codec    G722
answer_epoch    0
bridge_epoch    0
channel_name    sofia/external/111128411468@217.182.197.186:5060
flow_billsec    0
hangup_cause    NO_ROUTE_DESTINATION
max_forwards    70
progressmsec    0
progressusec    0
sip_from_tag    phdkennd
sip_from_uri    111128411468@217.182.197.186:5060
sip_full_via    SIP/2.0/UDP 217.182.197.186:5060;branch=z9hG4bK-895019-1---sud3d1qnldlhbmqx;rport=5060
sip_req_host    111.111.111.111
sip_req_port    5080
sip_req_user    900442080503039
sip_via_host    217.182.197.186
sip_via_port    5060
start_uepoch    1529833703530941
switch_r_sdp    v=0 o=Z 0 0 IN IP4 217.182.197.186 s=Z c=IN IP4 217.182.197.186 t=0 0 m=audio 8000 RTP/AVP 106 9 18 3 111 0 8 97 110 112 98 101 100 99 102 a=rtpmap:106 opus/48000/2 a=fmtp:106 minptime=20; cbr=1; maxaveragebitrate=40000; useinbandfec=1 a=rtpmap:18 G729/8000 a=fmtp:18 annexb=no a=rtpmap:111 speex/16000 a=rtpmap:97 iLBC/8000 a=fmtp:97 mode=20 a=rtpmap:110 speex/8000 a=rtpmap:112 speex/32000 a=rtpmap:98 telephone-event/48000 a=fmtp:98 0-16 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-16 a=rtpmap:100 telephone-event/16000 a=fmtp:100 0-16 a=rtpmap:99 telephone-event/32000 a=fmtp:99 0-16 a=rtpmap:102 G726-32/8000
answer_uepoch    0
bridge_uepoch    0
flow_billmsec    0
flow_billusec    0
hold_accum_ms    0
sip_from_host    217.182.197.186
sip_from_port    5060
sip_from_user    111128411468
sip_full_from    ;tag=phdkennd
sip_to_params    transport=UDP
sip_via_rport    5060
progress_epoch    0
sip_network_ip    217.182.197.186
sip_req_params    transport=UDP
sip_user_agent    M 5.2.19 rv3.8.95
ep_codec_string    mod_spandsp.G722@8000h@20i@64000b,mod_g729.G729@8000h@20i@8000b,mod_spandsp.GSM@8000h@20i@13200b,CORE_PCM_MODULE.PCMU@8000h@20i@64000b,CORE_PCM_MODULE.PCMA@8000h@20i@64000b
hold_accum_usec    0
last_hold_epoch    0
progress_uepoch    0
remote_media_ip    217.182.197.186
resurrect_epoch    0
sip_contact_uri    111128411468@217.182.197.186:5060
sip_from_params    transport=UDP
sip_received_ip    217.182.197.186
audio_media_flow    sendrecv
last_hold_uepoch    0
resurrect_uepoch    0
sip_contact_host    217.182.197.186
sip_contact_port    5060
sip_contact_user    111128411468
sip_invite_stamp    1529833703530941
sip_network_port    5060
sip_via_protocol    udp
video_media_flow    sendrecv
hangup_cause_q850    3
progress_mediasec    0
remote_media_port    8000
rtp_audio_recv_pt    9
sip_received_port    5060
hold_accum_seconds    0
original_read_rate    16000
progress_mediamsec    0
progress_mediausec    0
rtp_use_codec_name    G722
rtp_use_codec_rate    8000
sip_contact_params    transport=UDP
sofia_profile_name    external
original_read_codec    G722
profile_start_epoch    1529833703
profile_start_stamp    2018-06-24 16:48:23
rtp_use_codec_ptime    20
endpoint_disposition    RECEIVED
profile_start_uepoch    1529833703530941
progress_media_epoch    0
rtp_use_codec_string    G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM,G729
progress_media_uepoch    0
recovery_profile_name    external
rtp_use_codec_channels    1
sip_from_user_stripped    111128411468
sip_hangup_disposition    send_refuse
sip_local_network_addr    111.111.111.111
rtp_last_audio_codec_string    G722@8000h@20i@1c


Application Log  
Name    Data


Call Flow: Attributes  
Name    Value
dialplan     XML
unique-id     f88cc4bc-d383-4ed2-8797-766a99c63713
profile_index     1


Call Flow: Extension: Attributes  
Name    Value


Call Flow: Extension: Application  
Name    Data


Call Flow: Caller Profile  
Name    Value
ani     111128411468
uuid     07bbcc47-777f-45c6-815b-d5729da9d685
aniii  
rdnis  
source     mod_sofia
context     public
dialplan     XML
username     111128411468
chan_name     sofia/external/111128411468@217.182.197.186:5060
network_addr     217.182.197.186
callee_id_name  
caller_id_name     111128411468
callee_id_number  
caller_id_number     111128411468
destination_number     900442080503039


Call Flow: Times  
Name    Value
hangup_time     1529833703570902
bridged_time     0
created_time     1529833703530941
answered_time     0
progress_time     0
transfer_time     0
last_hold_time     0
resurrect_time     0
hold_accum_time     0
progress_media_time     0
profile_created_time     1529833703530941


Code:
Call Details
A detailed view of the call and all information regarding it. The information contains caller id name and number, channel data, Call variables, call flow, timing information, and other useful call details.


Summary  
Direction    Name    Number    Destination    Start    End    Duration    Status
inbound    a''''or''''s=s--@111.111.111.111>    a''''or''''s=s--@111.111.111.111>    2442821788114    2018-06-21 07:08:32    2018-06-21 07:08:32    0    NORMAL_CLEARING


Channel Data  
Name    Value
caps     1=1;2=1;3=1;4=1;5=1;6=1
flags     0=1;38=1;40=1;53=1;113=1
state     CS_REPORTING
direction     inbound
state_number     11


Variables  
Name    Value
uuid    403aa371-0bba-435d-a3e9-e96f356ee04c
billsec    0
waitsec    0
billmsec    0
billusec    0
duration    0
last_app    log
last_arg    [inbound routes] 404 not found 23.247.30.11
waitmsec    0
waitusec    0
answersec    0
call_uuid    403aa371-0bba-435d-a3e9-e96f356ee04c
caller_id    "a''or''s=s--@111.111.111.111>" >
direction    inbound
dtmf_type    rfc2833
end_epoch    1529539712
end_stamp    2018-06-21 07:08:32
mduration    20
read_rate    8000
sip_allow    INVITE, ACK, CANCEL, BYE
uduration    19977
answermsec    0
answerusec    0
end_uepoch    1529539712414448
read_codec    G729
session_id    1061
sip_to_uri    2442821788114@111.111.111.111
write_rate    8000
export_vars    call_direction,call_direction
progresssec    0
sip_call_id    73ba361d9891c54fd5b0b6665e70e3a6
sip_full_to    2442821788114
sip_req_uri    2442821788114@111.111.111.111:5080
sip_to_host    111.111.111.111
sip_to_user    2442821788114
start_epoch    1529539712
start_stamp    2018-06-21 07:08:32
write_codec    G729
answer_epoch    0
bridge_epoch    0
channel_name    sofia/external/a''or''s=s--@111.111.111.111>@nowhere
flow_billsec    0
hangup_cause    NORMAL_CLEARING
max_forwards    70
progressmsec    0
progressusec    0
sip_from_tag    2b2a1011
sip_from_uri    a''or''s=s--@111.111.111.111>@nowhere
sip_full_via    SIP/2.0/UDP 23.247.30.11:5071;branch=z9hG4bK-73ba361d9891c54fd5b0b6665e70e3a6;rport=5071
sip_req_host    111.111.111.111
sip_req_port    5080
sip_req_user    2442821788114
sip_via_host    23.247.30.11
sip_via_port    5071
start_uepoch    1529539712394471
switch_r_sdp    v=0 o=sipcli-Session 191655062 1813621958 IN IP4 23.247.30.11 s=sipcli c=IN IP4 23.247.30.11 t=0 0 m=audio 5073 RTP/AVP 18 0 8 101 a=rtpmap:18 G729/8000 a=rtpmap:0 PCMU/8000 a=rtpmap:8 PCMA/8000 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-15 a=ptime:20
answer_uepoch    0
bridge_uepoch    0
flow_billmsec    0
flow_billusec    0
hold_accum_ms    0
sip_from_host    nowhere
sip_from_user    a''or''s=s--@111.111.111.111>
sip_full_from    a''or''s=s--;tag=2b2a1011
sip_via_rport    5071
call_direction    inbound
caller_id_name    a''or''s=s--@111.111.111.111>
progress_epoch    0
sip_network_ip    23.247.30.11
sip_to_display    2442821788114
sip_user_agent    FreePBX 1.8
ep_codec_string    mod_g729.G729@8000h@20i@8000b,CORE_PCM_MODULE.PCMU@8000h@20i@64000b,CORE_PCM_MODULE.PCMA@8000h@20i@64000b
hold_accum_usec    0
last_hold_epoch    0
progress_uepoch    0
remote_media_ip    23.247.30.11
resurrect_epoch    0
sip_contact_uri    a''or''s=s--@23.247.30.11:5071
sip_received_ip    23.247.30.11
audio_media_flow    sendrecv
caller_id_number    a''or''s=s--@111.111.111.111>
last_hold_uepoch    0
resurrect_uepoch    0
sip_contact_host    23.247.30.11
sip_contact_port    5071
sip_contact_user    a''or''s=s--
sip_invite_stamp    1529539712394471
sip_network_port    5071
sip_via_protocol    udp
video_media_flow    sendrecv
hangup_cause_q850    16
progress_mediasec    0
remote_media_port    5073
rtp_audio_recv_pt    18
sip_received_port    5071
caller_destination    2442821788114
hold_accum_seconds    0
original_read_rate    8000
progress_mediamsec    0
progress_mediausec    0
rtp_use_codec_name    G729
rtp_use_codec_rate    8000
sofia_profile_name    external
current_application    log
original_read_codec    G729
profile_start_epoch    1529539712
profile_start_stamp    2018-06-21 07:08:32
rtp_use_codec_ptime    20
endpoint_disposition    RECEIVED
profile_start_uepoch    1529539712394471
progress_media_epoch    0
rtp_use_codec_string    G7221@32000h,G7221@16000h,G722,PCMU,PCMA,H264,G729,bcg_729
progress_media_uepoch    0
recovery_profile_name    external
rtp_use_codec_channels    1
sip_from_user_stripped    a''or''s=s--@111.111.111.111>
sip_hangup_disposition    send_refuse
sip_local_network_addr    111.111.111.111
current_application_data    [inbound routes] 404 not found 23.247.30.11
rtp_last_audio_codec_string    G729@8000h@20i@1c


Application Log  
Name    Data
export     call_direction=inbound
set     caller_destination=2442821788114
set     caller_id_name=a''or''s=s--@111.111.111.111>
set     caller_id_number=a''or''s=s--@111.111.111.111>
export     call_direction=inbound
set     call_direction=inbound
log     [inbound routes] 404 not found 23.247.30.11


Call Flow: Attributes  
Name    Value
dialplan     XML
unique-id     67489e2f-a478-4909-8bc3-025c30fb098d
profile_index     1


Call Flow: Extension: Attributes  
Name    Value
name     caller-details
number     2442821788114


Call Flow: Extension: Application  
Name    Data


Call Flow: Caller Profile  
Name    Value
ani     a''or''s=s--@111.111.111.111>
uuid     403aa371-0bba-435d-a3e9-e96f356ee04c
aniii  
rdnis  
source     mod_sofia
context     public
dialplan     XML
username     a''or''s=s--@111.111.111.111>
chan_name     sofia/external/a''or''s=s--@111.111.111.111>@nowhere
network_addr     23.247.30.11
callee_id_name  
caller_id_name     a''or''s=s--@111.111.111.111>
callee_id_number  
caller_id_number     a''or''s=s--@111.111.111.111>
destination_number     2442821788114


Call Flow: Times  
Name    Value
hangup_time     1529539712414448
bridged_time     0
created_time     1529539712394471
answered_time     0
progress_time     0
transfer_time     0
last_hold_time     0
resurrect_time     0
hold_accum_time     0
progress_media_time     0
profile_created_time     1529539712394471
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
Yes,

They were simply probing the external profile, nothing to worry about at all:

900442080503039@111.111.111.111:5080<---------------------------------------- External Profile

If you want to stop the irritation of it, block all traffic destined to port 5080 except for carrier IPs.
 

bazket

New Member
Jun 23, 2018
> Yes,
>
> They were simply probing the external profile, nothing to worry about at all:
>
> 900442080503039@111.111.111.111:5080<---------------------------------------- External Profile
>
> If you want to stop the irritation of it, block all traffic destined to port 5080 except for carrier IPs.

So this is normal?
And my server is safe / not compromised?

If it is only probing, why is it able to get into the CDR and able to perform calls?
It should be rejected because the user / domain is wrong in the first place, right?

Sorry if asking a lot, trying to learn =)

Thanks.
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
What do you mean perform calls? Show me a single CDR where it performed a call.

And yes, unfortunately failed calls show up in the CDR; we should look at this maybe.

It DID get rejected!
 

bazket

New Member
Jun 23, 2018
Noted with thanks.

Is there a way to replicate this?
I would like to learn more in depth on how the hacker does this probing & better understand this scenario in future.

Thanks a lot for your guide.
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
All they did was send a call to port 5080 instead of 5060.

5080 is unauthenticated, basically, and handles incoming DID numbers. If it's not a valid DID, you will get an error as you have seen.
 
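The two CDR dumps posted earlier and the explanation just given (unauthenticated external profile on 5080, unknown DID, call refused) can be turned into a triage rule for the next time something odd shows up in the CDR. The script below is an added example, not code from the thread or the FusionPBX project: it reads the Name/Value "Variables" block of a CDR and labels it PROBE (external profile, port 5080, never answered, zero billable seconds), CONNECTED (answered or billed, which is the case that would actually need incident response), or REVIEW. The samples are constructed from the fields of the two records above plus one invented connected call on an RFC 5737 documentation address; the field names are the ones visible in the dumps.

```shell
#!/bin/sh
# Added example (not from the thread, not FusionPBX project code): classify a
# FusionPBX CDR "Variables" dump (name<whitespace>value lines, as pasted in the
# thread) as a refused external-profile probe, a connected call, or a record
# that needs a human look.

# Parse stdin into an awk array and apply the decision rule; prints one line:
# VERDICT plus the fields a responder wants (profile, port, source IP, hangup
# cause, caller-ID note).
classify_cdr() {
  awk '
    NF == 0 { next }
    {
      name = $1; $1 = ""; sub(/^[ \t]+/, "")
      v[name] = $0
    }
    END {
      q = sprintf("%c", 39)          # a single-quote character
      profile  = v["sofia_profile_name"]
      port     = v["sip_req_port"]
      src      = v["sip_network_ip"]
      cause    = v["hangup_cause"]
      bill     = v["billsec"] + 0
      answered = (v["answer_epoch"] + 0) > 0
      cid      = v["caller_id_number"]
      # Quotes, "--" or "=" in a caller ID are the SQL-injection-looking
      # pattern from the thread; worth flagging even when the call was refused.
      note = (index(cid, q) || index(cid, "--") || index(cid, "=")) ? "suspicious-caller-id" : "plain-caller-id"
      if (answered || bill > 0)
        printf "CONNECTED profile=%s from=%s billsec=%d %s\n", profile, src, bill, note
      else if (profile == "external" && port == "5080")
        printf "PROBE profile=external port=5080 from=%s cause=%s %s\n", src, cause, note
      else
        printf "REVIEW profile=%s port=%s from=%s cause=%s %s\n", profile, port, src, cause, note
    }'
}

# Constructed sample 1: the relevant fields of the thread's second CDR (the
# caller ID carrying quotes and a comment marker).
sample_injection_probe() {
  cat <<'EOF'
sofia_profile_name    external
sip_req_port    5080
sip_network_ip    23.247.30.11
caller_id_number    a''or''s=s--@111.111.111.111>
hangup_cause    NORMAL_CLEARING
billsec    0
answer_epoch    0
sip_user_agent    FreePBX 1.8
EOF
}

# Constructed sample 2: the thread's first CDR, a plain numeric caller ID that
# hit 5080 with a DID the dialplan does not know.
sample_did_probe() {
  cat <<'EOF'
sofia_profile_name    external
sip_req_port    5080
sip_network_ip    217.182.197.186
caller_id_number    111128411468
hangup_cause    NO_ROUTE_DESTINATION
billsec    0
answer_epoch    0
EOF
}

# Constructed sample 3: what a call that really went through looks like
# (internal profile, answered, billable seconds); invented values.
sample_connected_call() {
  cat <<'EOF'
sofia_profile_name    internal
sip_req_port    5060
sip_network_ip    192.0.2.25
caller_id_number    1001
hangup_cause    NORMAL_CLEARING
billsec    42
answer_epoch    1529833710
EOF
}

for s in sample_injection_probe sample_did_probe sample_connected_call; do
  $s | classify_cdr
done
```

The rule deliberately keys on what the thread's replies key on: a record with no answer time and zero billable seconds never became a call, whatever the caller ID looks like. A CONNECTED verdict on the external profile, on the other hand, is the thing to investigate.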

bazket

New Member
Jun 23, 2018
Hi DigitalDaz,

I managed to replicate those based on your input. Thanks a lot.

So here is how to solve it:

Under the external SIP profile, put this:
<param name="auth-calls" value="true"/>

It will block all those probing attempts and they won't show in the CDR.

But my next question: why is the default setting false?
Any disadvantages if I put it as true?
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
Yes, absolutely, there is nothing to solve here; put that to true and your carriers may not be able to send inbound calls.

You are trying to solve a problem that doesn't exist.
 

Incubugs

Member
Apr 7, 2018
I think DigitalDaz is correct looking at this again; he can probably read traces better than I. What I would do, if you can, is restrict port 5080 to your provider's IP on your firewall. If you are using a DrayTek or SonicWall it's quite easy; if you are in the cloud then refer to the VPS instructions. It's always better to stop any potential hacker from getting to the system at all with a good firewall in place. I would also block 5060 as well unless you have road warriors, in which case maybe think about VPN access from the mobile / laptop etc. to be safe.
 
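Both DigitalDaz and Incubugs give the same advice: let only carrier addresses reach port 5080 and leave the rest of the firewall alone. That also answers the earlier question about combining an allow-list with fail2ban, since the two work on different ports: 5080 becomes deny-by-default for everything but carriers, while 5060 stays allow-by-default with fail2ban banning brute-forcers. The script below is an added example, not code from the thread or the FusionPBX project: it generates an iptables rule set (a dedicated chain, one RETURN per carrier, a rate-limited log line, then DROP, hooked into INPUT for UDP and TCP) and validates the carrier entries before printing anything. The carrier addresses are constructed placeholders from the RFC 5737 documentation ranges; the chain name and log prefix are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread, not FusionPBX/FreeSWITCH project code):
# generate iptables rules that let only the listed carrier addresses reach the
# external SIP profile on port 5080, UDP and TCP, through a dedicated chain.
# Nothing here touches 5060, so fail2ban keeps policing the registering profile.
# Carrier addresses below are constructed placeholders (RFC 5737 ranges);
# replace them with your provider's signalling IPs.

CARRIERS="203.0.113.10 198.51.100.0/24"
SIP_EXTERNAL_PORT=5080
CHAIN=SIP_EXTERNAL

# Accept only dotted-quad IPv4, optionally with a /0-32 prefix. Hostnames,
# IPv6 and typos are rejected before any rule is printed, so a bad entry
# cannot yield a half-applied rule set.
valid_ipv4_entry() {
  entry=$1
  case $entry in
    *[!0-9./]*|'') return 1 ;;
  esac
  addr=${entry%%/*}
  prefix=${entry#"$addr"}          # empty, or "/NN"
  case $prefix in
    '') ;;
    /[0-9]|/[12][0-9]|/3[0-2]) ;;
    *) return 1 ;;
  esac
  octets=0
  oldifs=$IFS; IFS=.
  for o in $addr; do
    octets=$((octets + 1))
    case $o in
      ''|*[!0-9]*) IFS=$oldifs; return 1 ;;
    esac
    [ "$o" -le 255 ] || { IFS=$oldifs; return 1; }
  done
  IFS=$oldifs
  [ "$octets" -eq 4 ]
}

# Print the rule set rather than applying it, so it can be reviewed first;
# run the output as root (for example: gen_5080_rules ... | sh) to apply it.
gen_5080_rules() {
  carriers=$1
  port=$2
  for ip in $carriers; do
    valid_ipv4_entry "$ip" || { echo "rejected carrier entry: $ip" >&2; return 1; }
  done
  # Fresh chain: create it, or flush it if an earlier run already made it.
  echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
  # Carrier traffic leaves the chain and continues down INPUT as before.
  for ip in $carriers; do
    echo "iptables -A $CHAIN -s $ip -j RETURN"
  done
  # Everyone else: a rate-limited log line for the SOC, then drop. Dropped
  # probes never reach FreeSWITCH, so they no longer show up in the CDR.
  echo "iptables -A $CHAIN -m limit --limit 5/min -j LOG --log-prefix \"sip5080-drop: \""
  echo "iptables -A $CHAIN -j DROP"
  # Hook the chain at the top of INPUT for both transports; the -C check keeps
  # re-runs from stacking duplicate jump rules.
  for proto in udp tcp; do
    echo "iptables -C INPUT -p $proto --dport $port -j $CHAIN 2>/dev/null || iptables -I INPUT -p $proto --dport $port -j $CHAIN"
  done
}

# Number of rule lines for a carrier list: 1 chain line, one RETURN per
# carrier, LOG, DROP, and 2 INPUT hooks. Useful as a sanity check.
rule_count() {
  gen_5080_rules "$1" "$2" | wc -l | tr -d ' '
}

gen_5080_rules "$CARRIERS" "$SIP_EXTERNAL_PORT"
```

Review the printed rules, then apply them as root; if the server sits behind a cloud security group or an appliance such as the DrayTek or SonicWall mentioned above, the same allow-list belongs there instead, and 5080 should not be exposed by both layers independently.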

markjcrane

Active Member
Staff member
Jul 22, 2018
This is a SIP attack attempt. It's a common thing today. They are attempting to do a SQL injection attack. It should be safe as long as you are not using an old version of FusionPBX. If you are, then I suggest upgrading to the latest 4.4 or 4.5. FusionPBX 4.5 has the best security.
 