Possible Hack?

Postby bmorrison » Fri Jan 26, 2018 8:52 am

Hi.

Has anyone seen their dialplans magically change in the last couple of days/weeks? On a few of my servers I've seen my dialplans rewritten with the 6666 user from IP address 188.161.18.171.

At first I thought these edits were from a manager who was playing with the dial plans, but then I started seeing edits from this IP on other servers with other organizations. Uh oh.

IP address is sourced from Palestine.

Each server has different unique, randomly generated passwords. All my systems haven't been hit yet, and all they're doing is rewriting dialplans to something like:

exten => _9.,1,AGI(agi://127.0.0.1:4577/call_log)
exten => _9.,2,Dial(${TELNYX}/${EXTEN:1},,To)
exten => _9.,3,Dial(${TELNYX2}/${EXTEN:1},,To)
exten => _9.,4,Hangup

exten => _8.,1,AGI(agi://127.0.0.1:4577/call_log)
exten => _8.,2,Dial(${TELNYX}/${EXTEN:2},,To)
exten => _8.,3,Dial(${TELNYX2}/${EXTEN:2},,To)
exten => _8.,4,Hangup

exten => _7.,1,AGI(agi://127.0.0.1:4577/call_log)
exten => _7.,2,Dial(${TELNYX}/1${EXTEN:1},,To)
exten => _7.,3,Dial(${TELNYX2}/1${EXTEN:1},,To)
exten => _7.,4,Hangup

exten => _5.,1,AGI(agi://127.0.0.1:4577/call_log)
exten => _5.,2,Dial(${TELNYX}/1${EXTEN},,To)
exten => _5.,3,Dial(${TELNYX2}/1${EXTEN},,To)
exten => _5.,4,Hangup
When all that was there before was a 10 digit match with a 9 prefix. But, obviously, if more people than me are seeing this, then we have a problem.
bmorrison
 
Posts: 94
Joined: Wed Jul 09, 2008 11:26 pm
Location: United States
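The tampered dialplan above replaces a tight 10-digit-with-9-prefix match with catch-all `_9.`, `_8.`, `_7.` and `_5.` patterns, which is exactly what an automated check can catch. The script below is an added example, not code from the VICIdial project or from anyone in this thread: it parses `exten => pattern,priority,App(args)` lines, flags patterns that use the open-ended `.`/`!` wildcards or that match numbers shorter than the expected dial string, and flags `Dial()` entries whose trunk is not in an allow-list. The allow-list (only `${TELNYX}` is assumed legitimate here), the expected minimum length of 11 characters (prefix plus 10 digits) and the sample dialplan are constructed for the demonstration.

```python
"""Audit an Asterisk/VICIdial-style dialplan fragment for tampering.

Added example, not code from the VICIdial project or from the thread's
authors. Trunk allow-list, expected length and sample text are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# exten => <pattern>,<priority>,<App>(<args>)   (args are optional, e.g. Hangup)
EXTEN_RE = re.compile(
    r"^\s*exten\s*=>\s*(?P<pattern>[^,]+),(?P<prio>\w+),(?P<app>\w+)"
    r"(?:\((?P<args>.*)\))?\s*$"
)
# Dial() resource is TECH/... or ${VAR}/...; capture the leading trunk token
TRUNK_RE = re.compile(r"^\s*(?P<trunk>\$\{[A-Za-z0-9_]+\}|[A-Za-z0-9_]+)/")


@dataclass
class Finding:
    line_no: int
    pattern: str
    reason: str


def min_match_len(pattern: str) -> int:
    """Minimum number of dialed characters an Asterisk pattern can match.

    Patterns start with '_'. X, Z, N, literal digits and [..] classes each
    match one character; '.' matches one or more; '!' matches zero or more.
    """
    body = pattern[1:] if pattern.startswith("_") else pattern
    n = 0
    i = 0
    while i < len(body):
        c = body[i]
        if c == "[":
            i = body.index("]", i)  # whole class counts as one character
            n += 1
        elif c != "!":
            n += 1
        i += 1
    return n


def audit_dialplan(text: str, allowed_trunks: set[str],
                   expected_min_len: int = 11) -> list[Finding]:
    """Return one Finding per (pattern, reason), recorded at its first line."""
    findings: list[Finding] = []
    seen: set[tuple[str, str]] = set()

    def report(no: int, pattern: str, reason: str) -> None:
        if (pattern, reason) not in seen:
            seen.add((pattern, reason))
            findings.append(Finding(no, pattern, reason))

    for no, line in enumerate(text.splitlines(), 1):
        m = EXTEN_RE.match(line)
        if not m:
            continue
        pattern = m["pattern"].strip()
        if pattern.startswith("_") and any(w in pattern for w in ".!"):
            report(no, pattern, "open-ended wildcard pattern")
        elif pattern.startswith("_") and min_match_len(pattern) < expected_min_len:
            report(no, pattern, f"matches numbers shorter than {expected_min_len} characters")
        if m["app"].lower() == "dial" and m["args"]:
            t = TRUNK_RE.match(m["args"])
            if t and t["trunk"] not in allowed_trunks:
                report(no, pattern, f"unexpected trunk {t['trunk']}")
    return findings


# Constructed sample: one legitimate 10-digit entry followed by the kind of
# catch-all entries quoted in the post.
SAMPLE = """\
[constructed-context]
exten => _9NXXNXXXXXX,1,AGI(agi://127.0.0.1:4577/call_log)
exten => _9NXXNXXXXXX,2,Dial(${TELNYX}/${EXTEN:1},,To)
exten => _9.,1,AGI(agi://127.0.0.1:4577/call_log)
exten => _9.,2,Dial(${TELNYX}/${EXTEN:1},,To)
exten => _9.,3,Dial(${TELNYX2}/${EXTEN:1},,To)
exten => _9.,4,Hangup
exten => _5.,2,Dial(${TELNYX}/1${EXTEN},,To)
"""

if __name__ == "__main__":
    for f in audit_dialplan(SAMPLE, {"${TELNYX}"}):
        print(f"line {f.line_no}: {f.pattern}: {f.reason}")
```

Run it against a copy of `extensions.conf` (or the dialplan text stored in the database) from cron and alert on any finding; a clean baseline returns an empty list, so the output itself is the tamper signal.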

Re: Possible Hack?

Postby mflorell » Fri Jan 26, 2018 4:35 pm

We have seen some of our older client systems get broken into before, usually it is through a brute force attack, but sometimes it is using one of the older VICIdial known exploits on an un-patched system. What is the version and build of the admin.php of the systems that have been compromised?
mflorell
Site Admin
 
Posts: 18335
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: Possible Hack?

Postby bmorrison » Fri Jan 26, 2018 4:44 pm

They're varying ages and builds. The three affected were built in the last year or so.

After calling these clients and informing them that they've been hacked, I queried the passwords in the database.

These are actual passwords used on these systems:

0000
12345

And my favorite:

MyPassword

I think a script kiddie hit a few of my clients' systems, brute forced an admin, got the 6666 password, and started playing with the dialplans. I've told the clients affected about the necessity of strong passwords, whitelisted where I was allowed (many outright reject whitelisting because it can be a major pita even though SIP theft is far more painful), and wept a tear for common sense.

So, at least the community should know someone in Gaza is scanning for Vicidial systems and bruting passwords.

I should take the time to implement a two-factor option on Vicidial because I'm seeing incredibly bad passwords more and more often.
bmorrison
 
Posts: 94
Joined: Wed Jul 09, 2008 11:26 pm
Location: United States
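The passwords quoted above are the kind a periodic audit catches before a brute-forcer does. The script below is an added example, not VICIdial code: it scores a list of (user, password) pairs that an administrator has already pulled from their own system and returns the reasons each one is weak (too short, digits only, sequential, a single repeated character, a common word, contains the user name, or low estimated entropy). The record list, the thresholds (12 characters, 50 bits) and the small common-password set are constructed for the demonstration; a real deployment would swap in a proper breached-password list.

```python
"""Flag weak passwords in a list of (user, password) records.

Added example, not VICIdial code. Thresholds, the common-password set and
the sample records are assumptions made for the demonstration.
"""
from __future__ import annotations

import math
import re

# Tiny stand-in for a real breached/common password list.
COMMON = {"password", "mypassword", "admin", "letmein", "welcome",
          "qwerty", "vicidial", "changeme"}


def is_sequential(s: str) -> bool:
    """True for runs such as 12345, abcd or 54321 (constant step of +1 or -1)."""
    if len(s) < 3:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs in ({1}, {-1})


def entropy_bits(pw: str) -> float:
    """Rough strength estimate: length times log2 of the character-pool size."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"\d", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def weaknesses(user: str, pw: str, min_len: int = 12,
               min_bits: float = 50.0) -> list[str]:
    """Return every rule the password fails; an empty list means it passed."""
    reasons: list[str] = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len}")
    if pw.isdigit():
        reasons.append("digits only")
    if is_sequential(pw):
        reasons.append("sequential")
    if len(set(pw)) == 1:
        reasons.append("single repeated character")
    if pw.lower() in COMMON:
        reasons.append("common password")
    if user.lower() in pw.lower():
        reasons.append("contains user name")
    if entropy_bits(pw) < min_bits:
        reasons.append(f"low entropy ({entropy_bits(pw):.0f} bits)")
    return reasons


def audit_accounts(records) -> dict[str, list[str]]:
    """Map each user with at least one weakness to its list of reasons."""
    return {u: r for u, p in records if (r := weaknesses(u, p))}


# Constructed records: the three passwords quoted in the post plus one
# that passes every rule.
SAMPLE_RECORDS = [
    ("6666", "0000"),
    ("admin", "12345"),
    ("jdoe", "MyPassword"),
    ("ops", "T7#vq2Lr9!xWz4Qd"),
]

if __name__ == "__main__":
    for user, reasons in audit_accounts(SAMPLE_RECORDS).items():
        print(f"{user}: {', '.join(reasons)}")
```

Feed it the user/password pairs from your own database export and treat any non-empty result as a reset-now item; the entropy rule is deliberately crude and exists to catch the obvious cases, not to replace a breached-password check.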
