Hacked Asterisk PBX Update

Tom Keating : VoIP & Gadgets Blog
Tom Keating
CTO


[Image: masked-hacker-with-hat.jpg]
I wanted to give an update to my Asterisk Hack Post-mortem article. By the way, I love this image of a hacker sporting a fedora in case you're wondering why I used it in both articles!

I found this interesting error in the logs:
zdump[27161]: error: Bind to port 10001 on 0.0.0.0 failed: Address already in use.


I knew zdump is a Linux command for dumping timezone information, but it has no business binding to a port. I found the zdump binary:
[root]/var/log/bak2>ll /usr/bin/zdump
-rwxr-xr-x  1 root root 240512 Jan  6 13:36 /usr/bin/zdump


The file's date and time were roughly the time of the hack. Since there was nothing to lose, I ran it with a command that should print timezone transitions, but look at the output it gave me:
[root]/usr/bin/zdump>./zdump -v /etc/localtime
zdump: illegal option -- v
sshd version OpenSSH_5.4p1
Usage: zdump [options]
Options:
  -f file    Configuration file (default /usr/include/X11/.fonts/sshd_config)
  -d         Debugging mode (multiple -d means more debugging)
  -i         Started from inetd
  -D         Do not fork into daemon mode
  -t         Only test configuration file and keys
  -q         Quiet (no logging)
  -p port    Listen on the specified port (default: 22)
  -k seconds Regenerate server key every this many seconds (default: 3600)
  -g seconds Grace period for authentication (default: 600)
  -b bits    Size of server RSA key (default: 768 bits)
  -h file    File from which to read host key (default: /usr/include/X11/.fonts/ssh_host_key)
  -u len     Maximum hostname length for utmp recording
  -4         Use IPv4 only
  -6         Use IPv6 only
  -o option  Process the option as if it was read from a configuration file.


It's a friggin OpenSSH process! The file at /usr/bin/zdump is an sshd binary (OpenSSH_5.4p1) renamed to look like the timezone tool, built to read its configuration and host key from /usr/include/X11/.fonts/, a dot-directory under a header tree where no fonts belong. The hacker was setting up a backdoor that would accept SSH sessions on port 10001 instead of 22, but chose a port that was already taken, which is why the bind error landed in the logs. The sshd_config and ssh_host_key files in that hidden directory are worth copying off before cleanup: they record how the backdoor was configured and which host key it presented.
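A renamed sshd still carries its usage text, version banner and default paths inside the binary, which is what gave this one away. As an added example (not from the post, and not a tool the author used), here is a small Python triage helper that scans executables for OpenSSH server strings under a non-SSH file name and pulls out any embedded paths that pass through a dot-directory. The marker strings, the list of legitimate SSH binaries and the fake ELF fixtures built in demo() are my assumptions, chosen to mirror the usage output quoted above.

```python
"""Triage helper: flag ELF executables that embed OpenSSH server strings but are
not named like SSH tools. Added example, not part of the original post; marker
strings and fixture data are assumptions mirroring the usage text quoted above."""
import os
import re
import stat
import tempfile

# Strings an OpenSSH server binary carries no matter what it was renamed to.
SSHD_MARKERS = (b"OpenSSH_", b"sshd_config", b"ssh_host_key", b"Started from inetd")
# Binaries that legitimately contain those strings; anything else is suspect.
KNOWN_SSH_BINARIES = {"ssh", "sshd", "scp", "sftp", "sftp-server", "ssh-agent",
                      "ssh-add", "ssh-keygen", "ssh-keyscan", "ssh-keysign"}
# Absolute paths that pass through a dot-directory (e.g. /usr/include/X11/.fonts/...),
# a common place to stash a backdoor's config and host key.
HIDDEN_PATH_RE = re.compile(rb"/[^\s\0)]*?/\.[^\s\0/)]+/[^\s\0)]*")


def inspect_file(path):
    """Return a finding dict for a suspicious ELF file, else None."""
    with open(path, "rb") as f:
        data = f.read()
    if not data.startswith(b"\x7fELF"):
        return None
    markers = [m.decode() for m in SSHD_MARKERS if m in data]
    if not markers or os.path.basename(path) in KNOWN_SSH_BINARIES:
        return None
    hidden = sorted({h.decode(errors="replace") for h in HIDDEN_PATH_RE.findall(data)})
    return {"path": path, "markers": markers, "hidden_paths": hidden}


def scan(paths):
    """Inspect each regular, user-executable file in paths; skip anything unreadable."""
    findings = []
    for p in paths:
        try:
            st = os.stat(p)
        except OSError:
            continue
        if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IXUSR:
            continue
        r = inspect_file(p)
        if r:
            findings.append(r)
    return findings


def demo():
    """Constructed fixture (assumption): three fake ELF files in a temp dir, one of
    them a renamed sshd carrying the same hidden config path seen in the post."""
    d = tempfile.mkdtemp()

    def put(name, body):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(b"\x7fELF" + b"\0" * 12 + body)
        os.chmod(p, 0o755)
        return p

    zdump = put("zdump", b"sshd version OpenSSH_5.4p1\0Usage: zdump [options]\0"
                         b"(default /usr/include/X11/.fonts/sshd_config)\0")
    sshd = put("sshd", b"OpenSSH_5.4p1\0/etc/ssh/sshd_config\0")   # legitimate name
    date = put("date", b"usage: date [OPTION]\0")                  # no markers at all
    return scan([zdump, sshd, date, os.path.join(d, "missing")])


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], finding["markers"], finding["hidden_paths"])
```

On a real host you would feed scan() the contents of /usr/bin, /usr/sbin and /usr/local/bin; the dot-directory extraction is what points you at the backdoor's config and key files without having to run the binary, as the author did.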

Now it really gets interesting.
Looking at the rotated messages.x logs I saw this:
Jan  8 13:58:58 asterisk sshd[30940]: Failed password for root from ::ffff:204.145.81.138 port 38401 ssh2
Jan  8 13:58:58 asterisk sshd[30942]: Accepted password for PlcmSpIp from ::ffff:204.145.81.138 port 38418 ssh2


Within the same second, 204.145.81.138 failed to authenticate as 'root' and then had its password accepted for 'PlcmSpIp'. What the heck?
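The two log lines above carry a pattern worth alerting on: a password accepted for a service account whose shell is /sbin/nologin, from a source that had just failed as root. As an added example (not from the post), here is a Python check that applies both rules to sshd log lines, cross-referencing the accepted user against /etc/passwd. The sample log and passwd excerpt are constructed from the lines quoted in the post plus one benign login for contrast; the function names are mine.

```python
"""Detection over sshd log lines: accepted logins for nologin accounts, and
accepted logins from a source that earlier failed as root. Added example, not
part of the original post; sample data is constructed."""
import re

# Constructed sample: the two lines quoted in the post plus one benign login.
SAMPLE_LOG = """\
Jan  8 13:58:58 asterisk sshd[30940]: Failed password for root from ::ffff:204.145.81.138 port 38401 ssh2
Jan  8 13:58:58 asterisk sshd[30942]: Accepted password for PlcmSpIp from ::ffff:204.145.81.138 port 38418 ssh2
Jan  8 14:02:11 asterisk sshd[30990]: Accepted publickey for tom from ::ffff:192.0.2.10 port 50122 ssh2
"""

# Constructed /etc/passwd excerpt; the PlcmSpIp line is the one quoted in the post.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
tom:x:500:500::/home/tom:/bin/bash
PlcmSpIp:x:99:99::/tftpboot:/sbin/nologin
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Matches the standard OpenSSH "Accepted ..." / "Failed ..." authentication lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_passwd(text):
    """Map user name -> login shell from passwd-format text."""
    shells = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 7:
            shells[fields[0]] = fields[6]
    return shells


def normalize_src(src):
    """sshd logs IPv4 clients as ::ffff:a.b.c.d on IPv6-enabled hosts."""
    return src[7:] if src.startswith("::ffff:") else src


def parse_auth_log(text):
    """Return one dict per authentication event, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["src"] = normalize_src(d["src"])
            events.append(d)
    return events


def find_suspicious_logins(log_text, passwd_text):
    """Flag accepted logins that hit either rule; reasons are listed per finding."""
    shells = parse_passwd(passwd_text)
    failed_root = set()   # sources seen failing as root so far
    findings = []
    for e in parse_auth_log(log_text):
        if e["result"] == "Failed":
            if e["user"] == "root":
                failed_root.add(e["src"])
            continue
        reasons = []
        if shells.get(e["user"]) in NOLOGIN_SHELLS:
            reasons.append("accepted login for nologin service account")
        if e["src"] in failed_root:
            reasons.append("same source earlier failed as root")
        if reasons:
            findings.append({"ts": e["ts"], "user": e["user"], "src": e["src"],
                             "method": e["method"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_LOG, SAMPLE_PASSWD):
        print(f["ts"], f["user"], f["src"], "; ".join(f["reasons"]))
```

The nologin rule is the more important of the two: an account with /sbin/nologin should never produce an "Accepted" line, because nothing legitimate authenticates as it over SSH.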

So I did a whois:
http://whatismyipaddress.com/ip/204.145.81.138

General IP Information
IP:    204.145.81.138
Decimal:    3432075658
Hostname:    welinknyc.dmarc.lga4.atlanticmetro.net
ISP:    Atlantic Metro Communications
Organization:    We Link Networks LLC
Services:    None detected
Type:    Corporate
Assignment:    Static IP

Not very useful info there, since it looks like an ISP. However, when I browse directly to the IP address:
http://204.145.81.138/

[Image: goautodial-logo.jpg]
I see a company name called GoAutoDial. The description says "GoAutoDial is an enterprise grade open source call center system. Scalable to hundreds of seats and can utilize VoIP, ISDN or analog trunks. GoAutoDial (formerly VicidialNOW) is an enterprise grade open source predictive dialer system. It automatically installs Vicidial, Mysql, PHP, Asterisk, VtigerCRM and other components to have a fully functional open source predictive dialer system. It has out of the box support for Sangoma and Digium telephony hardware and is scalable to hundreds of seats."

Well, now that's interesting. An open source Asterisk predictive dialer? They obviously know Asterisk and they obviously know all about bulk dialing. Perhaps their business model is to crack Asterisk boxes and resell the minutes? I don't want to make any accusations without any cold hard facts, so I reached out to them via their support online form. There was no phone number to call them or I would have. I gave them 24 hours to respond but they never contacted me back.

This is not an admission of guilt on their part. For all I know their support person didn't know how to deal with my request to contact me regarding the hack coming from their IP address. Even so, the log file where I saw this IP address could have been modified to "frame" GoAutoDial. Though that's mighty fishy. Perhaps one of their servers was hacked and from that compromised box they jumped onto my Asterisk box over SSH.

Still, what are the odds that a company that uses Asterisk to run their business would get hacked and then log onto my box running Asterisk? I'd venture a guess that less than 1% of all Linux boxes run Asterisk, so the odds seem pretty small to me. Still, I'll give them the benefit of the doubt and if they reach out to me I'll be glad to update this article.

Now, more about this 'PlcmSpIp' account. When I was securing /etc/passwd yesterday I saw that it was set correctly, i.e. no login shell (/sbin/nologin):

PlcmSpIp:x:99:99::/tftpboot:/sbin/nologin

I also saw it as the last line in the /etc/shadow file, so it does have a password:
PlcmSpIp:$1$1oQ4Yhar$x7uCjUCfPustrRQh9EFtQ1:15301:0:99999:7:::

I remembered coming across this username somewhere, so I googled it: PlcmSpIp is the default account Polycom phones use to fetch their provisioning files (hence the /tftpboot home directory), the password isn't randomized, and it is simply 'PlcmSpIp'. I'll have to check to see if one of my other Asterisk boxes has this same hashed password. (Comparing the hash strings only means something if the salts match, the '1oQ4Yhar' part between the second and third '$'; two boxes with the same password but different salts show different hashes.)

But even if the hacker knew the default Polycom username & password (PlcmSpIp), I'm not sure how this Polycom account was able to SSH in since it didn't have bash access. One thing worth knowing here: /sbin/nologin only refuses to start a shell. sshd checks the password against /etc/shadow before the shell is ever involved, so 'Accepted password' is logged for a nologin account just as it is for a real user, and a client that asks only for port forwarding (ssh -N) never needs the shell at all.

Did some more digging and saw some security alerts on PlcmSpIp:
http://www.mail-archive.com/sipx-users@list.sipfoundry.org/msg04452.html

http://www.thirdlane.com/forum/ftp

I might try temporarily setting this account to allow SSH login and try to authenticate using password="PlcmSpIp". Though that just proves Polycom sets this account to an easy default password. It still doesn't explain how they were able to SSH using this account. This could be a major security flaw if indeed you can gain bash access using Polycom's default credentials. (The '$1$' prefix on the shadow entry means MD5-crypt, so the hash can also be checked against candidate passwords offline, without ever giving the account a shell.)
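Rather than re-enabling a login shell to test the password, the shadow hash quoted above can be checked offline. This is an added example, not from the post: a from-scratch Python implementation of the MD5-crypt ('$1$') scheme that the hash prefix identifies, following the FreeBSD/glibc algorithm, plus a helper that tries candidate passwords against a shadow line. The candidate list and function names are mine; the shadow line is the one quoted above.

```python
"""Offline check of a $1$ (MD5-crypt) shadow hash against candidate passwords.
Added example, not part of the original post. The md5_crypt() function is a
re-implementation of the FreeBSD/glibc algorithm; the shadow line below is the
one quoted in the post and the candidate list is an assumption."""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Shadow entry as quoted in the post.
POST_SHADOW_LINE = "PlcmSpIp:$1$1oQ4Yhar$x7uCjUCfPustrRQh9EFtQ1:15301:0:99999:7:::"


def _to64(value, count):
    """crypt(3)-style base64: low 6 bits first, 'count' characters."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password, salt):
    """MD5-crypt as in FreeBSD/glibc. 'salt' may carry the '$1$' prefix and a
    trailing '$hash'; only the first 8 salt characters are used."""
    pw = password.encode()
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]
    sp = salt.encode()

    ctx = hashlib.md5(pw + b"$1$" + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    pl = len(pw)
    while pl > 0:                      # as many bytes of alt as the password is long
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                           # the "something really weird" step
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):              # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return "$1$" + salt + "$" + enc


def check_shadow_entry(shadow_line, candidates):
    """Return the first candidate whose MD5-crypt matches the entry, else None."""
    user, stored = shadow_line.split(":", 2)[:2]
    if not stored.startswith("$1$"):
        raise ValueError("entry for %s is not a $1$ (MD5-crypt) hash" % user)
    salt = stored.split("$")[2]
    for candidate in candidates:
        if md5_crypt(candidate, salt) == stored:
            return candidate
    return None


if __name__ == "__main__":
    # Candidate list is an assumption: the vendor default and two trivial variants.
    hit = check_shadow_entry(POST_SHADOW_LINE, ["PlcmSpIp", "plcmspip", "PlcmSpIp1"])
    print("match:", hit if hit else "none of the candidates")
```

Running this against the other Asterisk boxes answers the "same password" question directly, whatever salt each box used.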

Stay tuned for more updates...

