I wanted to give an update to my Asterisk Hack Post-mortem article. By the way, I love this image of a hacker sporting a fedora in case you're wondering why I used it in both articles!
I found this interesting error in the logs:
zdump: error: Bind to port 10001 on 0.0.0.0 failed: Address already in use.
I knew zdump was a Linux command related to timezone stuff, but it shouldn't be taking a port. I found the zdump command:
-rwxr-xr-x 1 root root 240512 Jan 6 13:36 /usr/bin/zdump
The date and time were roughly around the time of the hack. I attempted to run it (nothing to lose) by typing this command, which should output various timezone information, but look at the output it gave me:
[root]/usr/bin/zdump>./zdump -v /etc/localtime
zdump: illegal option -- v
sshd version OpenSSH_5.4p1
Usage: zdump [options]
-f file Configuration file (default /usr/include/X11/.fonts/sshd_config)
-d Debugging mode (multiple -d means more debugging)
-i Started from inetd
-D Do not fork into daemon mode
-t Only test configuration file and keys
-q Quiet (no logging)
-p port Listen on the specified port (default: 22)
-k seconds Regenerate server key every this many seconds (default: 3600)
-g seconds Grace period for authentication (default: 600)
-b bits Size of server RSA key (default: 768 bits)
-h file File from which to read host key (default:
-u len Maximum hostname length for utmp recording
-4 Use IPv4 only
-6 Use IPv6 only
-o option Process the option as if it was read from a configuration file.
It's a friggin OpenSSH process! This allows an SSH session using port 10001 instead of 22. The hacker was setting up a backdoor, but chose a port that was already taken.
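The binary above was identified by executing it. A first step that does not hand control to an attacker's file is to read its bytes and look for what an OpenSSH server build always carries: a version string, usage text and a compiled-in sshd_config path. The script below is an added example for this article, not the author's code or anything from the compromised box; the two byte samples are constructed from the usage text quoted above, and the paths in them are examples.

```python
"""Flag a binary that is secretly an OpenSSH server, without running it.

Added example for this article, not the author's code. It reads a file as
bytes, pulls out printable strings (a pure-Python stand-in for strings(1)),
looks for OpenSSH markers and reports any embedded sshd_config path that is
not the stock /etc/ssh/sshd_config. The byte samples are constructed.
"""
import os
import re
from typing import List, Optional

# Strings that survive in an OpenSSH server build whatever the file is named.
SSHD_MARKERS = (b"OpenSSH_", b"sshd_config", b"Started from inetd")
STOCK_CONFIG = "/etc/ssh/sshd_config"
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")  # like `strings -n 6`


def printable_strings(data: bytes) -> List[str]:
    """Return runs of 6+ printable ASCII bytes, decoded, in file order."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def openssh_version(data: bytes) -> Optional[str]:
    """Return the embedded 'OpenSSH_x.y' version string if present."""
    m = re.search(rb"OpenSSH_[0-9][0-9A-Za-z._-]*", data)
    return m.group().decode("ascii") if m else None


def embedded_config_paths(data: bytes) -> List[str]:
    """sshd_config paths compiled into the binary, stock path excluded."""
    paths = set()
    for s in printable_strings(data):
        for p in re.findall(r"/\S*sshd_config", s):
            if p != STOCK_CONFIG:
                paths.add(p)
    return sorted(paths)


def classify(path: str, data: bytes) -> dict:
    """Decide whether a file is an sshd hiding under another name."""
    name = os.path.basename(path)
    markers = [m.decode() for m in SSHD_MARKERS if m in data]
    is_sshd = len(markers) >= 2
    return {
        "path": path,
        "is_sshd": is_sshd,
        "version": openssh_version(data),
        "hidden_configs": embedded_config_paths(data),
        # A real sshd is named sshd; an sshd under any other name is suspect.
        "suspect": is_sshd and name != "sshd",
        "markers": markers,
    }


def classify_file(path: str) -> dict:
    """Read a file from disk and classify it (used by the CLI below)."""
    with open(path, "rb") as fh:
        return classify(path, fh.read())


# Constructed sample: the strings a renamed sshd would leave behind, built
# from the usage text in the article (not the real bytes of that file).
SAMPLE_TROJAN = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"sshd version OpenSSH_5.4p1\x00"
    + b"Usage: zdump [options]\x00"
    + b"-f file    Configuration file (default /usr/include/X11/.fonts/sshd_config)\x00"
    + b"-i         Started from inetd\x00"
)

# Constructed sample of what a genuine zdump build looks like instead.
SAMPLE_REAL_ZDUMP = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"/usr/share/zoneinfo\x00zdump: %s: %s\x00"
    + b"usage: %s [--version] [--help] [-{vV}] [-{ct} [lo,]hi] zonename ...\x00"
)

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(classify_file(target))
```

Run it as `python3 sshd_check.py /usr/bin/zdump /usr/sbin/sshd`. On an RPM-based box, `rpm -Vf /usr/bin/zdump` is the complementary check: it verifies the package that owns the file and reports a size or digest mismatch, provided the RPM database itself was not tampered with.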
Now it really gets interesting.
Looking at the message.x logs I saw this:
Jan 8 13:58:58 asterisk sshd: Failed password for root from ::ffff:184.108.40.206 port 38401 ssh2
Jan 8 13:58:58 asterisk sshd: Accepted password for PlcmSpIp from ::ffff:220.127.116.11 port 38418 ssh2
First 18.104.22.168 tried to authenticate as 'root'. After failing, its password was accepted for 'PlcmSpIp'. What the heck?
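The pattern in those two lines, one address failing for root and being accepted for another account seconds later, is easy to pull out of a whole messages file mechanically. The script below is an added example for this article, not the author's code. The log lines in it are constructed in the same format as the lines quoted above; 203.0.113.7, 192.0.2.10 and 198.51.100.9 are documentation-range addresses, not the address from the article.

```python
"""Correlate sshd authentication lines from /var/log/messages-style logs.

Added example for this article, not the author's code. It picks out
'Failed ...' and 'Accepted ...' lines, strips the IPv4-mapped '::ffff:'
prefix sshd uses for IPv4 peers on an IPv6 socket, and reports any source
address that was accepted for one account shortly after failing for another,
plus any accepted login to an account on a watch list. Sample lines are
constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List

# Matches both "sshd:" and "sshd[1234]:" and both password and publickey auth.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd(?:\[\d+\])?: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def normalize_ip(ip: str) -> str:
    """'::ffff:1.2.3.4' and '1.2.3.4' are the same peer; key on the latter."""
    return ip[len("::ffff:"):] if ip.startswith("::ffff:") else ip


def parse_auth_events(lines: Iterable[str], year: int) -> List[dict]:
    """Turn syslog lines into event dicts; syslog omits the year, so pass it."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "result": m["result"],
            "method": m["method"],
            "user": m["user"],
            "invalid_user": m["invalid"] is not None,
            "ip": normalize_ip(m["ip"]),
            "port": int(m["port"]),
        })
    return events


def suspicious_logins(events: List[dict], window_seconds: int = 300,
                      watch_users: Iterable[str] = ()) -> List[dict]:
    """Accepted logins worth a second look, grouped by source address.

    A login is flagged when the same address failed for a *different*
    account within window_seconds before it, or when the account is one
    that should never log in over SSH (watch_users).
    """
    watch = set(watch_users)
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failed: List[dict] = []
        for e in evs:
            if e["result"] == "Failed":
                failed.append(e)
                continue
            prior = [f["user"] for f in failed
                     if f["user"] != e["user"]
                     and (e["ts"] - f["ts"]).total_seconds() <= window_seconds]
            reasons = []
            if prior:
                reasons.append("failed_then_accepted")
            if e["user"] in watch:
                reasons.append("watched_account")
            if reasons:
                findings.append({"ip": ip, "user": e["user"], "ts": e["ts"],
                                 "method": e["method"],
                                 "prior_failed_users": sorted(set(prior)),
                                 "reasons": reasons})
    return findings


# Constructed sample in the format of the lines quoted in the article.
SAMPLE_LOG = """\
Jan 8 13:58:58 asterisk sshd: Failed password for root from ::ffff:203.0.113.7 port 38401 ssh2
Jan 8 13:58:58 asterisk sshd: Accepted password for PlcmSpIp from ::ffff:203.0.113.7 port 38418 ssh2
Jan 8 14:02:11 asterisk sshd[2231]: Accepted publickey for admin from 192.0.2.10 port 51022 ssh2
Jan 8 14:05:40 asterisk sshd: Failed password for invalid user oracle from ::ffff:198.51.100.9 port 40011 ssh2
""".splitlines()

if __name__ == "__main__":
    events = parse_auth_events(SAMPLE_LOG, year=datetime.now().year)
    for f in suspicious_logins(events, watch_users={"PlcmSpIp"}):
        print(f)
```

Feed it the real file with `parse_auth_events(open("/var/log/messages"), year=...)`, and put every service account that should never see an SSH session in `watch_users`; a single accepted login for such an account is a finding on its own, whatever preceded it.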
So I did a whois:
General IP Information
ISP: Atlantic Metro Communications
Organization: We Link Networks LLC
Services: None detected
Assignment: Static IP
Not very useful info there, since it looks like an ISP. However, when I browse directly to the IP address:
I see a company name called GoAutoDial. The description says "GoAutoDial is an enterprise grade open source call center system. Scalable to hundreds of seats and can utilize VoIP, ISDN or analog trunks. GoAutoDial (formerly VicidialNOW) is an enterprise grade open source predictive dialer system. It automatically installs Vicidial, Mysql, PHP, Asterisk, VtigerCRM and other components to have a fully functional open source predictive dialer system. It has out of the box support for Sangoma and Digium telephony hardware and is scalable to hundreds of seats."
Well, now that's interesting. An open source Asterisk predictive dialer? They obviously know Asterisk and they obviously know all about bulk dialing. Perhaps their business model is to crack Asterisk boxes and resell the minutes? I don't want to make any accusations without any cold hard facts, so I reached out to them via their support online form. There was no phone number to call them or I would have. I gave them 24 hours to respond but they never contacted me back.
This is not an admission of guilt on their part. For all I know their support person didn't know how to deal with my request to contact me regarding the hack coming from their IP address. Even still, the log file where I saw this IP address could have been modified to "frame" GoAutoDial. Though that's mighty fishy. Perhaps one of their servers was hacked and from one of their hacked boxes they jumped onto my Asterisk box over SSH.
Still, what are the odds that a company that uses Asterisk to run their business would get hacked and then log onto my box running Asterisk? I'd venture a guess that less than 1% of all Linux boxes run Asterisk, so the odds seem pretty small to me. Still, I'll give them the benefit of the doubt and if they reach out to me I'll be glad to update this article.
Now, more about this 'PlcmSpIp' account. When I was securing /etc/passwd yesterday I saw that it was set correctly, i.e. no bash login:
I also saw it as the last line in the /etc/shadow file, so it does have a password:
I remembered coming across this username somewhere, so I googled it and it mentioned it's Polycom's default username and the password isn't randomized and that the password is simply 'PlcmSpIp'. I'll have to check to see if one of my other Asterisk boxes has this same hashed password.
But even if the hacker knew the default Polycom username & password (PlcmSpIp), I'm not sure how this Polycom account was able to SSH in since it didn't have bash access.
Did some more digging and saw some security alerts on PlcmSpIp:
I might try temporarily setting this account to allow SSH login and then try to authenticate using password="PlcmSpIp". Though that just proves Polycom sets this account to an easy default password. It still doesn't explain how they were able to SSH in using this account. This could be a major security flaw if indeed you can gain bash access using Polycom's default credentials.
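One detail worth knowing when reading that "Accepted password for PlcmSpIp" line: sshd writes it the moment the password check succeeds, and the login shell in /etc/passwd is consulted only later, when a session channel asks for a shell or a command. An account with /sbin/nologin and a live hash in /etc/shadow therefore still authenticates over SSH, and the authenticated connection can still be used for TCP forwarding (unless AllowTcpForwarding is off) or the internal-sftp subsystem, even though an interactive shell is refused. The script below, an added example for this article and not the author's code, lists accounts in that state, checks the global section of sshd_config for settings that would stop them, and names the fix. The passwd, shadow and sshd_config fragments are constructed, and the hashes are placeholders, not the ones from the author's box.

```python
"""Find accounts that have no login shell yet can still authenticate to sshd.

Added example for this article, not the author's code. Inputs are the text
of /etc/passwd, /etc/shadow and sshd_config; the fragments below are
constructed and the hashes are placeholders.
"""
from typing import Dict, List

NON_INTERACTIVE = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/bin/true"}


def parse_passwd(text: str) -> Dict[str, dict]:
    """user -> {uid, home, shell} from /etc/passwd text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            users[fields[0]] = {"uid": int(fields[2]), "home": fields[5], "shell": fields[6]}
    return users


def parse_shadow(text: str) -> Dict[str, str]:
    """user -> hash field from /etc/shadow text."""
    hashes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    return hashes


def hash_is_usable(h: str) -> bool:
    """'!...' and '!!' mean locked, '*' means no password set: neither can match."""
    return bool(h) and not h.startswith(("!", "*"))


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Global section only, lower-cased keywords.

    sshd keeps the first value it sees for a keyword, and Match blocks apply
    conditionally, so parsing stops at the first Match. The 'Key=Value' form
    is not handled (assumption: whitespace-separated lines, the common case).
    """
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        cfg.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return cfg


def risky_accounts(passwd_text: str, shadow_text: str, sshd_config_text: str) -> List[dict]:
    """Accounts with a non-interactive shell that sshd would still authenticate."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    cfg = parse_sshd_config(sshd_config_text)
    password_auth = cfg.get("passwordauthentication", "yes").lower() == "yes"
    tcp_forwarding = cfg.get("allowtcpforwarding", "yes").lower() != "no"
    allow_users = set(cfg.get("allowusers", "").split())  # user@host patterns not handled
    deny_users = set(cfg.get("denyusers", "").split())

    findings = []
    for name, info in users.items():
        if info["shell"] not in NON_INTERACTIVE:
            continue  # interactive accounts are a separate review
        if not hash_is_usable(hashes.get(name, "")):
            continue  # locked or passwordless: the password check cannot pass
        if name in deny_users or (allow_users and name not in allow_users):
            continue  # sshd refuses the user before any password is tried
        if not password_auth:
            continue  # a default password is useless without password auth
        findings.append({
            "user": name,
            "shell": info["shell"],
            "tcp_forwarding": tcp_forwarding,
            "fix": f"passwd -l {name}; or add 'DenyUsers {name}' to sshd_config",
        })
    return findings


# Constructed fragments; hashes are placeholders, not real values.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
asterisk:x:500:500::/var/lib/asterisk:/sbin/nologin
PlcmSpIp:x:501:501::/tftpboot:/sbin/nologin
vsftpd:x:502:502::/var/ftp:/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$1$placeholder$rootplaceholderhash:15000:0:99999:7:::
asterisk:!!:15000:0:99999:7:::
PlcmSpIp:$1$placeholder$plcmplaceholderhash:15000:0:99999:7:::
vsftpd:*:15000:0:99999:7:::
"""
SAMPLE_SSHD_CONFIG = """\
# Stock-looking config: PasswordAuthentication defaults to yes when commented out
Port 22
Protocol 2
#PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
"""
HARDENED_SSHD_CONFIG = """\
Port 22
PasswordAuthentication no
AllowTcpForwarding no
DenyUsers PlcmSpIp
"""

if __name__ == "__main__":
    for f in risky_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_SSHD_CONFIG):
        print(f)
```

Run it on the live files with `risky_accounts(open("/etc/passwd").read(), open("/etc/shadow").read(), open("/etc/ssh/sshd_config").read())` as root. An account that needs its password for another service (the Polycom account is typically used for FTP/TFTP provisioning) should keep the password but be listed in DenyUsers, so that the same credential no longer opens an SSH session at all.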
Stay tuned for more updates...