LinuxMCE Forums

General => Users => Topic started by: purps on September 27, 2011, 10:29:47 am

Title: Has my sipgate UK account been hijacked because of LMCE?
Post by: purps on September 27, 2011, 10:29:47 am
I recently discovered that all of my credit on my sipgate UK account has gone, and it is due to "service charges" by sipgate. Looking at an itemised bill (see attached) it would appear that a number of calls to foreign numbers have been made, none of which by me.

Firstly, does anybody know how this could have happened? And is it as a result of using LMCE with the phone line?

I wouldn't call the amount of money that has been lost "insignificant", so I am keen to get to the bottom of this.

Cheers,
Matt.

EDIT: The latest attacks were when the phone line in LMCE wasn't being used - the sipgate settings were on the phone itself and LMCE is just providing the networking. The previous set of attacks though could have been when the phone/phone line was set up within LMCE, I'm not sure.
Title: Re: Has my sipgate UK account been hijacked because of LMCE?
Post by: coley on September 27, 2011, 12:53:22 pm
Matt,
It could be a brute force attack on your Asterisk server; it has happened to a few people on here.
Check the wiki for a possible solution: http://wiki.linuxmce.org/index.php/Fail2ban_-_A_tool_against_brute_force

-Coley.
Title: Re: Has my sipgate UK account been hijacked because of LMCE?
Post by: purps on September 27, 2011, 01:12:44 pm
How are these people able to do this? Do they know my sipgate password or just my phone number or what? What basic steps can I take to avoid this from happening (in addition to the link you posted, thanks for that)?
Title: Re: Has my sipgate UK account been hijacked because of LMCE?
Post by: coley on September 27, 2011, 03:38:41 pm
Botnets are set up to scan blocks of IP addresses, and once an Asterisk server is found they try to brute force the extension passwords.
There are auditing tools you can use to scan your own server, for example SIPVicious: http://code.google.com/p/sipvicious/wiki/GettingStarted

-Coley.
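Coley's pointer to Fail2ban above is a detection-and-ban approach. As an added example (not from this thread or the LinuxMCE wiki), the following Python reproduces the core of what a Fail2ban jail for Asterisk does: it parses chan_sip "Registration from ... failed" notices, counts failures per source address inside a sliding time window, and flags addresses that exceed the threshold. It also lists which extension names each source tried, because a scanner walking 100, 101, 102... is easy to tell apart from a LAN phone with a mistyped password. The log lines are constructed in the chan_sip style; the addresses (203.0.113.x, 198.51.100.x, 192.168.80.x) are documentation or private ranges, and the extension names and thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of Asterisk's chan_sip failed-registration
# notices (not taken from any real server). 203.0.113.x / 198.51.100.x are RFC 5737
# documentation ranges; 192.168.80.x stands for the LAN.
SAMPLE_LOG = """\
[Sep 27 10:01:02] NOTICE[2875] chan_sip.c: Registration from '"100" <sip:100@192.168.80.1>' failed for '203.0.113.5' - Wrong password
[Sep 27 10:01:03] NOTICE[2875] chan_sip.c: Registration from '"101" <sip:101@192.168.80.1>' failed for '203.0.113.5' - No matching peer found
[Sep 27 10:01:03] NOTICE[2875] chan_sip.c: Registration from '"102" <sip:102@192.168.80.1>' failed for '203.0.113.5' - Wrong password
[Sep 27 10:01:04] NOTICE[2875] chan_sip.c: Registration from '"103" <sip:103@192.168.80.1>' failed for '203.0.113.5' - Wrong password
[Sep 27 10:01:05] NOTICE[2875] chan_sip.c: Registration from '"200" <sip:200@192.168.80.1>' failed for '203.0.113.5' - Wrong password
[Sep 27 10:05:00] NOTICE[2875] chan_sip.c: Registration from '"gigaset" <sip:gigaset@192.168.80.1>' failed for '192.168.80.20' - Wrong password
[Sep 27 10:45:00] NOTICE[2875] chan_sip.c: Registration from '"100" <sip:100@192.168.80.1>' failed for '198.51.100.7' - Wrong password
[Sep 27 11:30:00] NOTICE[2875] chan_sip.c: Registration from '"100" <sip:100@192.168.80.1>' failed for '198.51.100.7' - Wrong password
"""

# Timestamp, extension name, source address (optional :port) and the failure reason.
FAILED_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '\"(?P<ext>[^\"]*)\"[^']*' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.*)$"
)


def parse_failures(log_text, year=2011):
    """Yield (timestamp, source_ip, extension, reason) for every failed REGISTER."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["ext"], m["reason"]


def find_brute_forcers(log_text, maxretry=5, window=timedelta(minutes=10)):
    """Return {ip: total_failures} for sources with >= maxretry failures inside any
    window of the given length. This is the maxretry/findtime logic of a Fail2ban jail."""
    times = defaultdict(list)
    for ts, ip, _ext, _reason in parse_failures(log_text):
        times[ip].append(ts)
    offenders = {}
    for ip, stamps in times.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= maxretry:
                offenders[ip] = len(stamps)
                break
    return offenders


def probed_extensions(log_text):
    """Distinct extension names each source tried; enumeration of many names from one
    address is the scanner signature, independent of the failure count."""
    exts = defaultdict(set)
    for _ts, ip, ext, _reason in parse_failures(log_text):
        exts[ip].add(ext)
    return {ip: sorted(names) for ip, names in exts.items()}


if __name__ == "__main__":
    for ip, count in find_brute_forcers(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: {count} failed registrations")
    for ip, names in probed_extensions(SAMPLE_LOG).items():
        print(f"{ip} tried extensions: {', '.join(names)}")
```

With the sample input only 203.0.113.5 is flagged: five failures in three seconds across five different extension names. The LAN Gigaset's single failure and the two failures 45 minutes apart from 198.51.100.7 stay below the threshold, which is the trade-off a real jail has to make between catching slow scanners and locking out your own phones.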
Title: Re: Has my sipgate UK account been hijacked because of LMCE?
Post by: purps on September 27, 2011, 04:10:43 pm
It amazes me that they are able to use my sipgate account via asterisk when I can't even get the bloody thing to work myself!

Can it only have been done via asterisk? I don't have any extensions set up in asterisk, just the phone line itself is set up in LMCE web admin. At the moment my sipgate credentials are on the Gigaset, that is how we have been using the phone.
Title: Re: Has my sipgate UK account been hijacked because of LMCE?
Post by: fibres on September 27, 2011, 10:53:09 pm
Hi Purps

As far as I know LMCE automatically sets up extensions for the phones on each orbiter. Therefore on a default LMCE setup there are some phone extensions which may well have default, and therefore insecure, passwords.

If this is the case and you have set your Asterisk server to connect to your trunk, then they would be able to easily connect to your LMCE core Asterisk as an extension and make calls through your trunk.

Fail2ban is good to stop brute force attacks, however it is not a direct replacement for good strong passwords.

I run a number of public asterisk servers including a VOIP Telecom in the UK mainly in the Business/Call Centre area and we have had no issues without using fail2ban. However I am strict about using good secure passwords for all extensions. We see regular brute force attacks onto our sip servers but have never had one get through.

There should maybe be a disclaimer on the Asterisk side of LMCE to make sure all passwords are secure, and about the risks involved with connecting to your trunk.
Luckily you were on sipgate, a prepaid service, which would only allow them to use what credit you had. Had that been connected to a postpay VoIP provider, or even with a card directly to your home phone line, the cost could have been a lot higher.

Regards
Title: Re: Has my sipgate UK account been hijacked because of LMCE?
Post by: daballiemo on September 27, 2011, 11:09:03 pm
Another solution would be to prevent anybody but your provider from connecting to Asterisk. I arranged that via my router and iptables.

rgds

Han
Title: Re: Has my sipgate UK account been hijacked because of LMCE?
Post by: fibres on September 27, 2011, 11:57:50 pm
Yes

Although make sure you allow all of your provider's servers in, otherwise you may have issues with incoming calls.

Some providers use multiple servers, and inbound calls could come from one of a number of servers.
Also be aware that some providers use different servers for signalling and media. So you may get a call request SIP message from one server at your provider, but the call itself (the sound) will come from a different IP!!

Regards
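Han's approach of letting only the provider reach Asterisk, together with fibres' caveat that signalling and media can arrive from different provider addresses, as an added example that is not from this thread or from LinuxMCE: a POSIX shell function that prints iptables rules accepting SIP only from the provider's registrar/proxy hosts and RTP only from the provider's media range on the WAN-facing interface, and dropping everything else aimed at those ports. The interface name, the RTP port range and every address are assumed placeholders (RFC 5737 documentation ranges); replace them with the hosts and networks your provider publishes. The rules are printed rather than applied so they can be reviewed first.

```sh
#!/bin/sh
# Added example: allowlist for a PBX's public-facing interface. All values below are
# constructed placeholders, not real provider addresses.
EXT_IF="eth0"                                    # assumed WAN-facing interface of the core
SIP_PORT="5060"                                  # SIP signalling (UDP)
RTP_RANGE="10000:20000"                          # assumed rtp.conf media port range
PROVIDER_SIP_HOSTS="203.0.113.10 203.0.113.11"   # where INVITE/REGISTER traffic comes from
PROVIDER_MEDIA_NETS="198.51.100.0/24"            # where the RTP audio actually arrives from

# Print iptables commands: explicit ACCEPT rules for the provider first, then a DROP
# for anything else from the outside aimed at the same ports. Binding every rule to
# the external interface leaves LAN handsets such as a Gigaset unaffected.
sip_allowlist_rules() {
    for h in $PROVIDER_SIP_HOSTS; do
        echo "iptables -A INPUT -i $EXT_IF -p udp --dport $SIP_PORT -s $h -j ACCEPT"
    done
    for n in $PROVIDER_MEDIA_NETS; do
        echo "iptables -A INPUT -i $EXT_IF -p udp --dport $RTP_RANGE -s $n -j ACCEPT"
    done
    echo "iptables -A INPUT -i $EXT_IF -p udp --dport $SIP_PORT -j DROP"
    echo "iptables -A INPUT -i $EXT_IF -p udp --dport $RTP_RANGE -j DROP"
}

# Sanity check helper: number of ACCEPT rules emitted (one per signalling host plus
# one per media network).
accept_count() {
    sip_allowlist_rules | grep -c -- '-j ACCEPT'
}

sip_allowlist_rules
```

If inbound calls ring but carry no audio after applying rules like these, the media range is the first thing to re-check: a provider whose RTP comes from addresses outside PROVIDER_MEDIA_NETS will have its signalling accepted and its audio silently dropped.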
Title: Re: Has my sipgate UK account been hijacked because of LMCE?
Post by: purps on September 28, 2011, 10:41:59 am
Some very good advice there, thanks guys.

I realise extensions are set up automatically. One of the problems I have with my installation is that the extensions are not registering with Asterisk (from looking at the FreePBX main page), but the line and trunk were registered - would that be enough for them to use it? Or do they HAVE to have access to an extension?

I will of course set even stronger passwords where I can, but in the case of the SIP password supplied by sipgate.co.uk, it's only 6 characters long and made up of capital letters. I can't change it to my own password; I can only generate a new one. Should I be worried about this password specifically? Everyone is talking about passwords for the extensions, but as I said, these were not set up.
Title: Re: Has my sipgate UK account been hijacked because of LMCE?
Post by: fibres on September 28, 2011, 07:09:18 pm
Hi

As the password is random letters, even though it is only 6 characters long, there are still a lot of combinations.
I would expect sipgate to have security in place that would detect and stop brute force attacks on users accounts. I have in the past had a number of sipgate accounts without any issues.

If the line and trunk are registered then yes. I am guessing in the FreePBX admin there are some extensions configured. If these have weak passwords and they managed to brute force one of these extensions, then they would be able to make calls out of your registered trunks.

What extensions are you trying to register? I am guessing you are trying to get the Gigaset to register to the Asterisk on LMCE?

Regards
Title: Re: Has my sipgate UK account been hijacked because of LMCE?
Post by: ladekribs on September 28, 2011, 09:59:52 pm
Hi Purps,

The same thing happened to me: the prepaid account was used by, as it seems, many users, calling different countries.
I tried to figure out what kind of numbers were called, and most of them were "demo" subscriptions for testing VoIP.

I thought that one had to open the firewall if someone external should be able to call via LinuxMCE? And in that case the person using my account would have to go via the provider, so how can they then use my account when LinuxMCE is already registered with the provider?

When the SIP client is registering with the provider, is the user ID and password encrypted or plain text?

I asked for a new password for the account and the new one was much longer.

Anyway, I asked the provider if I could see the log of IP addresses using my account. They informed me that I had to file a report to the police, and that the police would then contact the provider to investigate. Been waiting since July.

Regards Stefan
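Two questions raised above, whether a 6-character uppercase sipgate password is a lot of combinations (purps and fibres) and whether the user ID and password cross the wire in clear text during registration (Stefan), can be worked through with one example. This is added Python, not code from the thread, LinuxMCE or sipgate: it implements the MD5 digest computation that SIP REGISTER inherits from HTTP digest authentication (RFC 3261 reusing RFC 2617, without qop), shows the registrar-side verification that Asterisk or a provider performs, and sizes the keyspace of a 6-letter uppercase password under an online and an offline guessing rate. The username, realm, password, nonce and guessing rates are constructed demo values.

```python
import hashlib
import hmac


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def sip_digest_response(username, realm, password, method, uri, nonce):
    """Digest response for SIP (RFC 3261 / RFC 2617, MD5, no qop):
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def client_authorization(username, realm, password, uri, nonce):
    """Fields a SIP client places in its Authorization header when it re-sends REGISTER
    after a 401 challenge. The password itself is never one of them."""
    return {
        "username": username,
        "realm": realm,
        "nonce": nonce,
        "uri": uri,
        "response": sip_digest_response(username, realm, password, "REGISTER", uri, nonce),
    }


def registrar_verify(auth, stored_password, issued_nonce):
    """Registrar side: reject a nonce it did not issue (replay), recompute the expected
    response from the stored secret, and compare in constant time."""
    if auth["nonce"] != issued_nonce:
        return False
    expected = sip_digest_response(auth["username"], auth["realm"], stored_password,
                                   "REGISTER", auth["uri"], auth["nonce"])
    return hmac.compare_digest(expected, auth["response"])


def keyspace(alphabet_size, length):
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def exhaust_time_seconds(space, guesses_per_second):
    """Worst-case time to try every candidate at a given rate."""
    return space / guesses_per_second


# Constructed demo credentials (not real): numeric SIP ID, 6 uppercase letters, fixed nonce.
DEMO_USER, DEMO_REALM, DEMO_PASSWORD = "1234567e0", "sipgate.co.uk", "QWZXKP"
DEMO_URI, DEMO_NONCE = "sip:sipgate.co.uk", "constructed-nonce-0001"

if __name__ == "__main__":
    auth = client_authorization(DEMO_USER, DEMO_REALM, DEMO_PASSWORD, DEMO_URI, DEMO_NONCE)
    print("Authorization header fields sent:", ", ".join(sorted(auth)))
    print("Registrar accepts correct secret:", registrar_verify(auth, DEMO_PASSWORD, DEMO_NONCE))
    print("Registrar accepts wrong secret:  ", registrar_verify(auth, "QWZXKQ", DEMO_NONCE))
    space = keyspace(26, 6)
    print(f"6 uppercase letters: {space:,} combinations")
    # Assumed rates: a registrar that throttles to 10 attempts/s versus MD5 at 1e8/s on a GPU.
    print(f"  online, 10 guesses/s:  {exhaust_time_seconds(space, 10) / 86400:.0f} days")
    print(f"  offline, 1e8 hashes/s: {exhaust_time_seconds(space, 1e8):.1f} seconds")
```

So the registration is not plain text: only a hash derived from the password, the server's nonce and the request crosses the wire, and a correct registrar also refuses nonces it did not hand out. The hash is still password-derived, though, so anyone who records a registration exchange can test guesses against it offline at hash speed, which is why the two figures differ by orders of magnitude. Provider-side rate limiting only helps in the online case; the password length is what protects the captured digest.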
Title: Re: Has my sipgate UK account been hijacked because of LMCE?
Post by: purps on September 28, 2011, 10:29:15 pm
If the line and trunk are registered then yes. I am guessing in the FreePBX admin there are some extensions configured. If these have weak passwords and they managed to brute force one of these extensions, then they would be able to make calls out of your registered trunks.

I will reiterate, no extensions were set up in FreePBX, not IP phones, nor MD softphones, nothing at all; it was literally just the line and trunk. You reckon they could still use my account even in this situation?
Title: Re: Has my sipgate UK account been hijacked because of LMCE?
Post by: ladekribs on September 28, 2011, 10:42:30 pm
Purps,

I have looked at my FreePBX log and I found that one of my extensions was used; it had a weak password (I expected that the firewall was closed so it would not matter). Learned a lesson, but are there more pitfalls?

You said you had just the line and trunk. Is the "line" an extension? Did it also have a weak password?


Regards Stefan
Title: Re: Has my sipgate UK account been hijacked because of LMCE?
Post by: fibres on September 28, 2011, 11:35:57 pm
I would guess you are referring to line and trunk as the same thing?

Does LMCE not create some extensions by default? Had you removed these?

No, without an extension they shouldn't have been able to call.

Ladekribs, which log file showed this and where is it located? I am not hugely familiar with FreePBX.

I would guess that SIP port 5060 is open on the LMCE firewall by default, as if it were blocked it could cause problems with calls coming in from the provider.


Regards
Title: Re: Has my sipgate UK account been hijacked because of LMCE?
Post by: purps on September 28, 2011, 11:48:23 pm
LMCE did not create those extensions; that is a separate problem that I have been having with my installation of LMCE. Again, there were no extensions set up in FreePBX.
Title: Re: Has my sipgate UK account been hijacked because of LMCE?
Post by: ladekribs on September 29, 2011, 12:02:57 am
Fibres,

Logs found at Web admin - Advanced - Configuration - Phones setup - (FreePBX) - Reports
Title: Re: Has my sipgate UK account been hijacked because of LMCE?
Post by: fibres on September 29, 2011, 12:12:04 am
That is strange then.

Not sure how they accessed your account then. Can sipgate tell you the IP address that the calls were made from?
Or at least confirm if it was from your IP or not?

Might be worth just having a quick look there purps to see if they have got in through your system.

May shed some light on it.

Regards
Title: Re: Has my sipgate UK account been hijacked because of LMCE?
Post by: twodogs on September 29, 2011, 12:49:46 am
Purps,

Nothing to add except my condolences. Simultaneous problems with MCE, VOIP provider, and SWMBO is the trifecta of pain.

Twodogs
Title: Re: Has my sipgate UK account been hijacked because of LMCE?
Post by: purps on September 29, 2011, 06:42:11 pm
That is strange then.

Not sure how they accessed your account then. Can sipgate tell you the IP address that the calls were made from?
Or at least confirm if it was from your IP or not?

Might be worth just having a quick look there purps to see if they have got in through your system.

May shed some light on it.

Regards

Thanks, yes, I will contact sipgate and ask that question. Anything else you think I should ask whilst I am there?

Purps,

Nothing to add except my condolences. Simultaneous problems with MCE, VOIP provider, and SWMBO is the trifecta of pain.

Twodogs

Thank you Twodogs, it's not that bad, perhaps I am being a little melodramatic. We have far more important things going on at the moment. I have just accepted a new job, and we will be buying our first house together soon, so it's all go. I will certainly be getting back on the wiki tasks now that the interviews are finally over!

Cheers,
Matt.
Title: Re: Has my sipgate UK account been hijacked because of LMCE?
Post by: fibres on September 30, 2011, 01:24:44 am
I would just check the logs suggested above by ladekribs.

You should be able to see if the calls have been made through your system. If you see calls in the logs but don't understand what they mean, PM me a copy and I'll have a look.

Regards
Title: Re: Has my sipgate UK account been hijacked because of LMCE?
Post by: purps on September 30, 2011, 10:32:13 am
Thank you very much for that offer fibres, I will certainly take you up on that.

Sipgate got back to me very quickly - the calls were made from 41.239.173.188, which certainly isn't my IP. Does that add up, seeing as I don't reckon I had any extensions set up?

Thanks again.

Cheers,
Matt.
Title: Re: Has my sipgate UK account been hijacked because of LMCE?
Post by: fibres on September 30, 2011, 04:20:58 pm
That seems to rule out the calls being made from an unsecured extension on your system.

However, does the FreePBX admin page have a default password set, and do you know if it is accessible from outside your network?

If this is the case it is possible they got your details from the admin page.

Regards