[Freeswitch-users] FS account got hacked **urgent**

Shaun Stokes shaun.stokes at itec-support.co.uk
Wed Mar 1 14:15:42 MSK 2017


It's possible a device connected to your platform was compromised, or the attacker conducted a man-in-the-middle attack; either way, they've gained the login credentials.

You should consider using IP blacklists and an IPS firewall; we use both, and the ones that sneak through the blacklist are picked up by our IPS and reported to abuse@, but the problem is never-ending.

The attackers typically route calls to high-cost numbers used for fraud; you should report this to the carriers that hold the numbers dialled as fraud.
https://www.textmagic.com/free-tools/carrier-lookup

Other recommendations:
- Limit to 2 or 3 channels per account; https://wiki.freeswitch.org/wiki/Limit
- Use a script to regularly monitor your CDR files and disable accounts which meet certain criteria (i.e. concurrent calls to the same destination, credit limit)
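A script along the lines of the last recommendation, added here as an illustration and not code from this thread or from FreeSWITCH: it reads constructed CSV CDR rows (the column layout of accountcode, destination_number, start_stamp, end_stamp, billsec is assumed, as are the per-prefix rates and thresholds) and flags accounts with too many concurrent calls to one destination or spend over a credit limit, which a cron job could then disable.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample CDRs (not real traffic); assumed CSV layout:
# accountcode, destination_number, start_stamp, end_stamp, billsec
SAMPLE_CDR = """\
1001,0016485550123,2017-02-28 19:38:23,2017-02-28 19:45:23,420
1001,0016485550123,2017-02-28 19:38:30,2017-02-28 19:46:00,450
1001,0016485550123,2017-02-28 19:38:40,2017-02-28 19:44:10,330
1002,441453555000,2017-02-28 20:00:00,2017-02-28 20:01:00,60
1003,0016485550123,2017-02-28 21:00:00,2017-02-28 22:30:00,5400
"""

RATE_PER_SEC = {"001": 0.05, "0081": 0.04}  # assumed per-second rates by dialled prefix
MAX_CONCURRENT_SAME_DEST = 2                  # more than this to one number is suspicious
CREDIT_LIMIT = 100.0                          # assumed per-account spend ceiling for the window

def _rate(dest):
    # Assumed tariff: known high-cost prefixes, everything else is cheap.
    return next((r for p, r in RATE_PER_SEC.items() if dest.startswith(p)), 0.001)

def parse_cdrs(text):
    fmt = "%Y-%m-%d %H:%M:%S"
    return [(acct, dest, datetime.strptime(s, fmt), datetime.strptime(e, fmt), int(bs))
            for acct, dest, s, e, bs in csv.reader(StringIO(text))]

def max_concurrent(intervals):
    # Sweep line over (time, +1/-1) events; -1 sorts first at equal times, so a
    # call ending exactly when another starts does not count as an overlap.
    events = sorted([(s, 1) for s, _ in intervals] + [(e, -1) for _, e in intervals])
    peak = live = 0
    for _, delta in events:
        live += delta
        peak = max(peak, live)
    return peak

def accounts_to_disable(rows):
    # Map accountcode -> reasons for every account that trips either rule.
    calls, spend, flagged = {}, {}, {}
    for acct, dest, start, end, billsec in rows:
        calls.setdefault((acct, dest), []).append((start, end))
        spend[acct] = spend.get(acct, 0.0) + billsec * _rate(dest)
    for (acct, dest), ivals in calls.items():
        peak = max_concurrent(ivals)
        if peak > MAX_CONCURRENT_SAME_DEST:
            flagged.setdefault(acct, []).append(f"{peak} concurrent calls to {dest}")
    for acct, cost in spend.items():
        if cost > CREDIT_LIMIT:
            flagged.setdefault(acct, []).append(f"spend {cost:.2f} exceeds credit limit {CREDIT_LIMIT:.2f}")
    return flagged

# Print the verdicts; a real job would disable the account via fs_cli or the user directory here.
print("\n".join(f"disable {a}: " + "; ".join(r) for a, r in accounts_to_disable(parse_cdrs(SAMPLE_CDR)).items()))
```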

-----Original Message-----
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Brian :
Sent: 01 March 2017 07:39
To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
Subject: Re: [Freeswitch-users] FS account got hacked **urgent**

Same as - all coming from 62.210.245.31 - reported to abuse@, but meh. Not just a FreeSWITCH thing obviously - there must be some vulnerability these wasters are trying to gain profit from.

They are actually spoofing a credible UA for once.


2017-02-28 19:38:23 +0000 : 62.210.245.31:41254 -> 8.8.28.60:5060 INVITE sip:001648825408632 at 8.8.28.60 SIP/2.0
Via: SIP/2.0/UDP 62.210.245.31:41254;branch=z9hG4bK-524287-1---321bda12cf15b137;rport
Max-Forwards: 70
Contact: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27 at 62.210.245.31:41254>;+sip.instance="<urn:uuid:546752fe-1c36-4770-9db8-1db98b72700f>"
To: <sip:001648825408632 at 8.8.28.60>
From: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27 at 8.8.28.60>;tag=DLMPQMRN
Call-ID: SWZYYRWNLTZCVZRAYLXRXNWU
CSeq: 1 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO
Content-Type: application/sdp
Supported: replaces
User-Agent: Cisco-SIPGateway/IOS-12.x
Allow-Events: hold, talk, conference
Content-Length: 0

Brian



On Wed, Mar 1, 2017 at 6:55 AM, jay binks <jaybinks at gmail.com> wrote:
> Yeah man, I'm seeing the exact same thing.
> From the same IP actually.
>
>
> INVITE sip:0008148825408632 at 180.214.68.115 SIP/2.0
> Via: SIP/2.0/UDP 62.210.245.31:41254;branch=z9hG4bK-524287-1---321bda12cf15b137;rport
> Max-Forwards: 70
> Contact: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27 at 62.210.245.31:41254>;+sip.instance="<urn:uuid:f6d7a08c-d1d0-4bb1-9f09-01d032f62c38>"
> To: <sip:0008148825408632 at 180.214.68.115>
> From: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27 at 180.214.68.115>;tag=LNDMJRRH
> Call-ID: XXINXNMLKORRQSRCIOPQFLZM
> CSeq: 1 INVITE
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO
> Content-Type: application/sdp
> Supported: replaces
> User-Agent: Cisco-SIPGateway/IOS-12.x
> Allow-Events: hold, talk, conference
> Content-Length: 0
>
> On 1 March 2017 at 09:59, Brian West <brian at freeswitch.org> wrote:
>>
>> You can calm down. Do you have any proof you've been hacked? This
>> appears to be an SQL injection attempt; I started seeing this yesterday!
>>
>> Here is what I had in my logs and what the packet has in it:
>>
>> 2017-02-27 18:40:20.451831 [WARNING] switch_core_state_machine.c:687 a7c86b62-4dbf-4609-8bc2-3b6a38e2686a sofia/internal/‘hi'or‘x’='x'@190.102.98.246 Abandoned
>> 2017-02-27 18:40:20.451831 [NOTICE] switch_core_state_machine.c:690 Hangup sofia/internal/‘hi'or‘x’='x'@190.102.98.246 [CS_NEW] [WRONG_CALL_STATE]
>> 2017-02-27 18:40:20.451831 [NOTICE] switch_core_session.c:1730 Session 2 (sofia/internal/‘hi'or‘x’='x'@190.102.98.246) Ended
>> 2017-02-27 18:40:20.451831 [NOTICE] switch_core_session.c:1734 Close Channel sofia/internal/‘hi'or‘x’='x'@190.102.98.246 [CS_DESTROY]
>>
>>
>>
>> INVITE sip:1259360048825408632 at 190.102.98.246 SIP/2.0
>> Via: SIP/2.0/UDP 62.210.245.31:41254;branch=z9hG4bK-524287-1---321bda12cf15b137;rport
>> Max-Forwards: 70
>> Contact: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27 at 62.210.245.31:41254>;+sip.instance="<urn:uuid:4c5f3dc8-9f8a-4470-9b43-bd04fcd1634d>"
>> To: <sip:1259360048825408632 at 190.102.98.246>
>> From: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27 at 190.102.98.246>;tag=UBAWADPX
>> Call-ID: OIERRISLMMBKZCIIUGWESXQM
>> CSeq: 1 INVITE
>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO
>> Content-Type: application/sdp
>> Supported: replaces
>> User-Agent: Cisco-SIPGateway/IOS-12.x
>> Allow-Events: hold, talk, conference
>> Content-Length: 0
>>
>>
>> I would like to dive deeper and see if anyone else has seen this, I
>> had also seen it today in the FreeSWITCH hipchat channel.
>>
>> /b
>>
>>
>>
>> On Tue, Feb 28, 2017 at 2:38 PM, Siju Nair <siju.irs at gmail.com> wrote:
>>>
>>> Hi team ,
>>>
>>> Please help on below query
>>>
>>> > On 28-Feb-2017, at 3:59 PM, Siju Nair <siju.irs at gmail.com> wrote:
>>> >
>>> > Hi Team
>>> >
>>> > My account got hacked and attacked using my DID number as caller
>>> > ID and making calls via my FS server.
>>> >
>>> > In the logs I could notice this: sofia/external/'hi'or'x'='x' ... what
>>> > does this mean, and how can they set my DID as caller ID and make
>>> > calls... Urgent help needed.
>>> >
>>> > Thanks,
>>> > Siju Nair
>>>
>>
>>
>>
>>
>> --
>>
>> Brian West
>> brian at freeswitch.org
>
>
>
>
> --
> Sincerely
>
> Jay
>

_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
consulting at freeswitch.org
http://www.freeswitchsolutions.com

Official FreeSWITCH Sites
http://www.freeswitch.org
http://confluence.freeswitch.org
http://www.cluecon.com

FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
