[Freeswitch-users] FS account got hacked **urgent**

Steven Ayre steveayre at gmail.com
Thu Mar 2 23:36:23 MSK 2017


Or given the content of the string... bypass a CLI whitelist?

On 2 March 2017 at 20:34, Steven Ayre <steveayre at gmail.com> wrote:

> It's possible it's an attack against the CDR database rather than the SIP
> one http://www.securityfocus.com/bid/8599/discuss
>
> On 1 March 2017 at 06:36, Michael Jerris <mike at jerris.com> wrote:
>
>> I don't think it will... we have pretty robust SQL injection protection
>> in the SIP module.  If anyone finds a hole in that please file a bug, but I'm
>> doubtful there will be one.
>>
>> On Tue, Feb 28, 2017 at 9:41 PM David Villasmil <
>> david.villasmil.work at gmail.com> wrote:
>>
>>> I can try this tomorrow
>>> On Wed, Mar 1, 2017 at 1:06 AM Brian West <brian at freeswitch.org> wrote:
>>>
>>> I haven't seen it actually accomplish anything against my instances of
>>> FreeSWITCH, I just googled the string and it's in the SQL Injection list,
>>> but what I'm wondering is if you're using PGSQL or MYSQL if that invite I put
>>> in my last message causes any issues.
>>>
>>> /b
>>>
>>>
>>> On Tue, Feb 28, 2017 at 6:01 PM, Russell Treleaven <
>>> rtreleaven at bunnykick.ca> wrote:
>>>
>>> I've been seeing it for approximately a week.
>>>
>>> On Feb 28, 2017 6:59 PM, "Brian West" <brian at freeswitch.org> wrote:
>>>
>>> You can calm down. Do you have any proof you've been hacked?  This
>>> appears to be an SQL Injection attempt, I started seeing this yesterday!
>>>
>>> Here is what I had in my logs and what the packet has in it:
>>>
>>> 2017-02-27 18:40:20.451831 [WARNING] switch_core_state_machine.c:687 a7c86b62-4dbf-4609-8bc2-3b6a38e2686a sofia/internal/‘hi'or‘x’='x'@190.102.98.246 Abandoned
>>> 2017-02-27 18:40:20.451831 [NOTICE] switch_core_state_machine.c:690 Hangup sofia/internal/‘hi'or‘x’='x'@190.102.98.246 [CS_NEW] [WRONG_CALL_STATE]
>>> 2017-02-27 18:40:20.451831 [NOTICE] switch_core_session.c:1730 Session 2 (sofia/internal/‘hi'or‘x’='x'@190.102.98.246) Ended
>>> 2017-02-27 18:40:20.451831 [NOTICE] switch_core_session.c:1734 Close Channel sofia/internal/‘hi'or‘x’='x'@190.102.98.246 [CS_DESTROY]
>>>
>>>
>>>
>>>    INVITE sip:1259360048825408632@190.102.98.246 SIP/2.0
>>>    Via: SIP/2.0/UDP 62.210.245.31:41254;branch=z9hG4bK-524287-1---321bda12cf15b137;rport
>>>    Max-Forwards: 70
>>>    Contact: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@62.210.245.31:41254>;+sip.instance="<urn:uuid:4c5f3dc8-9f8a-4470-9b43-bd04fcd1634d>"
>>>    To: <sip:1259360048825408632@190.102.98.246>
>>>    From: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@190.102.98.246>;tag=UBAWADPX
>>>    Call-ID: OIERRISLMMBKZCIIUGWESXQM
>>>    CSeq: 1 INVITE
>>>    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO
>>>    Content-Type: application/sdp
>>>    Supported: replaces
>>>    User-Agent: Cisco-SIPGateway/IOS-12.x
>>>    Allow-Events: hold, talk, conference
>>>    Content-Length: 0
>>>
>>>
>>> I would like to dive deeper and see if anyone else has seen this, I had
>>> also seen it today in the FreeSWITCH hipchat channel.
>>>
>>> /b
>>>
>>>
>>>
>>> On Tue, Feb 28, 2017 at 2:38 PM, Siju Nair <siju.irs at gmail.com> wrote:
>>>
>>> Hi team,
>>>
>>> Please help on below query
>>>
>>> Sent from my iPhone
>>>
>>> > On 28-Feb-2017, at 3:59 PM, Siju Nair <siju.irs at gmail.com> wrote:
>>> >
>>> > Hi Team
>>> >
>>> > My account got hacked and attacked using my DID number as caller ID
>>> > and making calls via my FS server.
>>> >
>>> > In logs I could notice this sofia/external/'hi'or'x'='x' ... what does
>>> > this mean and how can they set my DID as caller ID and make calls... Urgent
>>> > help needed.
>>> >
>>> > Thanks,
>>> > Siju Nair
>>>
>>> ____________________________________________________________
>>> _____________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://confluence.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>>
>>>
>>>
>>> --
>>>
>>> *Brian West*
>>> brian at freeswitch.org
>>>
>>> *Twitter: @FreeSWITCH , @briankwest*
>>>
>>> http://www.freeswitchbook.com
>>> http://www.freeswitchcookbook.com
>>>
>>> Allison prompts for FreeSWITCH:
>>>
>>> *https://www.gofundme.com/allison-prompts-for-freeswitch*
>>> <https://www.gofundme.com/allison-prompts-for-freeswitch>
>>>
>>> Wish to schedule a meeting?
>>>
>>> http://app.timebridge.com/#/meet/freeswitch
>>>
>>> Got Bugs? Report them here <https://freeswitch.org/jira>! | Reddit:
>>> /r/freeswitch <https://www.reddit.com/r/freeswitch>
>>>
>>> *T:*+19184209001 <(918)%20420-9001> | *F:*+19184209002
>>> <(918)%20420-9002> | *M:*+1918424WEST (9378)
>>> *Skype:*briankwest
>
>
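
Added example, not part of the original thread and not FreeSWITCH code: a Python check that percent-decodes the SIP URI user parts of the INVITE quoted above, flags any that fail an assumed caller-ID policy, and shows bound parameters keeping the string inert in a CDR insert and a CLI whitelist lookup (the two targets suggested in this reply). The table names, the SAFE_USER policy and the whitelist number are assumptions for illustration.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample: Contact/To/From headers of the INVITE quoted in this thread.
INVITE = (
    "INVITE sip:1259360048825408632@190.102.98.246 SIP/2.0\r\n"
    "Contact: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@62.210.245.31:41254>\r\n"
    "To: <sip:1259360048825408632@190.102.98.246>\r\n"
    "From: <sip:%e2%80%98hi%27or%e2%80%98x%e2%80%99%3d%27x%27@190.102.98.246>;tag=UBAWADPX\r\n"
)

URI_USER = re.compile(r"^(From|To|Contact):.*?<sips?:([^@>]*)@", re.I | re.M)
# Assumed policy: optional '+', then digits or plain name characters only.
SAFE_USER = re.compile(r"^\+?[A-Za-z0-9._-]{1,32}$")
# Typographic quotes are folded to ASCII before the policy check.
FOLD = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})

def suspicious_users(sip_message):
    """Return (header, decoded user part) for each URI user failing SAFE_USER."""
    hits = []
    for header, raw in URI_USER.findall(sip_message):
        user = unquote(raw, encoding="utf-8", errors="replace").translate(FOLD)
        if not SAFE_USER.match(user):
            hits.append((header, user))
    return hits

def store_cdr(conn, caller, callee):
    """Insert a CDR row with bound parameters; the caller string is data only."""
    conn.execute("INSERT INTO cdr (caller, callee) VALUES (?, ?)", (caller, callee))

def is_whitelisted(conn, caller):
    """Whitelist lookup with a bound parameter, so a tautology cannot match."""
    row = conn.execute("SELECT 1 FROM cli_whitelist WHERE cli = ?", (caller,)).fetchone()
    return row is not None

def demo():
    conn = sqlite3.connect(":memory:")  # hypothetical schema, not FreeSWITCH's
    conn.execute("CREATE TABLE cdr (caller TEXT, callee TEXT)")
    conn.execute("CREATE TABLE cli_whitelist (cli TEXT)")
    conn.execute("INSERT INTO cli_whitelist VALUES ('+15550100')")  # constructed number
    hits = suspicious_users(INVITE)
    for _, user in hits:
        store_cdr(conn, user, "1259360048825408632")
    stored = [r[0] for r in conn.execute("SELECT caller FROM cdr")]
    return hits, stored, [is_whitelisted(conn, u) for _, u in hits]
```

After folding, the decoded user part is the same 'hi'or'x'='x' string reported in the original question's logs.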