PBXes » English » Bugs » RE: big security issue
key

big security issue

Dear Sirs,
our extensions are all connected to a static IP (46.14.231.10 - Switzerland).
In the past days some Palestinian IPs (188.161.240.182, 188.161.104.53 and maybe others) connected to the PBX and made some (actually a lot of) calls through it, burning some money from our traffic provider.

Could you please explain how this could happen?
This is a big security issue.
Looking forward to hearing from you.

Kindest regards


31.05.2011 14:40, key
baz

RE: big security issue

Hi,

You mean they logged into pbxes as one of your extensions and then made some calls?

31.05.2011 15:35, bazmercer
key

RE: big security issue

Yes, correct! They logged in to the PBX with an extension, let's say 301, and made some calls to unknown Palestinian, Saudi Arabian and Ascension numbers.


31.05.2011 15:39, key
i-p (Super Moderator, registered 14.01.2006, 4815 posts)

RE: big security issue

It looks like they registered as your extension 101 by stealing your password somehow, either the password of your account or the extension's. We noticed that some of your extensions don't have a password set at all.

31.05.2011 23:38, i-p-tel
key

RE: big security issue

They registered to extension 101 and also to extensions 301 and 307.
The only extension without a password is 251, which is connected to an extension belonging to another PBX.
Also, we do not have a general outbound route, and extension 251 does not have an outbound route.

Another thing: below you will find a list of intrusions from your IP to our firewall:


[fwbaa-01][INFO-850] Intrusion Prevention Alert.eml
Subject:
[fwbaa-01][INFO-850] Intrusion Prevention Alert
From:
"Firewall Notification System" <do-not-reply@fw-notify.net>
Date:
Tue, 31 May 2011 09:19:02 +0200
To:
<alertas@keycto.ch>

Intrusion Prevention Alert

An intrusion has been detected. The packet has *not* been dropped.
If you want to block packets like this one in the future,
set the corresponding intrusion protection rule to "drop" in WebAdmin.
Be careful not to block legitimate traffic caused by false alerts though.

Details about the intrusion alert:

Message........: VOIP-SIP inbound 401 unauthorized message
Details........: http://www.snort.org/search/sid/11969?r=1
Time...........: 2011:05:31-09:18:45
Packet dropped.: no
Priority.......: 3 (low)
Classification.: Generic Protocol Command Decode
IP protocol....: 17 (UDP)

Source IP address: 188.40.65.148 (showm.ee)
- http://www.dnsstuff.com/tools/ptr.ch?ip=188.40.65.148
- http://www.ripe.net/perl/whois?query=188.40.65.148
- http://ws.arin.net/cgi-bin/whois.pl?queryinput=188.40.65.148
- http://cgi.apnic.net/apnic-bin/whois.pl?search=188.40.65.148
Source port: 5060 (sip)
Destination IP address: 192.168.200.150
- http://www.dnsstuff.com/tools/ptr.ch?ip=192.168.200.150
- http://www.ripe.net/perl/whois?query=192.168.200.150
- http://ws.arin.net/cgi-bin/whois.pl?quer...192.168.200.150
- http://cgi.apnic.net/apnic-bin/whois.pl?...192.168.200.150
Destination port: 5060 (sip)


The send limit for this notification has been reached. No further
notifications of this type will be sent during this period.

--
System Uptime : 80 days 23 hours 3 minutes
System Load : 0.25
System Version : Astaro Security Gateway Appliance 7.510
Please refer to the manual for detailed instructions.


[fwbaa-01][INFO-850] Intrusion Prevention Alert.eml
Subject:
[fwbaa-01][INFO-850] Intrusion Prevention Alert
From:
"Firewall Notification System" <do-not-reply@fw-notify.net>
Date:
Tue, 31 May 2011 09:19:02 +0200
To:
<alertas@keycto.ch>

Intrusion Prevention Alert

An intrusion has been detected. The packet has *not* been dropped.
If you want to block packets like this one in the future,
set the corresponding intrusion protection rule to "drop" in WebAdmin.
Be careful not to block legitimate traffic caused by false alerts though.

Details about the intrusion alert:

Message........: VOIP-SIP outbound 100 Trying message
Details........: http://www.snort.org/search/sid/12074?r=1
Time...........: 2011:05:31-09:18:45
Packet dropped.: no
Priority.......: 3 (low)
Classification.: Generic Protocol Command Decode
IP protocol....: 17 (UDP)

Source IP address: 188.40.65.148 (showm.ee)
- http://www.dnsstuff.com/tools/ptr.ch?ip=188.40.65.148
- http://www.ripe.net/perl/whois?query=188.40.65.148
- http://ws.arin.net/cgi-bin/whois.pl?queryinput=188.40.65.148
- http://cgi.apnic.net/apnic-bin/whois.pl?search=188.40.65.148
Source port: 5060 (sip)
Destination IP address: 192.168.200.150
- http://www.dnsstuff.com/tools/ptr.ch?ip=192.168.200.150
- http://www.ripe.net/perl/whois?query=192.168.200.150
- http://ws.arin.net/cgi-bin/whois.pl?quer...192.168.200.150
- http://cgi.apnic.net/apnic-bin/whois.pl?...192.168.200.150
Destination port: 5060 (sip)


--
System Uptime : 80 days 23 hours 3 minutes
System Load : 0.25
System Version : Astaro Security Gateway Appliance 7.510
Please refer to the manual for detailed instructions.


[fwbaa-01][INFO-850] Intrusion Prevention Alert.eml
Subject:
[fwbaa-01][INFO-850] Intrusion Prevention Alert
From:
"Firewall Notification System" <do-not-reply@fw-notify.net>
Date:
Tue, 31 May 2011 09:19:01 +0200
To:
<alertas@keycto.ch>

Intrusion Prevention Alert

An intrusion has been detected. The packet has *not* been dropped.
If you want to block packets like this one in the future,
set the corresponding intrusion protection rule to "drop" in WebAdmin.
Be careful not to block legitimate traffic caused by false alerts though.

Details about the intrusion alert:

Message........: VOIP-SIP inbound 100 Trying message
Details........: http://www.snort.org/search/sid/12073?r=1
Time...........: 2011:05:31-09:18:45
Packet dropped.: no
Priority.......: 3 (low)
Classification.: Generic Protocol Command Decode
IP protocol....: 17 (UDP)

Source IP address: 188.40.65.148 (showm.ee)
- http://www.dnsstuff.com/tools/ptr.ch?ip=188.40.65.148
- http://www.ripe.net/perl/whois?query=188.40.65.148
- http://ws.arin.net/cgi-bin/whois.pl?queryinput=188.40.65.148
- http://cgi.apnic.net/apnic-bin/whois.pl?search=188.40.65.148
Source port: 5060 (sip)
Destination IP address: 192.168.200.150
- http://www.dnsstuff.com/tools/ptr.ch?ip=192.168.200.150
- http://www.ripe.net/perl/whois?query=192.168.200.150
- http://ws.arin.net/cgi-bin/whois.pl?quer...192.168.200.150
- http://cgi.apnic.net/apnic-bin/whois.pl?...192.168.200.150
Destination port: 5060 (sip)


--
System Uptime : 80 days 23 hours 3 minutes
System Load : 0.25
System Version : Astaro Security Gateway Appliance 7.510
Please refer to the manual for detailed instructions.

Could you please give us some explanation?
Also, could you please explain to us what you mean by "by stealing your password somehow"?
As far as I know, the only way to steal our password (and the user name) is through your system. I am starting to think that you have some big security problems and somebody has found some holes.
Could you please check and revert to us as soon as possible?

Kindest regards

01.06.2011 09:16, key
baz

RE: big security issue

I'd suggest you choose better passwords for your extensions, and as iptel have mentioned, some of them don't even have a password.

Regarding the intrusion detection, they look like valid SIP messages to me. Presumably you're connecting to pbxes from wherever those messages are coming from?

01.06.2011 15:40, bazmercer
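Before reading the three quoted notifications as evidence of an intrusion, it helps to parse them into fields and aggregate them by source. The following Python is an added example written for this thread; it is neither the poster's nor pbxes' nor Astaro's code. It rebuilds the "Details about the intrusion alert" sections of the three alerts from one constructed template using the values shown above, and `known_peers` is an assumption the reader fills with the addresses of their own SIP provider and phones. Run on these three, it reports a single source, priority 3 (low), protocol-decode classification and nothing dropped; 401 and 100 Trying are ordinary SIP responses, so the next thing to look at is whether that source is a peer you already talk to, which is exactly the question baz asks.

```python
import re
from collections import Counter

# Constructed sample: the "Details about the intrusion alert" section of the three Astaro
# notifications quoted in the thread, rebuilt from one template with the values shown there.
ALERT_TEMPLATE = """\
Message........: {message}
Details........: http://www.snort.org/search/sid/{sid}?r=1
Time...........: 2011:05:31-09:18:45
Packet dropped.: no
Priority.......: 3 (low)
Classification.: Generic Protocol Command Decode
IP protocol....: 17 (UDP)

Source IP address: 188.40.65.148 (showm.ee)
Source port: 5060 (sip)
Destination IP address: 192.168.200.150
Destination port: 5060 (sip)
"""
SAMPLE_ALERTS = [
    ALERT_TEMPLATE.format(message="VOIP-SIP inbound 401 unauthorized message", sid=11969),
    ALERT_TEMPLATE.format(message="VOIP-SIP outbound 100 Trying message", sid=12074),
    ALERT_TEMPLATE.format(message="VOIP-SIP inbound 100 Trying message", sid=12073),
]

# "Key........: value" lines; the dot padding is part of the Astaro layout, not of the key.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\.*: (?P<value>.+)$")
ADDR_RE = re.compile(r"^(Source|Destination) IP address: (\S+)")
PORT_RE = re.compile(r"^(Source|Destination) port: (\d+)")


def parse_alert(text):
    """Turn one notification body into a dict of normalised fields."""
    alert = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ADDR_RE.match(line):
            alert[f"{m.group(1).lower()}_ip"] = m.group(2)
        elif m := PORT_RE.match(line):
            alert[f"{m.group(1).lower()}_port"] = int(m.group(2))
        elif m := FIELD_RE.match(line):
            key = m.group("key").strip().lower().replace(" ", "_")
            alert[key] = m.group("value").strip()
    alert["dropped"] = alert.get("packet_dropped", "no").lower() == "yes"
    # Snort priorities: 1 is the most severe, 3 (as in these alerts) the least.
    alert["priority"] = int(alert.get("priority", "0").split()[0])
    return alert


def summarize(alerts):
    """Aggregate a batch the way an analyst triages it: who, how severe, was anything blocked."""
    return {
        "count": len(alerts),
        "sources": dict(Counter(a["source_ip"] for a in alerts)),
        "dropped": sum(1 for a in alerts if a["dropped"]),
        "highest_priority": min(a["priority"] for a in alerts),
        "messages": sorted({a["message"] for a in alerts}),
    }


def unexpected_sources(alerts, known_peers):
    """Source addresses that are not a SIP peer you already know (provider, your own phones)."""
    return {a["source_ip"] for a in alerts if a["source_ip"] not in known_peers}


if __name__ == "__main__":
    parsed = [parse_alert(t) for t in SAMPLE_ALERTS]
    print(summarize(parsed))
    # Assumption: the reader fills this set with their provider's and phones' addresses.
    print("unknown SIP sources:", unexpected_sources(parsed, known_peers=set()))
```

A low-priority "Generic Protocol Command Decode" alert on UDP/5060 from a peer you register with is routine signalling; the same alert from an address you have never exchanged SIP with is worth keeping, which is why the parser keeps the source and the "dropped" flag separate from the message text.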
i-p (Super Moderator, registered 14.01.2006, 4815 posts)

RE: big security issue

@key
We are still looking into it, but you should change passwords of all of your SIP extensions as soon as possible.

01.06.2011 20:40, i-p-tel
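The two checks the replies in this thread amount to, finding extensions with no or weak SIP secrets and spotting successful registrations that do not come from the one static address the poster says all extensions use, can be run mechanically. The following Python is an added example written for this thread, not code from pbxes or the poster. The extension table and the REGISTER log are constructed: the source addresses are the ones named in the thread, the timestamps and secrets are invented, and the one-line-per-event log format is hypothetical, not a real PBX log format. It goes slightly beyond the thread by accepting allowed networks in CIDR form rather than a single address.

```python
import ipaddress

# Constructed extension table (not the poster's real configuration). "allowed" lists the
# networks a phone on that extension is expected to register from; the thread says all
# extensions sit behind one static IP, so each entry uses that single address as a /32.
EXTENSIONS = {
    "101": {"secret": "101",            "allowed": ["46.14.231.10/32"]},  # secret equals the extension
    "251": {"secret": "",               "allowed": ["46.14.231.10/32"]},  # no password set
    "301": {"secret": "Tz7#q!v9LmR2wE", "allowed": ["46.14.231.10/32"]},
}

# Constructed registration log, hypothetical format: "<time> <extension> <source ip> <result>".
# The source addresses are the ones the thread names; the timestamps are invented.
REGISTER_LOG = """\
2011-05-30T08:01:12 301 46.14.231.10 ok
2011-05-30T22:14:03 301 188.161.240.182 ok
2011-05-30T22:14:05 307 188.161.104.53 ok
2011-05-31T03:40:41 101 188.161.240.182 ok
2011-05-31T07:55:00 251 46.14.231.10 ok
"""


def audit_secrets(extensions, min_length=12):
    """Return {extension: reason} for every SIP secret that should be changed."""
    findings = {}
    for ext, cfg in extensions.items():
        secret = cfg.get("secret", "")
        if not secret:
            findings[ext] = "no password set"
        elif secret == ext:
            findings[ext] = "password equals extension number"
        elif len(secret) < min_length:
            findings[ext] = f"password shorter than {min_length} characters"
    return findings


def parse_register_log(text):
    """Parse the constructed log into events; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        time, ext, src, result = parts
        events.append({"time": time, "ext": ext,
                       "src": ipaddress.ip_address(src), "ok": result == "ok"})
    return events


def foreign_registrations(events, extensions):
    """Successful REGISTERs from outside the networks allowed for that extension."""
    flagged = []
    for ev in events:
        if not ev["ok"]:
            continue
        cfg = extensions.get(ev["ext"])
        if cfg is None:
            flagged.append((ev["time"], ev["ext"], str(ev["src"]), "extension not in inventory"))
            continue
        nets = [ipaddress.ip_network(n) for n in cfg["allowed"]]
        if not any(ev["src"] in net for net in nets):
            flagged.append((ev["time"], ev["ext"], str(ev["src"]), "source outside allowed networks"))
    return flagged


def extensions_with_multiple_sources(events):
    """Extensions registered from more than one address; a phone on a fixed IP should show one."""
    seen = {}
    for ev in events:
        if ev["ok"]:
            seen.setdefault(ev["ext"], set()).add(str(ev["src"]))
    return {ext: sorted(ips) for ext, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    print("secrets to change:", audit_secrets(EXTENSIONS))
    events = parse_register_log(REGISTER_LOG)
    for item in foreign_registrations(events, EXTENSIONS):
        print("foreign registration:", item)
    print("multi-source extensions:", extensions_with_multiple_sources(events))
```

On the constructed data this flags 101 and 251 for their secrets, flags 307 because it is not in the inventory at all (the thread never lists it as a configured extension), and shows 301 registered from both the static address and a foreign one, which is the pattern of a second device holding the same credentials. Keeping an allowed-network list per extension is what lets the outbound-route check the poster mentions become a registration-time check instead of a billing-time discovery.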
 