Severe security warning - Extensions with matching secret

kerryg
Posts: 6790
Member Since:
2006-05-31

There are some new scripts out in the wild that are attacking Asterisk-based systems. These scripts attempt to authenticate to your SIP extensions. If you have configured your extensions with the secret being the same as the extension number and you have SIP or IAX2 exposed to the internet, then your system is vulnerable.

What happens is that the scripts connect and find extensions that they can log in as, then calls start getting made through your system. This can seriously rack up your phone charges.

Although we have not seen this with IAX2 extensions, it's just a matter of time before the hackers start going after that as well.

It is mandatory that everyone go through their extensions immediately and make sure you change your secrets from being the same as the extensions to preferably some strong password.

--

Kerry Garrison
http://www.VoipStore.com - http://3cxbook.com
(888) VOIPSTORE - (888) 864-7786
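
One way to run the check described in the post above, as an added example that is not part of the original thread or any trixbox tooling: it parses Asterisk `sip.conf`-style text and flags extensions whose secret equals the extension number or is otherwise weak. The sample configuration is constructed, and the `min_len` threshold is an assumed policy.

```python
import re

# Constructed sample in Asterisk sip.conf syntax (not taken from the thread).
SAMPLE_SIP_CONF = """\
[general]
bindport=5060
[101]
type=friend
secret=101   ; secret matches the extension
host=dynamic
[102]
secret=Xq7!vB2p#Lm9Zr4t
[103]
secret=1234
"""

SECTION = re.compile(r"^\[([^\]]+)\]")
SETTING = re.compile(r"^(\w+)\s*=>?\s*(.*)$")

def parse_peers(text):
    """Return {section: {key: value}} for every section except [general]."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            name = m.group(1)
            current = None if name == "general" else peers.setdefault(name, {})
        elif current is not None and (m := SETTING.match(line)):
            current[m.group(1).lower()] = m.group(2).strip()
    return peers

def audit(text, min_len=12):
    """Map extension -> reason. min_len is an assumed policy, not from the thread."""
    findings = {}
    for ext, opts in parse_peers(text).items():
        secret = opts.get("secret")
        if secret is None:
            continue  # may be inherited from a template; not judged here
        if secret == ext:
            findings[ext] = "secret equals extension number"
        elif secret.isdigit() or len(secret) < min_len:
            findings[ext] = "secret is short or numeric-only"
    return findings

if __name__ == "__main__":
    for ext, reason in sorted(audit(SAMPLE_SIP_CONF).items()):
        print(f"{ext}: {reason}")
```

To audit a live system, pass the contents of the configuration file that holds your extension definitions to `audit()` instead of the sample string.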



bubbapcguy
Posts: 3774
Member Since:
2006-06-02
testing

If you want to test your box for holes use
http://sipvicious.org/blog/



gdiener
Posts: 35
Member Since:
2007-02-02
trixbox Pro Softphones Password

I noticed that when I set up softphones in trixbox Pro, it automatically puts the extension number as the password. Is there any way to change the password for these softphones in trixbox Pro?

Grant

--

GD Tech
www.gdtech.ca
FtOCC



boeingpilot
Posts: 85
Member Since:
2008-01-24
Don't say it can't happen to you

On our testbed system we had one extension that had the secret as the extension (was a temporary trial extension we never deleted). Thankfully my inbound caller ID number was also my followme. After about a dozen 'hacked' calls people were calling me back. Scared the $%^&*( out of me.

Moral of the story..... watch the secrets for extensions that are exposed to the outside world. Hope this helps someone out.



cmbtrok
Posts: 22
Member Since:
2008-09-03
bulk update

Does someone out there have a script that can bulk-update the pwd on the tb extensions?

Thanks,



aujag03
Posts: 40
Member Since:
2007-07-17
This happened to me.

Everyone,

I sort of fell into the role of IT guy at our small company. Though it took me months to get a grasp on what I was doing, I have been running our Trixbox phone system for a few years. Today, I discovered that someone was making calls through our system phishing for credit card information. I changed all our secrets in the files [mac-address]reg.cfg to much stronger passwords. Is this all I need to change?

Thanks,
JamesG



Flight_Risk
Posts: 3
Member Since:
2010-05-24
I think you'll need to

I think you'll need to change the secrets on the phones themselves, otherwise when they try to renew their registration they'll stop working because the secret is different.


