I've been hacked!!!

I've been hacked!!!
How was this guy able to bypass the password authentication?
# cat /etc/asterisk/freepbxdistro-version
1.8.2.0-2
Apache log:
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:08 -0600] "GET / HTTP/1.0" 200 2559 "http://localhost/index.php?file=b69.100x.txt&find=pbx" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:09 -0600] "GET /admin/images/box-left.jpg HTTP/1.0" 200 2576 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:09 -0600] "GET /admin/images/operator-panel.png HTTP/1.0" 200 11055 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:09 -0600] "GET /admin/images/header-bg-right.jpg HTTP/1.0" 200 19400 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:09 -0600] "GET /admin/images/sys-admin.png HTTP/1.0" 200 14271 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:09 -0600] "GET /admin/images/header-bg-left.jpg HTTP/1.0" 200 26105 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:09 -0600] "GET /admin/images/user-control.png HTTP/1.0" 200 13361 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:10 -0600] "GET /admin/images/support.png HTTP/1.0" 200 9550 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:10 -0600] "GET /admin/images/box-right.jpg HTTP/1.0" 200 2554 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:10 -0600] "GET /admin/images/header-tile.jpg HTTP/1.0" 200 452 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:10 -0600] "GET /admin/images/header-bg-tile.jpg HTTP/1.0" 200 396 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:11 -0600] "GET /admin/images/box-tile.jpg HTTP/1.0" 200 365 "http://xx.xx.xx.xx/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:20 -0600] "GET /admin/common/script.js.php?load_version=2.9.0.7 HTTP/1.0" 200 1111 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:20 -0600] "GET /admin/assets/js/jquery.cookie.js HTTP/1.0" 200 4247 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:20 -0600] "GET /admin/common/mainstyle.css?load_version=2.9.0.7 HTTP/1.0" 200 15911 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:20 -0600] "GET /admin/assets/js/script.legacy.js HTTP/1.0" 200 19594 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:21 -0600] "GET /admin/assets/js/jquery.dimensions.js HTTP/1.0" 200 20547 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:21 -0600] "GET /admin/assets/js/jquery.toggleval.3.0.js HTTP/1.0" 200 3496 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:20 -0600] "GET /admin/assets/js/jquery-1.4.x.min.js HTTP/1.0" 200 78696 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:22 -0600] "GET /admin/assets/js/interface.dim.js HTTP/1.0" 200 3761 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:22 -0600] "GET /admin/assets/js/tabber-minimized.js HTTP/1.0" 200 4904 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:22 -0600] "GET /admin/images/freepbx_large.png?load_version=2.9.0.7 HTTP/1.0" 200 7590 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:20 -0600] "GET /admin/assets/js/jquery-ui-1.8.x.min.js HTTP/1.0" 200 198688 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:23 -0600] "GET /admin/images/logo.png?load_version=2.9.0.7 HTTP/1.0" 200 5699 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:23 -0600] "GET /admin/images/favicon.ico HTTP/1.0" 200 318 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:27 -0600] "GET /admin/images/header-back.png HTTP/1.0" 200 339 "http://xx.xx.xx.xx/admin/common/mainstyle.css?load_version=2.9.0.7" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:27 -0600] "GET /admin/images/tab.png HTTP/1.0" 200 1431 "http://xx.xx.xx.xx/admin/common/mainstyle.css?load_version=2.9.0.7" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:12:27 -0600] "GET /admin/images/tab-first-current.png HTTP/1.0" 200 2639 "http://xx.xx.xx.xx/admin/common/mainstyle.css?load_version=2.9.0.7" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:06 -0600] "GET /admin/modules/ HTTP/1.0" 200 15000 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:06 -0600] "GET /icons/back.gif HTTP/1.0" 200 216 "http://xx.xx.xx.xx/admin/modules/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:06 -0600] "GET /icons/blank.gif HTTP/1.0" 200 148 "http://xx.xx.xx.xx/admin/modules/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:06 -0600] "GET /icons/bomb.gif HTTP/1.0" 200 308 "http://xx.xx.xx.xx/admin/modules/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:06 -0600] "GET /icons/folder.gif HTTP/1.0" 200 225 "http://xx.xx.xx.xx/admin/modules/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:06 -0600] "GET /icons/script.gif HTTP/1.0" 200 242 "http://xx.xx.xx.xx/admin/modules/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:14 -0600] "GET /admin/modules/framework/ HTTP/1.0" 200 2558 "http://xx.xx.xx.xx/admin/modules/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:15 -0600] "GET /icons/text.gif HTTP/1.0" 200 229 "http://xx.xx.xx.xx/admin/modules/framework/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:17 -0600] "GET /admin/modules/framework/bin/ HTTP/1.0" 200 2939 "http://xx.xx.xx.xx/admin/modules/framework/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:18 -0600] "GET /icons/unknown.gif HTTP/1.0" 200 245 "http://xx.xx.xx.xx/admin/modules/framework/bin/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:19 -0600] "GET /admin/modules/framework/bin/gen_amp_conf.php HTTP/1.0" 200 6539 "http://xx.xx.xx.xx/admin/modules/framework/bin/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - maint [12/Feb/2012:17:14:37 -0600] "GET /admin/config.php HTTP/1.0" 200 27455 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - maint [12/Feb/2012:17:14:39 -0600] "GET /admin/config.php?handler=file&module=dashboard&file=dashboard.css&load_version=2.9.0.4 HTTP/1.0" 200 2463 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:14:39 -0600] "GET /admin/common/mstyle_autogen_1314232943.css?load_version=2.9.0.7 HTTP/1.0" 200 11603 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:14:40 -0600] "GET /admin/images/notify_update.png HTTP/1.0" 200 619 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:14:40 -0600] "GET /admin/images/notify_delete.png HTTP/1.0" 200 715 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:14:40 -0600] "GET /admin/images/notify_warning.png HTTP/1.0" 200 789 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:14:40 -0600] "GET /admin/images/cancel.png HTTP/1.0" 200 815 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:14:40 -0600] "GET /admin/images/notify_notice.png HTTP/1.0" 200 778 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:14:39 -0600] "GET /admin/common/libfreepbx.javascripts.js?load_version=2.9.0.7 HTTP/1.0" 200 302944 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:14:41 -0600] "GET /admin/images/freepbx_small.png?load_version=2.9.0.7 HTTP/1.0" 200 4844 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:14:42 -0600] "GET /admin/images/shadow-side-background.png?load_version=2.9.0.7 HTTP/1.0" 200 198 "http://xx.xx.xx.xx/admin/config.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
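
The log above already answers the question, and the answer is not a guessed password: the client browsed Apache directory listings under /admin/modules/, pulled gen_amp_conf.php without any web-server user, and only then showed up as "maint" with no 401 anywhere in the excerpt. The following triage script is an added example for this thread, not code from the original post or from FreePBX. It parses Apache combined-format lines (tolerating the "httpd/access_log:" prefix grep leaves) and applies four heuristics: a directory listing rendered (Apache autoindex fetches /icons/*.gif with the listed directory as referer), module code under /admin/modules/ served unauthenticated with a body, a referer pointing at localhost from a remote client, and how many 401/403 responses preceded the first authenticated 200 from that address. The 83.244.52.186 lines are taken from the excerpt; the 10.0.0.5 lines are constructed to show what a normal basic-auth login looks like.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Apache "combined" format; a leading "file:" prefix, as left by grep -r, is tolerated.
LINE_RE = re.compile(
    r'^(?:[\w./-]+:)?(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"

# Sample input: the 83.244.52.186 lines are from the excerpt posted above (asset
# fetches omitted); the two 10.0.0.5 lines are constructed and show a normal
# basic-auth login, which leaves exactly one 401 before the authenticated 200.
LOG = f"""\
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:11:08 -0600] "GET / HTTP/1.0" 200 2559 "http://localhost/index.php?file=b69.100x.txt&find=pbx" "{UA}"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:06 -0600] "GET /admin/modules/ HTTP/1.0" 200 15000 "-" "{UA}"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:06 -0600] "GET /icons/folder.gif HTTP/1.0" 200 225 "http://xx.xx.xx.xx/admin/modules/" "{UA}"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:17 -0600] "GET /admin/modules/framework/bin/ HTTP/1.0" 200 2939 "http://xx.xx.xx.xx/admin/modules/framework/" "{UA}"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:18 -0600] "GET /icons/unknown.gif HTTP/1.0" 200 245 "http://xx.xx.xx.xx/admin/modules/framework/bin/" "{UA}"
httpd/access_log:83.244.52.186 - - [12/Feb/2012:17:13:19 -0600] "GET /admin/modules/framework/bin/gen_amp_conf.php HTTP/1.0" 200 6539 "http://xx.xx.xx.xx/admin/modules/framework/bin/" "{UA}"
httpd/access_log:83.244.52.186 - maint [12/Feb/2012:17:14:37 -0600] "GET /admin/config.php HTTP/1.0" 200 27455 "-" "{UA}"
httpd/access_log:10.0.0.5 - - [12/Feb/2012:09:00:01 -0600] "GET /admin/config.php HTTP/1.0" 401 - "-" "{UA}"
httpd/access_log:10.0.0.5 - maint [12/Feb/2012:09:00:02 -0600] "GET /admin/config.php HTTP/1.0" 200 27455 "-" "{UA}"
"""


def parse(lines):
    """Parse combined-format lines into dicts; lines in any other shape are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
        r["status"] = int(r["status"])
        r["size"] = 0 if r["size"] == "-" else int(r["size"])
        out.append(r)
    return out


def triage(lines):
    """Return {client_ip: [finding, ...]} for every client that trips a heuristic."""
    by_ip = defaultdict(list)
    for r in parse(lines):
        by_ip[r["ip"]].append(r)

    findings = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["ts"])  # stable sort: equal timestamps keep file order
        f, listed = [], set()
        for r in reqs:
            ref = urlsplit(r["referer"]) if r["referer"] != "-" else None
            # Apache autoindex pages pull /icons/*.gif with the listed directory as
            # referer, so this is direct evidence that a directory listing was rendered.
            if r["path"].startswith("/icons/") and ref and ref.path.endswith("/"):
                listed.add(ref.path)
            # Module code fetched directly, with no web-server user, and served with a body.
            if (r["user"] == "-" and r["status"] == 200 and r["size"] > 0
                    and r["path"].startswith("/admin/modules/")
                    and r["path"].split("?", 1)[0].endswith(".php")):
                f.append(f"unauthenticated 200 for module script {r['path']} ({r['size']} bytes)")
            # A remote client sending a localhost referer is a tool artefact, not a browser.
            if ref and ref.hostname == "localhost" and not ip.startswith("127."):
                f.append(f"referer points at localhost: {r['referer']}")
        f.extend(f"directory listing rendered for {d}" for d in sorted(listed))
        # Count 401/403 responses before the first authenticated 200 from this client.
        # Zero failures is what a known credential looks like; a guessed one leaves a trail.
        failed = 0
        for r in reqs:
            if r["status"] in (401, 403):
                failed += 1
            elif r["user"] != "-" and r["status"] == 200:
                f.append(f"authenticated as {r['user']} at {r['ts']:%H:%M:%S} "
                         f"after {failed} failed attempts")
                break
        if f:
            findings[ip] = f
    return findings


if __name__ == "__main__":
    for ip, items in triage(LOG.splitlines()).items():
        print(ip)
        for item in items:
            print("  -", item)
```

Run it against the full access_log (`triage(open("/var/log/httpd/access_log"))`) to get the same report per client address; the directory-listing and unauthenticated-script findings are the ones to act on, since they show what was readable before any login happened.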
The more pressing question
The more pressing question should be: how did he get to the box?
It has a static IP on the
It has a static IP on the public internet.
Well there is your problem.
Well there is your problem. Did you fully open the system up to the Internet? If you did you would be opening yourself up for lots of trouble.
Uh, yes, why would that be a
Uh, yes, why would that be a problem if the web interface is password protected?
If someone truly hacked your
If someone truly hacked your system they must have guessed your password.
How do you know you were hacked?
I am sure many other members will chime in here to tell you how bad of an idea it is to open the web interface of your system up to the Internet. There is no reason to expose the web interface of your PBX to the Internet regardless of passwords.
It was a difficult password
It was a difficult password which I changed fairly recently, and I'm not seeing any invalid login attempts.
Are there any known exploits with the web interface?
Do you absolutely need to
Do you absolutely need to have the web interface exposed to the Internet? Your best bet is not to open the GUI to the Internet.
what ports do you have forwarded from the Internet to your phone server?
I suppose I can keep it off
I suppose I can keep it off and then just turn it on when I need it.
The pbx server is in a datacenter because I have a number of multiple offices that connect to it.
Is there a better way to do this? Like a vpn or ipsec or something?
You have a server in a
You have a server in a datacenter without any security for your other applications?
Access lists and VPNs are your friend.
This has been reported
This has been reported already:
http://www.freepbx.org/forum/freepbx/development/security-gen-amp-conf-p...
Yeah, it is lame beyond belief that in 2012 people make such stupid mistakes.
SIP: Magic incantations - http://forums.digium.com/viewtopic.php?t=78543
@obelisk Agreed, I can't
@obelisk
Agreed, I can't believe some programmers these days.
I have a better idea. Why
I have a better idea. Why don't the users put together a security and functional test plan. Run the test plan against each beta and report back to the developers. If everyone concurs no release will go from release candidate to released with the test plan executed and "sign off" from the testing group.
Would you rather have the developers work on features or spend time running these test plans? The more help they (the developers) get the more features can be completed.
Everybody wins.
@SkykingOH I'd be open to
@SkykingOH I'd be open to being part of that, how do I get involved though?
We'd need some way to track who's working on what, and also what code is new since the last release. Plus it might be a good idea to go through the existing code one more time, if that hasn't been done already.
We are insanely busy and
We are insanely busy and open to anything that makes sense.
1 - Design the process
2 - Socialize it within the community
3 - Get buy in from the community
4 - Recruit assistants
5 - Manage the team to the process
This is an "open" project. Nobody has to approve anything. Leadership fills the vacuum.
The test should be
The tests should be automated. No humans need to be involved. Humans are generally unreliable and suck in making decisions ;-)
BTW: It looks like the vulnerability was introduced on 01/06/11
http://www.freepbx.org/trac/changeset/10807
Everything released in 2011 is probably vulnerable. Did FreePBX people make any effort to reach distro builders to make sure they push the updates ? I also did not see any CVE entry for this. I think there are going to be lots of hacked systems in 2012 because of this.
You guys make it sound like
You guys make it sound like this is some sort of an obligation (to whom I am not sure). This is a community project.
Ward is very active over at PBXiaf and certainly has a direct line to the Kremlin.
I will sum up my feelings, and this is directed at the rabble-rousers, who know who they are. Instead of stirring up sh*t, why don't you dedicate a significant portion of your time to the project, travel around the country at your own expense evangelizing the project, dedicate your employees' time, donate resources and hardware, etc.? Those of us who do some/all of these things get a bit annoyed when you bitch about the job that is being done. If you don't like it then you are more than welcome to do 1 of 2 things.
1 - Do a better job
2 - Don't use the package
And that file is no longer
And that file is no longer accessible and was fixed 2 months ago.
Tony Lewis
Schmooze Com, Inc.
FreePBX Developer
Obelisk is right, why isn't
Obelisk is right, why isn't that listed here:
http://www.cvedetails.com/vendor/6470/Freepbx.html
@SkykingOH we're not
@SkykingOH we're not stirring up sh*t, obviously we use the software and highly value it, and we're not directing this towards one individual or one group of individuals. And we appreciate the job and hard work that everyone involved contributes. And I already said I would be happy to help assist with this.
We're just saying some more emphasis should be put on security, which needs to start from the people at the top of this community project, and requires coordination from the people at the top, to the developers, to the testers, etc. This is rather important since these bugs can potentially cost users $100k or more:
http://nerdvittles.com/?p=580
And when there is a security bug found it needs to be submitted to the proper channels (bugtraq, cvedetails, etc).
Security needs to be a top priority whether it's a community project, open source, closed source, for profit, not for profit, etc.
We apologize if we came across as bitchy/annoying.
My quick two cents
My quick two cents …
First, the changesets referenced here may or may not be related to the hack as there have been other vulnerabilities that have been introduced and since fixed, as this one has been since fixed for quite some time.
Spending time attacking and criticizing vs. constructively tracking down and helping to find better solutions doesn't really do anyone any good and in all reality has a very negative effect on the project. If it does anything, it hurts everyone because volunteer developers simply choose to go elsewhere vs. take the unwarranted abuse that is doled out in such exchanges.
Everyone is human and they make mistakes. It's Open Source and that is one of the great things about Open Source: it is viewable by everyone and thus collective minds can track things down. Reports of banks the size of Chase Manhattan being hacked are a perennial event in the news. These are institutions whose IT budgets are counted in the BILLIONS of dollars. Given that, the insulting comments being made here to members of this community are simply uncalled for. We are a community, let's try to act that way please.
As far as the latest exploit that is likely responsible, it was published Monday, reported yesterday and fixed and published this morning. It allowed an unauthenticated user to obtain the ARI admin credentials, nothing beyond that though often those are set the same as the FreePBX Admin credentials and not changed.
Philippe Lindheimer - FreePBX Project Leader
FreePBX Training Opportunities - Click Here
Get Official Paid Support - Click Here
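
The reply above makes the point that matters for cleanup: the leaked credential was the ARI admin one, which is dangerous mainly because it is so often set to the same value as the FreePBX admin password. The following audit is an added example for this thread, not FreePBX code. It parses a KEY=value file in the shape of amportal.conf and flags secrets that are missing, still at an install default, short, or shared between roles. The key names AMPDBPASS, AMPMGRPASS and ARI_ADMIN_PASSWORD, and the default values listed, are assumptions from memory of 2.x installs and should be checked against your own file; the sample configuration is constructed.

```python
import re
from collections import defaultdict

# Key names assumed from a FreePBX 2.x amportal.conf; confirm against your own file.
SECRET_KEYS = ("AMPDBPASS", "AMPMGRPASS", "ARI_ADMIN_PASSWORD")
# Install-time defaults as remembered from 2.x systems (an assumption, not a
# documented list): any secret still matching one of these should be rotated.
KNOWN_DEFAULTS = {"amp109", "amp111", "ari_password", "admin", "password"}
MIN_LEN = 12

KV_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_amportal(text):
    """KEY=value lines into a dict; blank lines and '#' comments are ignored."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KV_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def audit(conf):
    """Return a list of problems: missing, default, short, or shared secrets."""
    problems = []
    holders = defaultdict(list)  # secret value -> keys that use it
    for key in SECRET_KEYS:
        value = conf.get(key)
        if not value:
            problems.append(f"{key}: not set")
            continue
        if value in KNOWN_DEFAULTS:
            problems.append(f"{key}: still the install default")
        if len(value) < MIN_LEN:
            problems.append(f"{key}: shorter than {MIN_LEN} characters")
        holders[value].append(key)
    for keys in holders.values():
        if len(keys) > 1:
            # This is the reuse the reply describes: leaking one of these
            # credentials hands over the others as well.
            problems.append("shared secret across " + ", ".join(keys))
    return problems


# Constructed sample, not a real configuration.
SAMPLE = """\
# amportal.conf (constructed)
AMPDBHOST=localhost
AMPDBUSER=asteriskuser
AMPDBPASS=amp109
AMPMGRUSER=admin
AMPMGRPASS=Str0ng-PBX-M4nager
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=Str0ng-PBX-M4nager
"""

if __name__ == "__main__":
    for problem in audit(parse_amportal(SAMPLE)):
        print(problem)
```

On a real box, `audit(parse_amportal(open("/etc/amportal.conf").read()))` gives the same report. After an incident like the one in this thread, every secret the leaked file exposed needs to be rotated regardless of what the audit says; the audit's job is to make sure the new values are not shared or default again.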
@p_lindheimer So whats the
@p_lindheimer So whats the process for getting involved then?
I don't have a ton of time, but I can certainly give some time into assisting. My background is in php, mysql and security, I'm not claiming to be an expert in any of those areas, but I know enough to assist.
Even though it's "open" there needs to be some delegation and direction from the people on top for this. E.g. what's being worked on now, what things do you want us to check for security-wise in the beta version, what's been checked already, how do we keep track of who is working on what file at a time, and if I find a change how do I submit it and make sure it doesn't get overwritten by another developer?
abefroman, There are a few
abefroman,
There are a few questions here and it also really depends on the level of involvement and time that you or anyone else might be interested in putting in.
As far as tracking what is going on, there is a timeline in trac that can show every single checkin. It's hard to really say exactly what's being worked on as different developers attack different areas, problems and new features based on the various motivations, though everything still ends up in the timeline.
Trying to formalize a process or some sort of automation to screen security for a project like this is tough. Generally speaking, we've simply relied on the Open Source nature of the project where everything that happens is transparent and viewable by all as one line of scrutiny. As another, the beta testing process and our attempts to be as reactive as possible when things come out.
Since features are rarely introduced within a finalized release, the chances of introductions of such are much lower, though there are plenty of incidents of security issues which are not noticed until something is final. In this case, 2.10 is close to final, in release candidate state, and as such gets a lot more exposure.
The other consideration is, no matter how much emphasis is put on security, we aren't security experts, though we are very sensitive to security. This is a PBX and it isn't designed to be put on the web. However, we know people do so we don't put our heads in the sand and say 'lalala' when it happens. Nonetheless, it still remains that the only 'real' protection for security is ultimately locking down access, because there are always going to be potential issues that until reported remain out there.
If you are interested in a bigger involvement and possibly helping to lead up an effort, then the best next step is to talk with a couple of us and brainstorm what might be possible given the resources that you and others might be willing to provide. If you want to do that you can feel free to PM me and we can arrange something.
Philippe Lindheimer - FreePBX Project Leader
Web Interface
I will assume (not always a good thing) that you have some sort of firewall at the DC. You can control who can use SIP/RTP/HTTP etc. for the IP of that PBX server or for anything behind that firewall. Without a doubt, if you can VPN each location via the firewall then all phones appear to be internal and you can deny external SIP traffic from everyone except your SIP providers.
You can leave the web interface a little more open so that if you are, let's say, visiting another office you could make a change to your PBX. You can try changing the port for the web interface of your PBX from 80 to some random unused port. To access your box from the web you would type in name.tomypbxbox.com:105038; now you can use a smaller port number, but basically, utilizing your firewall, you would redirect the external 105038 port to the internal port 80. I don't think anyone will be expecting those random ports with standard scanning tools.
If you don't have a firewall then you are making a big mistake by not protecting yourself.
In a worst case, if you don't have a firewall, you could change the default port for Apache as well; not my first choice but effective.
Either way protect your box or someone will find a way to make free calls.