R.I.P. Hacked! Lost all my prepaid credit...

berritorre (New Member, joined Mar 2, 2015)
Hi!

I just got hacked over the weekend and lost about R$ 450, which is between 150-200 USD in pre-paid call credits. Luckily it is prepaid. I knew that I had more than 400 Reais of credit when I saw a message from the provider that my account had dropped to 9 Reais (on Sunday). When I logged in, it was already down to zero.

How did it happen? Well, I was stupid. I set up PIAF on Digitalocean and I included the trunk. I did nothing more, not even an extension or anything. Then other things became more important and the PIAF install was basically forgotten.

The first thing I did was change the password of the VoIP account, so no additional calls could be made. However, they had used all the credit anyway. I also disabled the monthly top-up.

Starting on 28/02 at 22h, international calls were made to Bolivia, Peru, Poland, the UK and Guatemala, but mainly Bolivia. So I assume the hackers could be found there...

So the money is gone, I learned my lesson.

My question now: is there anything else I should do, besides killing the PIAF install on Digitalocean (which I should have done quite a while ago). I didn't delete it, because I thought it might be interesting how they went in and what they did, but I am a beginner and wouldn't know where to start.

I didn't use all the security measures because we do not have fixed IPs, so the Travelin Man wouldn't work for me, because my IP can be different all the time.

So, anything else I should do (maybe to help to find entry points)? Or would you just delete the PIAF instance?

Next tests I'll make on my notebook in a Virtualbox I guess... ;-)
 
Nuke it from orbit. If I had to take a guess, I'd say they probably got in through anonymous SIP calls being enabled since you didn't make any extensions.

I didn't use all the security measures because we do not have fixed IPs, so the Travelin Man wouldn't work for me, because my IP can be different all the time.
For future reference, Travelin Man is made exactly for IP changes. You provide Travelin Man with a FQDN pointing to the public IP address where your extension(s) is/are registered and it resolves it to an IP every few minutes (don't recall the exact amount off the top of my head). If the IP has changed since the last check, it'll update iptables and allow the new IP address. Works great.
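The guess above (anonymous SIP calls reaching the dialplan on a box that had no extensions yet) corresponds at the Asterisk level to chan_sip's allowguest option, which defaults to yes and which, to my understanding, is what FreePBX's "Allow SIP Guests" setting writes out. The following is an added example for this page, not PIAF or FreePBX code: a POSIX shell audit that reads the [general] section of a sip.conf-style file and reports whether allowguest=no and alwaysauthreject=yes are in effect. The file paths and the sample configurations mentioned below are assumptions/constructed.

```sh
#!/bin/sh
# Added example, not PIAF/FreePBX code. Audits the [general] section of an
# Asterisk chan_sip configuration for the two settings that decide whether
# unauthenticated SIP traffic can reach the dialplan.

# Print the effective value of KEY in the [general] section of FILE.
# Later assignments win, as Asterisk reads them; commented lines (;key=...)
# and the same key in peer sections are ignored. Prints "unset" if absent.
sip_general_value() {
    key="$1"; file="$2"
    awk -v k="$key" '
        /^\[/ { in_general = ($0 ~ /^\[general\]/) }
        in_general && ($0 ~ ("^[ \t]*" k "[ \t]*=")) {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)   # drop "key ="
            sub(/[ \t;].*$/, "", val)       # drop trailing comment
        }
        END { print (val == "" ? "unset" : val) }
    ' "$file"
}

# Verdict for FILE: "HARDENED" or "WEAK: <findings>".
# allowguest unset is reported as weak because the compiled-in default is yes.
sip_guest_status() {
    file="$1"
    guest=$(sip_general_value allowguest "$file" | tr 'A-Z' 'a-z')
    reject=$(sip_general_value alwaysauthreject "$file" | tr 'A-Z' 'a-z')
    findings=""
    case "$guest" in
        no) ;;
        unset) findings="allowguest unset (Asterisk default is yes)" ;;
        *) findings="allowguest=$guest" ;;
    esac
    case "$reject" in
        yes) ;;
        *) findings="${findings:+$findings; }alwaysauthreject=$reject (should be yes)" ;;
    esac
    if [ -z "$findings" ]; then
        echo "HARDENED"
    else
        echo "WEAK: $findings"
    fi
}

# Usage: sh sip_guest_audit.sh /etc/asterisk/sip.conf [more files...]
# (path is an assumption; on a FreePBX box the generated [general] values
# typically live in sip_general_additional.conf, included from sip.conf).
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(sip_guest_status "$f")"
    done
fi
```

A file whose [general] section reads `allowguest=yes` with no alwaysauthreject line is reported as WEAK on both counts; one with `allowguest=no ; locked down` and `alwaysauthreject=yes` is reported HARDENED. The check is deliberately per-file: if the values are spread across included files, run it over each one and take the last assignment Asterisk would see.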
 
You provide Travelin Man with a FQDN pointing to the public IP address where your extension(s) is/are registered and it resolves it to an IP every few minutes (don't recall the exact amount off the top of my head)

I don't remember the default interval either, but it can be changed to update how often you want.
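The mechanism the two replies above describe, written out as an added example for this page (this is not Travelin Man's own code): resolve the dynamic-DNS name, compare it with the address that was whitelisted last time, and touch iptables only when it has changed. The chain name TM_WHITELIST, the state directory, the use of getent for resolution and the cron interval are all assumptions.

```sh
#!/bin/sh
# Added example, not Travelin Man code. Keeps one iptables whitelist chain in
# sync with the current address of a dynamic-DNS name. Intended to run from
# cron every few minutes; a run that finds no change does nothing.

CHAIN="${CHAIN:-TM_WHITELIST}"                 # assumption: chain hooked from INPUT
STATE_DIR="${STATE_DIR:-/var/lib/tm-whitelist}" # assumption: one file per FQDN

# Resolve FQDN to its first IPv4 address (glibc getent; swap in dig +short
# on systems without it).
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Accept only a well-formed dotted quad so a bad or empty DNS answer can
# never be spliced into an iptables command.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Compare the live address of FQDN with the one recorded in STATE_DIR and,
# on change, replace the ACCEPT rule. Prints one of:
#   "unchanged <ip>"   "updated <old|none> <new>"   "error: ..."
refresh_whitelist() {
    fqdn="$1"
    state="$STATE_DIR/$fqdn"
    new=$(resolve_ipv4 "$fqdn")
    if ! is_ipv4 "$new"; then
        echo "error: could not resolve $fqdn to an IPv4 address"
        return 1
    fi
    old=""
    [ -f "$state" ] && old=$(cat "$state")
    if [ "$old" = "$new" ]; then
        echo "unchanged $new"
        return 0
    fi
    # Remove the stale rule first so the chain never holds two addresses
    # for the same name; tolerate its absence (first run, manual cleanup).
    if [ -n "$old" ]; then
        iptables -D "$CHAIN" -s "$old" -j ACCEPT 2>/dev/null || true
    fi
    iptables -I "$CHAIN" 1 -s "$new" -j ACCEPT
    mkdir -p "$STATE_DIR"
    printf '%s\n' "$new" > "$state"
    echo "updated ${old:-none} $new"
}

# Usage: sh tm-whitelist.sh pbx-home.example.net [more names...]
if [ "$#" -gt 0 ]; then
    for name in "$@"; do refresh_whitelist "$name"; done
fi
```

For this to protect anything, the chain has to exist and INPUT has to default to dropping the PBX ports: create it once with `iptables -N TM_WHITELIST` and `iptables -I INPUT -j TM_WHITELIST`, keep the final policy for 5060/udp and the web port at DROP, and schedule the script (for example `*/5 * * * *` in root's crontab). The window between an address change and the next cron run is the price of the approach; that is the gap a VPN, as mentioned further down the thread, closes.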
 
Hi, thank you for the response!

I'll kill the instance then. I guess I will have to write off my money, because it is not worth the hassle to get after those guys. Probably no chance.

What I could read from the logs is that they created extensions at one point. But not much more.

But I guess my next steps will happen mainly internally first. Then maybe later I'll set up something online again, when I am a little bit more savvy with everything.

I am still a bit overwhelmed with the GUI, don't know where to start. I should have nuked the thing immediately after the install, when it was clear that it would take a while until I could play with it again. But hey, we didn't use this account much lately and the money accumulated because we had to top up to keep the telephone number that came with it. That is why we reached the 450 anyway.
 
Hope this also helps others that are a little lazy about the security of their installation - I CAN NOT RECOMMEND IT. ;-)
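For the "help to find entry points" question earlier in the thread, here is an added example (not PIAF code) of the first pass a responder would make over /var/log/asterisk/full before nuking the instance: group failed SIP registrations by source address, and list the calls that entered the from-internal dialplan together with the channel that placed them. A peer you never created placing calls to a country you never call is the fraud trail. The sample log is constructed after the Asterisk 11 chan_sip and pbx.c message formats; wording differs between versions, so check the patterns against a few real lines first.

```sh
#!/bin/sh
# Added example, not PIAF code. Quick triage of an Asterisk "full" log after
# a toll-fraud incident. Patterns follow Asterisk 11 chan_sip/pbx.c formats.

# Failed SIP REGISTER attempts grouped by source IP, busiest first.
# Output: "<ip> <count>" per line. (IPv4 only; IPv6 sources are logged
# in brackets and would need a different pattern.)
failed_registrations() {
    grep "Registration from .* failed for '" "$1" \
      | sed -E "s/.*failed for '([0-9.]+)(:[0-9]+)?'.*/\1/" \
      | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Calls that entered the outbound dialplan (priority 1 of from-internal),
# with the peer that placed them. Output: "<peer> <dialed number>".
outbound_dials() {
    grep -E 'Executing \[[0-9+*#]+@from-internal:1\]' "$1" \
      | sed -E 's/.*Executing \[([^@]+)@from-internal:1\] [A-Za-z_]+\("([^"-]+)-[^"]*".*/\2 \1/'
}

# Constructed sample log so the functions can be exercised offline.
# Peer 9999 is the attacker-created extension; 198.51.100.7 is the
# brute-forcing host; 192.0.2.44 tried the "admin" account once.
write_sample_log() {
    cat > "$1" <<'EOF'
[2015-02-28 21:58:01] NOTICE[1234] chan_sip.c: Registration from '"1000" <sip:1000@203.0.113.5>' failed for '198.51.100.7:5060' - No matching peer found
[2015-02-28 21:58:02] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2015-02-28 21:58:03] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@203.0.113.5>' failed for '198.51.100.7:5061' - Wrong password
[2015-02-28 21:59:40] NOTICE[1234] chan_sip.c: Registration from '"admin" <sip:admin@203.0.113.5>' failed for '192.0.2.44:5060' - Wrong password
[2015-02-28 22:02:11] VERBOSE[1250][C-00000003] pbx.c:     -- Executing [0059177123456@from-internal:1] Macro("SIP/9999-00000002", "user-callerid,LIMIT,EXTERNAL,") in new stack
[2015-02-28 22:02:12] VERBOSE[1250][C-00000003] pbx.c:     -- Executing [0059177123456@from-internal:2] Dial("SIP/9999-00000002", "SIP/trunk/0059177123456,300,") in new stack
[2015-02-28 22:09:50] VERBOSE[1251][C-00000004] pbx.c:     -- Executing [004478001234@from-internal:1] Macro("SIP/9999-00000003", "user-callerid,LIMIT,EXTERNAL,") in new stack
EOF
}

# Usage: sh asterisk-triage.sh /var/log/asterisk/full
if [ "$#" -gt 0 ]; then
    echo "== failed REGISTERs by source =="
    failed_registrations "$1"
    echo "== calls placed through from-internal =="
    outbound_dials "$1"
fi
```

On the constructed log this yields 198.51.100.7 with 3 failures and 192.0.2.44 with 1, and two calls from SIP/9999 to 00591 (Bolivia) and 0044 (UK) numbers. Copy the log off the box before deleting the instance; the source addresses and the dialed numbers are what the provider will ask for if you do decide to dispute the charges.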
 
Then they got into the web interface. That's quite terrifying.
If the default access to the web interface is set up on port 80 without SSL then it is quite trivial for it to be hacked. Security is only as strong as the weakest link and plain HTTP access is no security at all.
 
If the default access to the web interface is set up on port 80 without SSL then it is quite trivial for it to be hacked. Security is only as strong as the weakest link and plain HTTP access is no security at all.

SSL is not enabled by default, at least last I checked. Any system that is in production should ABSOLUTELY be using a firewall whitelist like TravelinMan. No reason to have ports open to the world in general.
If you need remote extensions, you can forward 5060, but it'd be more secure to have the endpoint(s) VPN in. Not as easy, but much more secure.
If you need remote web interface access, you can forward 80, but again it'd be much more secure to VPN in.
For my production setups, I always use the TravelinMan whitelist in combination with a VPN. Works great for me.
 
So as long as you use PortKnock & Travelin Man, I should not need... an SSL cert or VPN?
 
So as long as you use PortKnock & Travelin Man, I should not need... an SSL cert or VPN?
I can't think of a real need to put an SSL cert on a PIAF box.
Yes, VPN would be slightly redundant if you have TM and PortKnock installed. I prefer VPN to both of the above, but it doesn't work for everything.
 
