ALERT Apparent Security Issue: Backdoor in default fail2ban.local

dbaum (Guru; joined Jan 11, 2009; 124 messages; 2 reaction score)
I have just completed the third consecutive load of a RENTPBX.COM virtual machine with PIAF Green.
The jail.local file in fail2ban contains an IP address in the ignoreip line that is not the local machine.
The address 98.103.180.19 is included and is registered as a Time Warner IP address.
I am assuming this to be an error that needs to be addressed.
I will file a RENTPBX ticket as well.
David
 
On my green install test box, there is nothing there. It must have been inserted by the install on RentPBX.
 
not on my green either... but you're not saying a lot... Green is not that specific of an indication, it just tells which version of asterisk you're running. it doesn't point to a particular build.
 
I really doubt it's related to rentpbx. This IP is related to:
www.brandercti.com
as demonstrated by the hostname:
webmail.brandercti.com

this IP is for:
Allocations for this OrgID serve Road Runner commercial customers out of the Columbus, OH, Herndon, VA and Raleigh, NC RDCs.

and more specifically:

organization:Class-Name:organization
organization:ID:NETBLK-ISRC-98.102.0.0-15
organization:Auth-Area:98.103.180.16/28
organization:Org-Name:Brander Construction Technology, Inc
organization:Tech-Contact:[email protected]
organization:Street-Address:2357 W Mason St
organization:City:Green Bay
organization:State:WI
organization:Postal-Code:54303
organization:Country-Code:US
organization:Phone:608-333-1900
 
Sorry, I was on the road when I posted, to get the word out.
Here is supplementary information.
Note, the discovery was after installation of Travelling Man 3. I forgot to note that earlier.
FreePBX 2.11.0.0 beta 2.8
PIAF 2.0.6.4
Asterisk 11.3.0
Asterisk Source 11.3.0
Centos 6.4 Final
 
TM3 is a Ward thing, so I am sure he will comment.


Tom
 
Incredible PBX and Travelin' Man 3 don't touch Fail2Ban. Please contact RentPBX for assistance.
 
Thanks for bringing up the IP to our attention.
Our Green build is based off the PIAF isomenu installation. No such IP is added to the fail2ban configuration. No one else has this IP in their configuration either. On a clean installation, we can assure you that there is no such IP.
During the process of configuring your PBX, it is unreasonable to believe a malicious script was run and inserted that IP. We would love to learn about it and prevent future users from having a similar security issue.
Would you be able to share with us any script that you ran on your PBX?
Assuming for now that your system is hacked: the fail2ban configuration files are owned by root and writable by root. To add the IP to the fail2ban configuration file, the hacker would need root access. We could be wrong about this assumption. However, if we are right, why would a hacker only add an IP to fail2ban? There are a lot more elusive and damaging things to do with root-level access. For example, isn't adding an administrative-level user an easier backdoor?
Once Travelin' Man 3 closes access from the internet, even if the back door is there, wouldn't it be useless since there is no access (maybe there are time windows where iptables is being restarted when a potential hacker can get in)? This is really hard to exploit. My point is, why not hack the iptables rules and insert it in iptables rather than fail2ban? Would you check whether the same IP is in the list of allowable IPs in your iptables?
We are not trying to question you regarding your PBX being hacked. We are really puzzled about the hack itself. The hack itself does not add up for something that has root access to your PBX.
Finally, since you have proof of the hack and evidence of it, you may also initiate a report to the owner of the IP. Be courteous and present all the evidence; any responsible organization will assist you any way they can. After all, it is their IP that is potentially used to hack your PBX.
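The two checks suggested in this reply (is there an unexpected address on the ignoreip line, and is the file still root-owned) can be scripted so that every fresh build is audited the same way. The following POSIX sh script is an added example written for this thread, not RentPBX's, PIAF's or fail2ban's own code. It parses the ignoreip entries out of a jail.local, drops loopback and RFC 1918 ranges, and reports anything that is not in an explicit allowlist of the machine's own addresses. The jail.local fragment it writes is constructed for the demo; 203.0.113.5 is a placeholder standing in for the PBX's own public address, and 98.103.180.19 is the address reported in this thread.

```sh
#!/bin/sh
# Audit the ignoreip line of a fail2ban jail.local for unexpected entries.
# Added example for this thread; not part of fail2ban, PIAF or RentPBX.

# Write a constructed jail.local fragment (not a real system's file) to $1.
write_sample_jail_local() {
    cat > "$1" <<'EOF'
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 192.168.0.0/16 203.0.113.5 98.103.180.19
bantime  = 600
maxretry = 3
EOF
}

# Print every address/CIDR on ignoreip lines of file $1, one per line,
# with the key and any trailing comment stripped.
ignoreip_entries() {
    sed -n 's/^[[:space:]]*ignoreip[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/#.*$//' |
        tr ' ' '\n' |
        grep -v '^$'
}

# Print ignoreip entries of file $1 that are neither loopback, nor RFC 1918
# private space, nor listed in the space-separated allowlist $2.
# Returns 0 when nothing unexpected was found, 1 otherwise.
unexpected_ignoreip() {
    file=$1
    allow=$2
    found=0
    for entry in $(ignoreip_entries "$file"); do
        case "$entry" in
            127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) continue ;;
        esac
        skip=0
        for ok in $allow; do
            [ "$entry" = "$ok" ] && skip=1
        done
        [ "$skip" -eq 1 ] && continue
        echo "$entry"
        found=1
    done
    return $found
}

# Demo on the constructed sample: prints 98.103.180.19 and the warning line.
demo_file=$(mktemp)
write_sample_jail_local "$demo_file"
unexpected_ignoreip "$demo_file" "203.0.113.5" \
    && echo "ignoreip clean" \
    || echo "unexpected ignoreip entries listed above"
rm -f "$demo_file"
```

On a live PIAF box, run `unexpected_ignoreip /etc/fail2ban/jail.local "<your public IP>"` and pair it with `ls -l /etc/fail2ban/jail.local` (expect root ownership and no group or world write bit) and a look at the iptables accept rules, since an address that is only whitelisted in fail2ban but not in iptables gains nothing once Travelin' Man 3 has locked the box down.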
 
dbaum
Since you say you did 3 installs and got this IP in all three, and it's there from the get-go for you, while RentPBX says a default install does not contain this IP...

It means we're lacking info to find where it's coming from.
Did you install Incredible PBX on the three machines that ended up with this? Maybe Incredible brings fail2ban conf files?

Right now where I'm lost is that you say you did 3 separate installs, and right after, when you login, this ip is there in fail2ban.
But rentpbx says that if they launch a new PIAF green and login to it... this IP is not there.
One of those two statements has to be false since they contradict.

A default deployment of green on rentpbx either comes with this ip in jail.local or doesn't.
If it doesn't, something else was done on those systems before you realized this was there.

And I also agree that a hacker would gain nothing from hacking this in there... Makes zero sense.
 