Just got a client call about unauthorized calls, logged into his system and this is what I saw.
SSH port forwarded to a FreePBX box. Default user/pass for MySQL/web/SSH. User created peers in MySQL directly and then changed the SSH password. All peers that were on were 104/104, 105/105, etc. SIP anon yes.. that's the default install.

You give a loaded gun to a guy that has never used one, without instructions, and he will surely shoot himself before learning to put the safety on. But ain't that the purpose of mass distributing a commercial (support part) swiss army knife telecom platform?

Why doesn't FreePBX come with FORCED password changes on install?? I guess $150 an hour support is better than no support at all, right?
http://www.freepbx.org/support-and-professional-services

There are also perl and python scanners out there that do: scan ranges of IPs for SIP, scan them for default SSH/SIP user/passes, and create an Asterisk sip.conf with these as well as the extensions for those. All the wanna-be hacker has to do next is mass dial and use unauthorized boxes... 99.5% are all trixbox/freepbx etc.

But hey.. 99% of all stats are made up.

>>-----Original Message-----
>>From: [email protected] [mailto:asterisk-biz-
>>[email protected]] On Behalf Of John Todd
>>Sent: September-01-09 11:59 AM
>>To: Commercial and Business-Oriented Asterisk Discussion
>>Subject: Re: [asterisk-biz] Any installations in European Consulates or
>>Embassies?
>>
>>
>>Well, I think that's a bit far-fetched. Really, really far-fetched.
>>Random fishing expeditions for vendors of PBX platforms, which are
>>going to be on private networks, are inefficient to the point of zero
>>returns. There are so many other layers of security that have to be
>>penetrated before the concept of "Asterisk" is a security element that
>>is even considered... If you've seen embassy telecommunications
>>systems in any security-minded nation, you'd understand that vendor
>>identity for the primary platform isn't a serious consideration.
>>
>>JT
>>
>>
>>On Sep 1, 2009, at 2:43 AM, C. Savinovich wrote:
>>
>>> I would be so paranoid... what if they want that information to see
>>> what embassies can be hacked?
>>>
>>> CS
>>>
>>> -----Original Message-----
>>> From: [email protected]
>>> [mailto:[email protected]] On Behalf Of John Todd
>>> Sent: Tuesday, September 01, 2009 6:53 PM
>>> To: Commercial and Business-Oriented Asterisk Discussion
>>> Subject: [asterisk-biz] Any installations in European Consulates or
>>> Embassies?
>>>
>>>
>>> I've got a rather unusual request to discover if any European
>>> Consulates are running Asterisk as their PBX platform. For that
>>> matter, are there any embassies that could step forward? This is for
>>> a private query (by another consulate) and replies may be privately
>>> held if requested, other than informing the end user. Or they may be
>>> public, which would be preferred so we can get various government
>>> agencies on the list of reference-able sites.
>>>
>>> JT
>>>
>>
>>---
>>John Todd email:[email protected]
>>Digium, Inc. | Asterisk Open Source Community Director
>>445 Jan Davis Drive NW - Huntsville AL 35806 - USA
>>direct: +1-256-428-6083 http://www.digium.com/
>>
>>
>>
>>
>>_______________________________________________
>>--Bandwidth and Colocation Provided by http://www.api-digital.com--
>>
>>AstriCon 2009 - October 13 - 15 Phoenix, Arizona
>>Register Now: http://www.astricon.net
>>
>>asterisk-biz mailing list
>>To UNSUBSCRIBE or update options visit:
>> http://lists.digium.com/mailman/listinfo/asterisk-biz
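The post describes the pattern that got this box abused: `allowguest` left at its chan_sip default of `yes` (the "SIP anon yes" above) and SIP peers whose secret is their own extension number (104/104, 105/105). The audit script below is an added example, not code from the post or from the FreePBX project. It parses a constructed sip.conf (not a capture from the compromised box) with a minimal reader of Asterisk's INI-like config format and flags those two settings, plus `alwaysauthreject` left off (a real chan_sip option; its default and `allowguest`'s default are stated here from the Asterisk sample config, and the peer names and secrets in the sample are made up).

```python
"""Audit an Asterisk/FreePBX sip.conf for the weaknesses described in the post:
anonymous (guest) SIP enabled and SIP peers whose secret equals their extension."""
import re
from typing import Dict, List, Tuple

# Constructed sample, not a real capture: mirrors the post (allowguest=yes,
# peers 104/104 and 105/105) plus one peer with a proper secret.
SAMPLE_SIP_CONF = """\
[general]
context=from-sip-external
allowguest=yes          ; chan_sip default: unauthenticated INVITEs hit the dialplan
alwaysauthreject=no     ; chan_sip default: REGISTER errors differ for known/unknown users

[104]
type=friend
secret=104
context=from-internal
host=dynamic

[105]
type=friend
secret=105
context=from-internal
host=dynamic

[200]
type=friend
secret=Qv7#pLm2!xR9zT
context=from-internal
host=dynamic
"""

# [name] or a template [name](!) / [name](base); inheritance is ignored here.
SECTION_RE = re.compile(r"^\[([^\]]+)\](\(.*\))?\s*$")


def parse_asterisk_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Asterisk's config syntax: [section], key=value or
    key=>value, ';' comments. Later duplicate keys overwrite earlier ones."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip().lstrip(">").strip()
    return sections


def audit_sip_conf(text: str) -> List[Tuple[str, str]]:
    """Return (section, finding) pairs for the weak settings the post describes."""
    conf = parse_asterisk_conf(text)
    findings: List[Tuple[str, str]] = []
    general = conf.get("general", {})
    # Defaults assumed from the chan_sip sample config: allowguest=yes, alwaysauthreject=no.
    if general.get("allowguest", "yes").lower() != "no":
        findings.append(("general", "allowguest is not 'no': anonymous SIP calls reach the dialplan"))
    if general.get("alwaysauthreject", "no").lower() != "yes":
        findings.append(("general", "alwaysauthreject is not 'yes': REGISTER failures reveal which extensions exist"))
    for name, keys in conf.items():
        if name == "general" or keys.get("type", "").lower() not in ("friend", "peer", "user"):
            continue
        secret = keys.get("secret")
        if secret is None:
            findings.append((name, "no secret: peer authenticates without a password"))
        elif secret == name:
            findings.append((name, "secret equals the extension number"))
        elif len(secret) < 8 or secret.isdigit():
            findings.append((name, "short or all-numeric secret"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_sip_conf(SAMPLE_SIP_CONF):
        print(f"[{section}] {finding}")
```

On a FreePBX install the generated peer definitions live in files under /etc/asterisk (sip_additional.conf is the one FreePBX writes extensions to), so feed those to `audit_sip_conf` rather than the bare sip.conf. Peers inserted straight into MySQL, as in the post, only show up in those files after FreePBX regenerates them, so cross-check the result against `sip show peers` on the Asterisk CLI, which reports what is actually loaded.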
