+1

From: [email protected] [mailto:[email protected]] On Behalf Of Michael Picher
Sent: Thursday, November 15, 2012 7:49 AM
To: Discussion list for users of sipXecs software
Subject: Re: [sipx-users] Hacked SipXecs 4.4

yes, and using the word hacked as your subject is not particularly... helpful...

On Thu, Nov 15, 2012 at 3:32 PM, Tony Graziano <[email protected]> wrote:

you really need to look at the mail log to see where the mail is coming from regardless of your firewall settings. It can actually come from inside, you see.

On Thu, Nov 15, 2012 at 9:29 AM, Noah Mehl <[email protected]> wrote:

I am seeing more spam in my mail queue. I have iptables installed, and here are my rules:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pcsync-https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:xmpp-client
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5223
ACCEPT     all  --  192.168.0.0/16       anywhere
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:sip
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip-tls
ACCEPT     udp  --  sip02.gafachi.com    anywhere            state NEW udp dpts:sip:5080
ACCEPT     udp  --  204.11.192.0/22      anywhere            state NEW udp dpts:sip:5080
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

As far as I can tell, no one should be able to use port 25 from the world. Also, sendmail is only configured to allow relay from localhost:

[root@sipx1 ~]# cat /etc/mail/access
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost.localdomain           RELAY
Connect:localhost                       RELAY
Connect:127.0.0.1                       RELAY

Can someone please help me figure out where this spam is coming from?

Thanks.

~Noah

On Oct 13, 2012, at 10:17 AM, Noah Mehl <[email protected]> wrote:

> I did not change the configuration of anything related to the PlcmSpIp user. It does however make me feel better that it is related to the vsftpd service and the Polycom phones.
>
> From /etc/passwd:
>
> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>
> So, that user cannot ssh to a shell. So I don't think it was that.
>
> ~Noah
>
> On Oct 12, 2012, at 9:05 AM, Tony Graziano <[email protected]> wrote:
>
>> ... more -- it's a user that does not have login to the OS itself, just
>> vsftpd, which is restricted to certain commands and must present a
>> request for its MAC address in order to get a configuration file. It
>> is not logging into Linux unless someone changed the rights of the
>> user.
>>
>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <[email protected]> wrote:
>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>>> <[email protected]> wrote:
>>>> this is not a valid system user unless you have manually added it to the
>>>> system. I do think the logs would show more if access was granted. Why are
>>>> you exposing sshd to the outside world with an acl or by protecting it at
>>>> your firewall?
>>>>
>>>
>>> PlcmSpIp is the user used by Polycom phones for fetching config from server
>>>
>>> George
>>> _______________________________________________
>>> sipx-users mailing list
>>> [email protected]
>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>
>> --
>> ~~~~~~~~~~~~~~~~~~
>> Tony Graziano, Manager
>> Telephone: 434.984.8430
>> sip: [email protected]
>> Fax: 434.465.6833
>> ~~~~~~~~~~~~~~~~~~
>> Linked-In Profile:
>> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>> Ask about our Internet Fax services!
>> ~~~~~~~~~~~~~~~~~~
>>
>> Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
>>
>> --
>> LAN/Telephony/Security and Control Systems Helpdesk:
>> Telephone: 434.984.8426
>> sip: [email protected]
>>
>> Helpdesk Customers: http://myhelp.myitdepartment.net
>> Blog: http://blog.myitdepartment.net

--
Michael Picher, Director of Technical Services
eZuce, Inc.
300 Brickstone Square
Suite 201
Andover, MA. 01810
O.978-296-1005 X2015
M.207-956-0262
@mpicher <http://twitter.com/mpicher>
linkedin <http://www.linkedin.com/profile/view?id=35504760&trk=tab_pro>
www.ezuce.com

There are 10 kinds of people in the world, those who understand binary and those who don't.
