PBX hacker caught in the act
Here at Humbug Labs we work closely with several ITSPs to understand their business needs and to design visualizations and analytics that help solve their problems. Although we haven't officially released any of our fraud detection features, we do run tests in the background together with our alpha group as we prepare to launch them.
A classic case of telephony fraud worth sharing occurred Monday afternoon on one of our alpha group's PBXs. A hacker breached the PBX, created an extension, modified the dial plan, and managed to place several hundred calls to Mali (+223) (see graph).
Humbug staff were alerted and immediately notified the PBX manager, who took action to regain control of his system. Thanks to everyone's quick response, the entire attack lasted only 14 minutes, and what could have ended in tens of thousands of dollars in damages was instead cut off at less than $50.
A deep investigation by our staff, in coordination with the PBX manager, revealed that the hack was relatively sophisticated: back doors were found on the system, including running processes, remote administration interfaces, hidden cron jobs, and one FreePBX module installed by the hacker.
The infected machine ran Asterisk 126.96.36.199 / FreePBX 2.5.1.
A few things you can do to make sure your PBX is not infected in a similar way:
– run netstat -pl to make sure your processes are listening on the correct ports. The infected PBX had processes such as "crond" listening on port 80, which obviously stands out as abnormal.
– check your cron.daily entries and make sure you recognize all the processes that are set to run. The infected box was set to run processes such as "crond" and "sshd" every month on the 27th. This is strange.
– check whether your FreePBX installation has a module called "wrapfax". The infected machine included this module, which ran a remote administration tool called "NstView".
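The three checks above can be turned into a small audit script that an administrator can run regularly rather than by eye. The script below is an added example, not Humbug's code or part of FreePBX: each check is a shell function that reads its input on stdin, so it runs offline against the constructed sample data shown (shaped like the compromise described above: "crond" on port 80, "crond" and "sshd" scheduled on the 27th, an unknown "wrapfax" module), and with --live it reads the real netstat output, system crontabs and FreePBX module directory instead. The allowlists, the module path /var/www/html/admin/modules, the --live switch and all sample lines are assumptions you should adjust for your own box.

```shell
#!/bin/sh
# Added example (not Humbug's or FreePBX's code): three audit functions matching the
# checks above. Each reads stdin so it can run offline on the constructed samples
# below, or live via:  sh pbx-audit.sh --live   (the --live mode is an assumption).

# 1. Listening sockets: flag any port:program pair not on the admin's allowlist.
#    Input: output of `netstat -plnt` / `netstat -plnu`.
audit_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^(tcp|udp)/ {
      port = $4; sub(/.*:/, "", port)             # strip the address, keep the port
      prog = $NF; sub(/^[0-9-]*\//, "", prog)     # strip the "PID/" prefix
      if (!((port ":" prog) in ok)) print port ":" prog
    }'
}

# 2. System crontab entries (/etc/crontab and /etc/cron.d format:
#    m h dom mon dow user command). Flag any job whose command is a long-running
#    daemon: cron has no business (re)launching crond or sshd, and a fixed
#    day-of-month schedule for them is the tell described above.
audit_cron() {
  awk -v daemons="$1" '
    BEGIN { n = split(daemons, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
    /^[ \t]*(#|$)/ { next }                        # skip comments and blank lines
    NF >= 7 {
      cmd = $7; sub(/.*\//, "", cmd)               # basename of the command
      if (cmd in bad) print
    }'
}

# 3. FreePBX modules: report every installed module name that is not on a baseline
#    list the admin verified earlier (input: one module directory name per line).
audit_modules() {
  awk -v base="$1" '
    BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) known[b[i]] = 1 }
    NF && !($1 in known) { print $1 }'
}

# --- constructed sample data, shaped like the compromise described above ---
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2044/crond
udp        0      0 0.0.0.0:5060            0.0.0.0:*                           901/asterisk'
ALLOWED_LISTENERS='22:sshd 80:httpd 80:apache2 5060:asterisk 5038:asterisk'

SAMPLE_CRON='# m h dom mon dow user command
0 4 * * * root /usr/sbin/logrotate /etc/logrotate.conf
15 3 27 * * root /usr/sbin/crond
20 3 27 * * root /usr/sbin/sshd'
DAEMON_NAMES='crond cron sshd'

SAMPLE_MODULES='core
framework
dashboard
wrapfax'
BASELINE_MODULES='core framework dashboard'

# Offline demonstration: prints 80:crond, the two cron lines, and wrapfax.
run_offline() {
  printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners "$ALLOWED_LISTENERS"
  printf '%s\n' "$SAMPLE_CRON"    | audit_cron "$DAEMON_NAMES"
  printf '%s\n' "$SAMPLE_MODULES" | audit_modules "$BASELINE_MODULES"
}

if [ "${1:-}" = "--live" ]; then
  netstat -plnt 2>/dev/null | audit_listeners "$ALLOWED_LISTENERS"
  netstat -plnu 2>/dev/null | audit_listeners "$ALLOWED_LISTENERS"
  cat /etc/crontab /etc/cron.d/* 2>/dev/null | audit_cron "$DAEMON_NAMES"
  ls /var/www/html/admin/modules | audit_modules "$BASELINE_MODULES"   # path assumed
fi
```

Anything the script prints is a finding to investigate, not proof of compromise on its own: a legitimate web server on port 80 that is missing from the allowlist will be reported too, which is the point of keeping the allowlist and module baseline specific to each box. The cron check only covers the system crontab format with a user field; per-user crontabs (crontab -l) and the cron.daily directory itself should be reviewed alongside it.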
If you'd like further information on this attack, or you have found your PBX to be infected, please let us know!