Support A2Billing :

provided by Star2Billing S.L.

 Post subject: A2B was hacked
PostPosted: Wed Jul 13, 2011 11:02 am 
Joined: Fri Dec 03, 2010 5:18 pm
Posts: 35
My A2B server got hacked and the crooks ran lots of traffic to Sierra Leone. They were able to register using SIP accounts in A2B. Seems even after changing some of the SIP passwords they were still able to register.

I was hacked from 2.54.254.131, 41.206.147.202 and 41.69.251.225, 41.69.251.227


They were able to run the accounts into the negative? For example, one account was -$450.00.
A2B should have been able to block the calls once the accounts reached $0.

Any ideas how to ensure A2B blocks accounts when they reach $0?

Dave


 Post subject: Re: A2B was hacked
PostPosted: Wed Jul 13, 2011 12:03 pm 
Joined: Fri Dec 03, 2010 5:18 pm
Posts: 35
Seems the crooks got my database using:

/xxxcard/ratesmain.php?cnt=&al=A'+and+1=0+%20Union%20Select%20%201%20,2,3,%20UNHEX(HEX(CONCAT(CHAR(64),CHAR(95),CHAR(64),id_cc_card,char(59),fromuser,char(59),fromdomain,char(59),secret,char(59),CHAR(64),CHAR(95),CHAR(64))))%20+FROM+a2billing.cc_sip_buddies%20%20LIMIT%205,1--%20-

and

requests look like:
/xxxxxcard/ratesmain.php?cnt=&al=A'+and+1=0+%20Union%20Select%20%201%20,2,3,%20UNHEX(HEX(concat(0xxxxxxxx,table_name,xxxxxxxx)))%20+FROM+INFORMATION_SCHEMA.tables+where+table_schema=Concat(char(97),char(115),char(116),char(101),char(114),char(105),char(115),char(107))+LIMIT%209,1--%20-
This request gets the table names/info directly from the DB.


 Post subject: Re: A2B was hacked
PostPosted: Thu Jul 14, 2011 3:11 am 
Joined: Mon Jan 08, 2007 6:56 pm
Posts: 345
Seems they uploaded a rogue file to your site:
Code:
ratesmain.php
Possibly other back door files too; you will need to clean your site.

How do you believe they got write access to your server?


 Post subject: Re: A2B was hacked
PostPosted: Thu Jul 14, 2011 9:47 pm 
Joined: Fri Dec 03, 2010 5:18 pm
Posts: 35
My guys told me they used sql injection. Seems my site developer was not that good on security.

Dave


 Post subject: Re: A2B was hacked
PostPosted: Fri Aug 05, 2011 6:57 pm 
Joined: Sat Nov 21, 2009 4:09 pm
Posts: 21
Sadly this has happened to me 4 times.
I wish there was some fix to disconnect the calls after the balance reaches $0 or maybe -$5


 Post subject: Re: A2B was hacked
PostPosted: Fri Aug 05, 2011 11:32 pm 
Joined: Mon Jan 08, 2007 6:56 pm
Posts: 345
Do you have call logs on these calls that you can post (masking confidential information)? It might shed some light on what is happening during the rating and progress.


 Post subject: Re: A2B was hacked
PostPosted: Tue Sep 20, 2011 4:30 am 
Joined: Thu Apr 21, 2011 5:22 pm
Posts: 106
I know this is not an a2billing problem but an SQL problem. How can we possibly prevent SQL injection then?


 Post subject: Re: A2B was hacked
PostPosted: Sun Sep 25, 2011 6:44 pm 
Joined: Mon Jan 08, 2007 6:56 pm
Posts: 345
To prevent an account from going into negative:

1. PHP must be compiled with pcntl (php -m to find out)
2. Make it a prepaid account
3. If a postpaid account, set a credit limit on the account

SQL injection is done when you collect user data from a form, such as name, address and so on. The injection part comes in when they enter SQL data and the application does not sanitize it, and it gets passed along to the SQL server.

A2B does a very good job of sanitizing the input data from users. It appears the poster had some modifications done that created the security hole.

Note, however, injection is not the only way to hack a site.
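As an added illustration of the injection the thread describes and of the parameter binding that prevents it (example code, not A2Billing's own): the table layouts, the rates query, the function names and the access-log lines are constructed for the demo, and the payload is reduced to SQLite syntax. The same payload leaks SIP secrets through the concatenated query and returns nothing through the bound one, and a small log check flags the request shape quoted above.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

def make_db():
    """Constructed in-memory stand-in for a rates table and the cc_sip_buddies table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cc_ratecard (id INTEGER, destination TEXT, rate REAL);
        INSERT INTO cc_ratecard VALUES (1, 'Albania', 0.12), (2, 'Sierra Leone', 0.45);
        CREATE TABLE cc_sip_buddies (id_cc_card INTEGER, fromuser TEXT, secret TEXT);
        INSERT INTO cc_sip_buddies VALUES (42, '1001', 'constructed-secret');
    """)
    return conn

def rates_by_letter_vulnerable(conn, al):
    # The flaw: the 'al' parameter is pasted into the SQL text, so a quote ends the
    # literal and the rest of the value is executed as SQL (a UNION against another table).
    sql = f"SELECT id, destination, rate FROM cc_ratecard WHERE destination LIKE '{al}%'"
    return conn.execute(sql).fetchall()

def rates_by_letter_safe(conn, al):
    # The fix: bind the value as a parameter; the driver passes it as data, never as SQL.
    sql = "SELECT id, destination, rate FROM cc_ratecard WHERE destination LIKE ? || '%'"
    return conn.execute(sql, (al,)).fetchall()

# Same shape as the request quoted in the thread, reduced to SQLite syntax (no HEX/UNHEX).
INJECTED_AL = "A' AND 1=0 UNION SELECT id_cc_card, fromuser, secret FROM cc_sip_buddies -- "

# Detection side: markers that should never appear in a decoded rates-page query string.
SQLI_MARKERS = re.compile(r"union\s+select|information_schema|unhex\s*\(", re.IGNORECASE)

def suspicious_requests(log_lines):
    """Return the access-log lines whose URL-decoded request path carries SQLi markers."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m and SQLI_MARKERS.search(unquote_plus(m.group(1))):
            hits.append(line)
    return hits

# Constructed access-log sample (documentation IP) mirroring the request quoted above.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Jul/2011:10:55:01 +0000] "GET /xxxcard/ratesmain.php?cnt=&al=A HTTP/1.1" 200 512',
    '203.0.113.5 - - [13/Jul/2011:10:55:09 +0000] "GET /xxxcard/ratesmain.php?cnt=&al=A%27+and+1%3D0+Union%20Select%201,2,3+FROM+INFORMATION_SCHEMA.tables--+- HTTP/1.1" 200 734',
]
```

Binding parameters stops the injection; if literal matching of `%` and `_` matters for the LIKE, those characters still need escaping separately.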

