Support A2Billing :

provided by Star2Billing S.L.

Support A2Billing :
It is currently Wed Apr 26, 2017 5:42 pm
Predictive Dialer


All times are UTC




Post new topic Reply to topic  [ 19 posts ]  Go to page 1, 2  Next
Author Message
 Post subject: a2billing hacked
PostPosted: Mon Feb 13, 2012 12:58 am 
Offline

Joined: Wed Mar 31, 2010 3:45 am
Posts: 132
Location: São Paulo
I would like to ask help in order to identify a possible weakness in a2billing installation

Recently I noticed someone managed to use one of my customers account to make calls
The most interesting part is that the person first introduced credit without any real payment and then started the calls

Code:
[2012-02-12 02:15:39] VERBOSE[29091] pbx.c:     -- Executing [[email protected]:1] NoOp("SIP/69950502032-00000161", "A2Billing Start") in new stack
[2012-02-12 02:15:39] VERBOSE[29091] pbx.c:     -- Executing [[email protected]:2] Set("SIP/69950502032-00000161", "CDR(recvip)=86.127.8.13") in new stack
[2012-02-12 02:15:39] VERBOSE[29091] pbx.c:     -- Executing [[email protected]:3] NoOp("SIP/69950502032-00000161", "IP 86.127.8.13, Zoiper Communicator Biz 2.05.11136 rev.11135") in new stack
[2012-02-12 02:15:39] VERBOSE[29091] pbx.c:     -- Executing [[email protected]:4] NoOp("SIP/69950502032-00000161", "Codec g729, g729") in new stack
[2012-02-12 02:15:39] VERBOSE[29091] pbx.c:     -- Executing [[email protected]:5] AGI("SIP/69950502032-00000161", "a2billing.php,1") in new stack
[2012-02-12 02:15:39] VERBOSE[29091] res_agi.c:     -- Launched AGI Script /var/lib/asterisk/agi-bin/a2billing.php
[2012-02-12 02:15:40] VERBOSE[29091] res_agi.c:     -- AGI Script Executing Application: (DIAL) Options: (SIP/xx.xx.xx.xx:6060/25240910727,60,HRriL(36000000:61000:30000))
[2012-02-12 02:15:40] VERBOSE[29091] netsock2.c:   == Using SIP RTP CoS mark 5
[2012-02-12 02:15:40] VERBOSE[29091] app_dial.c:     -- Called SIP/xx.xx.xx.xx:6060/25240910727
[2012-02-12 02:15:42] VERBOSE[29091] app_dial.c:     -- SIP/xx.xx.xx.xx:6060-00000162 is ringing
[2012-02-12 02:15:42] VERBOSE[29091] app_dial.c:     -- SIP/xx.xx.xx.xx:6060-00000162 answered SIP/69950502032-00000161
[2012-02-12 02:15:42] DEBUG[29091] channel.c: setting peeraccount to 69950502019 for SIP/69950502032-00000161 from data on channel SIP/xx.xx.xx.xx:6060-00000162
[2012-02-12 02:15:42] VERBOSE[29091] res_musiconhold.c:     -- Started music on hold, class 'default', on SIP/xx.xx.xx.xx:6060-00000162
[2012-02-12 02:15:43] VERBOSE[2883] netsock2.c:   == Using SIP RTP CoS mark 5
[2012-02-12 02:15:43] VERBOSE[29095] pbx.c:     -- Executing [[email protected]:1] NoOp("SIP/69950502032-00000163", "A2Billing Start") in new stack
[2012-02-12 02:15:43] VERBOSE[29095] pbx.c:     -- Executing [[email protected]:2] Set("SIP/69950502032-00000163", "CDR(recvip)=86.127.8.13") in new stack
[2012-02-12 02:15:43] VERBOSE[29095] pbx.c:     -- Executing [[email protected]:3] NoOp("SIP/69950502032-00000163", "IP 86.127.8.13, Zoiper Communicator Biz 2.05.11136 rev.11135") in new stack
[2012-02-12 02:15:43] VERBOSE[29095] pbx.c:     -- Executing [[email protected]:4] NoOp("SIP/69950502032-00000163", "Codec g729, g729") in new stack
[2012-02-12 02:15:43] VERBOSE[29095] pbx.c:     -- Executing [[email protected]:5] AGI("SIP/69950502032-00000163", "a2billing.php,1") in new stack
[2012-02-12 02:15:43] VERBOSE[29095] res_agi.c:     -- Launched AGI Script /var/lib/asterisk/agi-bin/a2billing.php
[2012-02-12 02:15:43] VERBOSE[29095] res_agi.c:     -- AGI Script Executing Application: (DIAL) Options: (SIP/xx.xx.xx.xx:6060/25240910727,60,HRriL(36000000:61000:30000))
[2012-02-12 02:15:43] VERBOSE[29095] netsock2.c:   == Using SIP RTP CoS mark 5
[2012-02-12 02:15:43] VERBOSE[29095] app_dial.c:     -- Called SIP/xx.xx.xx.xx:6060/25240910727
[2012-02-12 02:15:45] VERBOSE[29095] app_dial.c:     -- SIP/69950502032-00000163 requested special control 16, passing it to SIP/xx.xx.xx.xx:6060-00000164
[2012-02-12 02:15:45] VERBOSE[29095] res_musiconhold.c:     -- Started music on hold, class 'default', on SIP/xx.xx.xx.xx:6060-00000164
[2012-02-12 02:15:45] VERBOSE[29095] app_dial.c:     -- SIP/69950502032-00000163 requested special control 20, passing it to SIP/xx.xx.xx.xx:6060-00000164
[2012-02-12 02:15:45] VERBOSE[2883] netsock2.c:   == Using SIP RTP CoS mark 5
[2012-02-12 02:15:45] VERBOSE[29099] pbx.c:     -- Executing [[email protected]:1] NoOp("SIP/69950502032-00000165", "A2Billing Start") in new stack
[2012-02-12 02:15:45] VERBOSE[29099] pbx.c:     -- Executing [[email protected]:2] Set("SIP/69950502032-00000165", "CDR(recvip)=86.127.8.13") in new stack
[2012-02-12 02:15:45] VERBOSE[29099] pbx.c:     -- Executing [[email protected]:3] NoOp("SIP/69950502032-00000165", "IP 86.127.8.13, Zoiper Communicator Biz 2.05.11136 rev.11135") in new stack
[2012-02-12 02:15:45] VERBOSE[29099] pbx.c:     -- Executing [[email protected]:4] NoOp("SIP/69950502032-00000165", "Codec g729, g729") in new stack
[2012-02-12 02:15:45] VERBOSE[29099] pbx.c:     -- Executing [[email protected]:5] AGI("SIP/69950502032-00000165", "a2billing.php,1") in new stack
[2012-02-12 02:15:45] VERBOSE[29099] res_agi.c:     -- Launched AGI Script /var/lib/asterisk/agi-bin/a2billing.php
[2012-02-12 02:15:45] VERBOSE[29095] app_dial.c:     -- SIP/xx.xx.xx.xx:6060-00000164 is ringing
[2012-02-12 02:15:45] VERBOSE[29095] app_dial.c:     -- SIP/xx.xx.xx.xx:6060-00000164 answered SIP/69950502032-00000163
[2012-02-12 02:15:45] DEBUG[29095] channel.c: setting peeraccount to 69950502019 for SIP/69950502032-00000163 from data on channel SIP/xx.xx.xx.xx:6060-00000164
[2012-02-12 02:15:45] VERBOSE[29099] res_agi.c:     -- AGI Script Executing Application: (DIAL) Options: (SIPxx.xx.xx.xx:6060/25240910727,60,HRriL(36000000:61000:30000))
[2012-02-12 02:15:45] VERBOSE[29099] netsock2.c:   == Using SIP RTP CoS mark 5
[2012-02-12 02:15:45] VERBOSE[29099] app_dial.c:     -- Called SIP/xx.xx.xx.xx:6060/25240910727
[2012-02-12 02:15:47] VERBOSE[29099] app_dial.c:     -- SIP/69950502032-00000165 requested special control 16, passing it to SIP/xx.xx.xx.xx:6060-00000166
[2012-02-12 02:15:47] VERBOSE[29099] res_musiconhold.c:     -- Started music on hold, class 'default', on SIP/xx.xx.xx.xx:6060-00000166
[2012-02-12 02:15:47] VERBOSE[29099] app_dial.c:     -- SIP/69950502032-00000165 requested special control 20, passing it to SIP/xx.xx.xx.xx:6060-00000166


some of the calls didnt get registered and I could noticed a special code 20 in the logs

Code:
[2012-02-12 02:15:47] VERBOSE[29099] app_dial.c:     -- SIP/69950502032-00000165 requested special control 20, passing it to SIP/xx.xx.xx.xx:6060-00000166



my dial plan has HRirl

I have no indication that this person has access to root as the secure log does not show anyone loging and ssh was infact disabled.

How can someone do such a thing, insert credit to an account without actualy pay it?
How is possible to place multiple calls if dial command should not allow it?
I have fail2ban set to block user after 3 wrong attempts :-(
And even more important how can I prevent that from happening in the future?

Many thanks


Top
 Profile  
 
 Post subject: Re: a2billing hacked
PostPosted: Mon Feb 13, 2012 2:00 am 
Offline

Joined: Mon Jan 08, 2007 6:56 pm
Posts: 345
Notice the same phone number is being dialed each time. Each call puts the other on hold. This is an automated hack that stumbled upon an open SIP port. In this case, the open SIP port belongs to the client. The client is on a public IP or the SIP port is forwarded by the router setting. The phone is registered to your Asterisk so the hack is using the VOIP phone as proxy.

1. No credit was added
2. Hacker was looking to exploit a real server port
3. Hacker is not really interested in a client port , but it costs the client when he "tests" the port to exploit later.
4. This hack only affects one client and its balance

How to defend against this:

1.Never forward the sip port of the voip phone making it visible on the web
2.Never put the sip phone on an public IP
3.Tell your customers never to do this.

Note: You can only safely forward the RTP ports to the sip phone IP, but not the signalling.

An open SIP port on the web is reserved for servers and without added protection, they too are vulnerable.


Top
 Profile  
 
 Post subject: Re: a2billing hacked
PostPosted: Thu Mar 29, 2012 12:53 am 
Offline

Joined: Wed Mar 31, 2010 3:45 am
Posts: 132
Location: São Paulo
Hi vulcan,

thank you for your explanation.
it has been difficult to track down what have happened.
I was afraid hackers had somehow access to the server and made some code injection.
You mentioned by the log that no credit were added but in fact the customer suddenly appeared with 1000 us$ credit he didn't have.
I changed all sip clients passwords and admin server passwords just in case and made sure fail2ban was catching any attempt of brut force.
So far I did not have any other surprise.
I advise, like you said, the customer to not put their phones on a public IP
I really appreciate your attention.

I hope this stays this way.

Best regards,
Renato.


Top
 Profile  
 
 Post subject: Re: a2billing hacked
PostPosted: Sat May 19, 2012 6:37 am 
Offline

Joined: Sun Jul 04, 2010 4:39 pm
Posts: 5
Hi renatofb,

I have a box with A2Billing 1.9.4 having the exact same situation as yours. Suddenly, of my customer's accounts were being filled up to $10,000. And the hacker is using all the customer's account to make expensive calls and trained all my provider balance quickly. And besides this, I had the paypal account being hacked similar to another thread.

Just like yours, the back end ssh has no sign of being accessed other than my own IP address. So if someone from the development sees this, please help, or someone who has resolved this issue. As this is a critical issue that could potentially happening to all new A2Billing server out there.

Henry


Top
 Profile  
 
 Post subject: Re: a2billing hacked
PostPosted: Sat May 19, 2012 9:36 am 
Offline

Joined: Mon Jan 08, 2007 6:56 pm
Posts: 345
To get any kind of insight on this, you have to provide all the clues.

Quote:
I have a box with A2Billing 1.9.4 having the exact same situation as yours.


Really? Show the log as renatofb did.

Quote:
And besides this, I had the paypal account being hacked similar to another thread.


Where?

When you login to paypal did you see $10,000 in your account from this customer?

You have to help find the hole, because nobody in here seems to know.

Are you using the web interface in the original version?
Is your mysql port exposed to the web?
Are you running properly configured fire wall?
Is your machine on a public IP?
Do you have SSL installed on your domain?
Is you apache configured correctly?
Is your machine running the latest updates?


Top
 Profile  
 
 Post subject: Re: a2billing hacked
PostPosted: Mon May 28, 2012 4:52 pm 
Offline

Joined: Wed Mar 31, 2010 3:45 am
Posts: 132
Location: São Paulo
I had no other problem so far.

I discovered that my firewall was not loading the rules automaticaly and even with fail2ban installed that was not enough to keep hackers away.

So I made sure the rules from firewall was loding in case of restart and reenforced some rules actions in fail2ban.

it is good idea to monitor the httpd logs for attempts of code injection and blocke the ips too. That's what I did.

I hope this tips helps.

Regards,


Top
 Profile  
 
 Post subject: Re: a2billing hacked
PostPosted: Mon Nov 19, 2012 1:00 am 
Offline

Joined: Fri Jan 15, 2010 9:15 pm
Posts: 7
This has just happened to one of our servers.

Not even hooked up to any payment provider.

We have checked the HTTP logs and no access or brute access what so ever. Also know brute access on SSH or Asterisk.

We also have fail2ban installed.

This is something that is serious. Could they have direct access to the SQL database? As everything in that i have noticed is not encrypted.


Top
 Profile  
 
 Post subject: Re: a2billing hacked
PostPosted: Thu Nov 22, 2012 4:49 am 
Offline

Joined: Sat May 10, 2008 4:19 pm
Posts: 132
Location: Wilmington, DE
Hi All,
A few weeks ago a crook signed up for an account and skipped over the block I have in user_info.php by inserting https://myserver/A2Bfolder/customer/checkout_payment.php in the url. They then selected 500 and was able to get that amount on the newly created account without any trace of a transaction at PayPal. Luckily they were not able to make calls because the call plan assigned to new accounts does not have any rate cards attached to it.

Anyhow, I suspect that after selecting the amount on the PayPal screen, they are somehow able to insert another string in the URL and A2B would credit the account. That's my guess because my MySQL is on a separate server with internal access only. No "footprints" anywhere.

Early this morning I was not so lucky. One account ($30.00) was drained. To my surprise the caller ID on all of the calls to Somalia was my own phone number and the account was mine, used for live testing. Though the account was post-paid with 0 (zero) credit limit, they were able to make over $100.00 worth of calls before it all ended.

I checked all of the logs and couldn't find any access violations. So my only conclusion is that they spoofed the phone number and called one of the access numbers. Since no pin is required, they were able to make several calls.

I have since enabled the lock code feature and would like to tell my customers to enable that feature without scaring them. If anyone has any ideas on what the other possibilities are for the above situation or any suggestion on security, or the best approach to avoid such occurrences, I would appreciate it greatly. I'm sure other users would welcome your ideas.

Thanks,

Robin


Top
 Profile  
 
 Post subject: Re: a2billing hacked
PostPosted: Thu Nov 22, 2012 7:16 am 
Offline

Joined: Fri Jun 23, 2006 3:56 pm
Posts: 4064
Hi

Do ensure that you are using the latest (2.01) of A2Billing.

Also verifying your customers and ensuring that you know who they are is a good security measure employed by a number of VoIP operators, in that they ask for a scan of a credit card and/or a utility bill, although in RobinA's case this may not have helped.

Is your telephone number they used as a callerID published on your website, or website registration details. In other words, from your A2Billing website, could they have discovered with a bit of googling, your telephone number, and then tried that as a likely candidate?

Joe


Top
 Profile  
 
 Post subject: Re: a2billing hacked
PostPosted: Thu Nov 22, 2012 3:33 pm 
Offline

Joined: Sat May 10, 2008 4:19 pm
Posts: 132
Location: Wilmington, DE
Joe,
Thanks for your reply.

I and everyone should really upgrade just for the security features in 2.01. The problem is that there are bad guys studying the code and looking for ways to exploit the system.

I do not request scanned copies of credit cards, but I do think it will help. In our system, the default call plan for new signups does not have any rate cards attached, so they cannot make calls until approved. If they're not recommended by a current user, we check their phone number, the IP address they signup from against the physical address and other factors before letting them in the system. The one hurdle we're yet to overcome is determining whether they are using a proxy server. Since blocking by country using iptables does not work for us, we have a list of countries that are allowed access and every IPaddress is checked using www.ipinfodb.com upon accessing the signup or any other page. If their address is not on the list of countries approved, they are taken to a government site and the IP blocked.

The number used in the spoofing attack is our main office number that is posted on the site (Contact us). That is completely my fault, and I hope others may learn from my mistake.

Thanks again,

Robin.


Top
 Profile  
 
 Post subject: Re: a2billing hacked
PostPosted: Fri Nov 23, 2012 6:16 am 
Offline

Joined: Fri Jun 23, 2006 3:56 pm
Posts: 4064
Hi

Quote:
The problem is that there are bad guys studying the code and looking for ways to exploit the system


Conversely, the good guys are scanning the code too, and reporting security issues.

Joe


Top
 Profile  
 
 Post subject: Re: a2billing hacked
PostPosted: Tue Nov 27, 2012 7:40 am 
Offline

Joined: Thu Apr 21, 2011 5:22 pm
Posts: 106
Oh! :o

My system got hacked today and the bad guy inserted a credit of 149 Euros via paypal. I don't have that amount as an option. I got a transaction confirmation of the transaction from A2billing with the post var array. The interesting thing is the receiver address was not mine. No such transaction appeared on my paypal statement.

I however noticed the hacker signed up for an account, went up to payment_confirmation.php. In this file, the paypal notify url is already populated for that transaction. They then must have a code or server that sends paypal payment headers and ipn to the a2billing notify url which can be seen when you view page source.

The question now is, how do we hide the payment notifyurl from being displayed in the page source?

Hackers have developed software that mimics the ipn system in paypal. How can I validate that a PayPal IPN POST request to my specified notifyURL is indeed coming from PayPal?


Top
 Profile  
 
 Post subject: Re: a2billing hacked
PostPosted: Mon Feb 25, 2013 7:59 pm 
Offline

Joined: Mon Apr 14, 2008 8:37 pm
Posts: 355
Location: Canada
I have recently had this EXACT same problem: people calling the access number using my customer service number as the callerid. Does the upgrade fix this? How hard is it to upgrade the interfaces? We have made quite a bit of cusotmizations to our install of 1.9.4

Any advice would be great


Top
 Profile  
 
 Post subject: Re: a2billing hacked
PostPosted: Sun Nov 30, 2014 2:53 pm 
Offline

Joined: Wed Nov 25, 2009 12:01 pm
Posts: 90
sanjap wrote:
Oh! :o

My system got hacked today and the bad guy inserted a credit of 149 Euros via paypal. I don't have that amount as an option. I got a transaction confirmation of the transaction from A2billing with the post var array. The interesting thing is the receiver address was not mine. No such transaction appeared on my paypal statement.

I however noticed the hacker signed up for an account, went up to payment_confirmation.php. In this file, the paypal notify url is already populated for that transaction. They then must have a code or server that sends paypal payment headers and ipn to the a2billing notify url which can be seen when you view page source.

The question now is, how do we hide the payment notifyurl from being displayed in the page source?

Hackers have developed software that mimics the ipn system in paypal. How can I validate that a PayPal IPN POST request to my specified notifyURL is indeed coming from PayPal?



Im running a2b 2.13 and it was hacked in the same way. Hackers have signed up an account and spoofed a payment drained my credit. There is no trace of backdoor shh entry. have fail2ban and iptable configured unauthorised access.

Hackers much have some code ejection to credit an account, Anyone found any solution for this Hack?


Top
 Profile  
 
 Post subject: Re: a2billing hacked
PostPosted: Mon Dec 01, 2014 7:11 pm 
Offline

Joined: Fri Mar 01, 2013 8:53 pm
Posts: 38
The Best way to avoid this is allowing only Ip's from your Country, in my case i'm from México and only Ip addresses from México are allowed in my server, so in this way, any other ip from a foreign country cannot get acces from web to my server


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 19 posts ]  Go to page 1, 2  Next
Voice Broadcast System


All times are UTC


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group