You need to go to the Extension setting and set the nat to "YES".
This is only applicable to the CCRNET elastix server.
Saturday, July 4, 2015
Wednesday, February 18, 2015
New hacker way !! - thru a2billing https port
The extensions_custom.sh was modified and this was notified via the gmail.
However, there are few rows being added at the end of the extensions_custom.sh to allow the hacker to access the asterisk anonymously.
The file continue to be modified as long as the httpd is up and running. The only way to block is to stop the httpd service.
Further checking using the tcpdump
tcpdump -i eth0 port https
It shown that the IP from the germany was trying to access the https..
Further check on this IP on the /var/log/httpd/
you can see that it was trying to access the asterisk via /a2billing/Public folder and
/a2billing//admin/Public/A2B_php_stats.php and in this file, you can see it was trying to access the md5 password for all acl user. maybe from here, it can access all user password..
I used the
/sbin/iptables -I INPUT -s 46.165.210.0/24 -j DROP
to block this specific IP to access our https
However, there are few rows being added at the end of the extensions_custom.sh to allow the hacker to access the asterisk anonymously.
The file continue to be modified as long as the httpd is up and running. The only way to block is to stop the httpd service.
Further checking using the tcpdump
tcpdump -i eth0 port https
It shown that the IP from the germany was trying to access the https..
Further check on this IP on the /var/log/httpd/
you can see that it was trying to access the asterisk via /a2billing/Public folder and
/a2billing//admin/Public/A2B_php_stats.php and in this file, you can see it was trying to access the md5 password for all acl user. maybe from here, it can access all user password..
I used the
/sbin/iptables -I INPUT -s 46.165.210.0/24 -j DROP
to block this specific IP to access our https
Backup wav recording file to s3
Firstly, you need to create bucket in the s3 using the following commands
http://s3tools.org/usage
Check the bucket status via amazon gui
https://console.aws.amazon.com/s3/home?region=ap-southeast-1
e.g copy a file into the s3 using s3cmd put s3://
By right, s3 charges is cheaper than the ssd or standard volume
http://s3tools.org/usage
Check the bucket status via amazon gui
https://console.aws.amazon.com/s3/home?region=ap-southeast-1
e.g copy a file into the s3 using s3cmd put
By right, s3 charges is cheaper than the ssd or standard volume
Sunday, January 25, 2015
asterisk was hacked and modified - extensions_custom.conf
the above file was modified to add on the following entries
< [ext-did-0002-custom]
< exten => 60321069614,1,Set(__FROM_DID=${EXTEN})
< exten => 60321069614,n,Gosub(app-blacklist-check,s,1)
< exten => 60321069614,n,ExecIf($[ "${CALLERID(name)}" = "" ] ?Set(CALLERID(name)=${CALLERID(num)}))
< exten => 60321069614,n,Set(__CALLINGPRES_SV=${CALLERPRES()})
< exten => 60321069614,n,Set(CALLERPRES()=allowed_not_screened)
< exten => 60321069614,n(dest-ext),Goto(ext-group,991,1)
< [ext-did-0002-custom]
< exten => 60321069614,1,Set(__FROM_DID=${EXTEN})
< exten => 60321069614,n,Gosub(app-blacklist-check,s,1)
< exten => 60321069614,n,ExecIf($[ "${CALLERID(name)}" = "" ] ?Set(CALLERID(name)=${CALLERID(num)}))
< exten => 60321069614,n,Set(__CALLINGPRES_SV=${CALLERPRES()})
< exten => 60321069614,n,Set(CALLERPRES()=allowed_not_screened)
< exten => 60321069614,n(dest-ext),Goto(ext-group,991,1)
from the report tab, you can see that they trying to call out to IDD number using the above extension.
Question.. how the hell they can modify the file with root permission ??
Saturday, January 3, 2015
playSMS - how to customise the web look and feel
Surprisingly, under the /var/www/html, you don't find the index.html but index.php instead and despite that, it is not easy to figure out on how they programmed the html.. based on the "source code", from the browser, I can only identify some of the codes are from
./plugin/themes/default/templates/themes_layout.html
but yet to understand the logic behind
./plugin/themes/default/templates/themes_layout.html
but yet to understand the logic behind
playSMS - introduction and tips to customise your own gateway
replicate the gateway directory
/var/www/html/playsms/plugin/gateway
But you also need to change the /var/www/html/playsms/plugin/gateway//config.php and fn.php, try to search for "your name" within this directory to see what others need to be changed.
You will not be able to access the/playSMS if you only introduced new directory within making the above modifications.
However, once the above is done, you can access the/playSMS but still I don't see the new your gateway under the "Manage Gateway" menu... so.. need to explore further...
/var/www/html/playsms/plugin/gateway
But you also need to change the /var/www/html/playsms/plugin/gateway/
You will not be able to access the
However, once the above is done, you can access the
Thursday, January 1, 2015
fail2ban - to include all Malaysia IP Range into the whilelist
go to http://software77.net/geo-ip/ to extract all the IP ranges with CIDR format
login to server, go to /etc/fail2ban/jail.conf
edit the file and go to "ignoreip" to include all the IP range above
and then restart the fail2ban /etc/rc.d/init.d/fail2ban restart
login to server, go to /etc/fail2ban/jail.conf
edit the file and go to "ignoreip" to include all the IP range above
and then restart the fail2ban /etc/rc.d/init.d/fail2ban restart
Subscribe to:
Posts (Atom)