Saturday, July 4, 2015

RTP - caller can't hear voice on ccrnet extension

You need to go to the Extension setting and set the nat to "YES".
This is only applicable to the CCRNET elastix server.

Wednesday, February 18, 2015

New hacker way !! - thru a2billing https port

The extensions_custom.sh was modified and this was notified via the gmail.

However, there are few rows being added at the end of the extensions_custom.sh to allow the hacker to access the asterisk anonymously.

The file continue to be modified as long as the httpd is up and running. The only way to block is to stop the httpd service.

Further checking using the tcpdump
tcpdump -i eth0 port https

It shown that the IP from the germany was trying to access the https..

Further check on this IP on the /var/log/httpd/
you can see that it was trying to access the asterisk via /a2billing/Public folder and
/a2billing//admin/Public/A2B_php_stats.php and in this file, you can see it was trying to access the md5 password for all acl user. maybe from here, it can access all user password..

I used the
/sbin/iptables -I INPUT -s 46.165.210.0/24 -j DROP

to block this specific IP to access our https

Backup wav recording file to s3

Firstly, you need to create bucket in the s3 using the following commands

http://s3tools.org/usage

Check the bucket status via amazon gui
https://console.aws.amazon.com/s3/home?region=ap-southeast-1

e.g copy a file into the s3 using s3cmd put s3://

By right, s3 charges is cheaper than the ssd or standard volume

Sunday, January 25, 2015

asterisk was hacked and modified - extensions_custom.conf

the above file was modified to add on the following entries

< [ext-did-0002-custom]
< exten => 60321069614,1,Set(__FROM_DID=${EXTEN})
< exten => 60321069614,n,Gosub(app-blacklist-check,s,1)
< exten => 60321069614,n,ExecIf($[ "${CALLERID(name)}" = "" ] ?Set(CALLERID(name)=${CALLERID(num)}))
< exten => 60321069614,n,Set(__CALLINGPRES_SV=${CALLERPRES()})
< exten => 60321069614,n,Set(CALLERPRES()=allowed_not_screened)
< exten => 60321069614,n(dest-ext),Goto(ext-group,991,1)

from the report tab, you can see that they trying to call out to IDD number using the above extension. 

Question.. how the hell they can modify the file with root permission ??


Saturday, January 3, 2015

playSMS - how to customise the web look and feel

Surprisingly, under the /var/www/html, you don't find the index.html but index.php instead and despite that, it is not easy to figure out on how they programmed the html.. based on the "source code", from the browser, I can only identify some of the codes are from

./plugin/themes/default/templates/themes_layout.html

but yet to understand the logic behind

playSMS - introduction and tips to customise your own gateway

replicate the gateway directory
/var/www/html/playsms/plugin/gateway

But you also need to change the /var/www/html/playsms/plugin/gateway//config.php and fn.php, try to search for "your name" within this directory to see what others need to be changed. 

You will not be able to access the /playSMS if you only introduced new directory within making the above modifications. 

However, once the above is done, you can access the /playSMS but still I don't see the new your gateway under the "Manage Gateway" menu... so.. need to explore further... 

Thursday, January 1, 2015

fail2ban - to include all Malaysia IP Range into the whilelist

go to http://software77.net/geo-ip/ to extract all the IP ranges with CIDR format

login to server, go to /etc/fail2ban/jail.conf

edit the file and go to "ignoreip" to include all the IP range above

and then restart the fail2ban /etc/rc.d/init.d/fail2ban restart