The extensions_custom.conf file was modified and the change was notified via Gmail.
This time a few rows had been appended to the end of extensions_custom.conf to let the attacker reach Asterisk anonymously.
The file kept being modified for as long as httpd was up and running; the only way to stop it was to stop the httpd service.
Further checking with tcpdump
tcpdump -i eth0 port https
showed that an IP address in Germany was repeatedly connecting to HTTPS.
Searching for this IP in the logs under /var/log/httpd/
shows it reaching Asterisk through the /a2billing/Public folder and through
/a2billing//admin/Public/A2B_php_stats.php; that script exposes the MD5 password hashes of all ACL users, so possibly that is where they recovered every user's password from.
I used
/sbin/iptables -I INPUT -s 46.165.210.0/24 -j DROP
to block that source from reaching our https. Note that the rule drops the whole /24, not just the single IP, and that it is not persistent: save it (service iptables save on CentOS 6) or it is gone after the next reboot.
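As an added example (not the blog author's own script), here is the same triage scripted in shell: pull the sources that requested the a2billing paths out of the httpd access log, show which contexts and DIDs were appended to extensions_custom.conf relative to a known-good copy, and block those sources with iptables. The access-log and dialplan samples are constructed; the baseline file, the IPTABLES override and the -C check are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. It scripts the triage the
# post walks through: find which sources hit the a2billing web paths, show
# what was injected into the dialplan, and block the sources. Log format is
# Apache combined; the sample log and sample dialplans below are constructed.

IPTABLES=${IPTABLES:-/sbin/iptables}

# Source IPs that requested anything under /a2billing/, busiest first.
# usage: suspect_ips /var/log/httpd/ssl_access_log
suspect_ips() {
    grep -E '"(GET|POST|HEAD) /a2billing/' "$1" \
        | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $2}'
}

# Contexts that exist in the live dialplan but not in a known-good copy.
# The baseline must have been saved while the file was trusted (assumption).
# usage: injected_contexts /root/extensions_custom.conf.good /etc/asterisk/extensions_custom.conf
injected_contexts() {
    diff "$1" "$2" | sed -n 's/^> *\[\([^]]*\)\].*/\1/p' | sort -u
}

# DIDs (exten => patterns) added to the live dialplan relative to the baseline.
# usage: injected_extens BASELINE LIVE
injected_extens() {
    diff "$1" "$2" | sed -n 's/^> *exten *=> *\([^,]*\),.*/\1/p' | sort -u
}

# Drop traffic from each IP read on stdin. -C needs iptables >= 1.4.11; on
# older releases replace it with: "$IPTABLES" -L INPUT -n | grep -q "$ip".
# Rules added this way do not survive a reboot unless saved
# (service iptables save on CentOS 6).
# usage: suspect_ips LOG | block_sources
block_sources() {
    while read -r ip; do
        if "$IPTABLES" -C INPUT -s "$ip" -j DROP 2>/dev/null; then
            echo "already blocked: $ip"
        else
            "$IPTABLES" -I INPUT -s "$ip" -j DROP && echo "blocked: $ip"
        fi
    done
}

# Constructed sample data so the functions can be exercised offline.
# usage: make_samples DIR
make_samples() {
    cat > "$1/access_log" <<'EOF'
203.0.113.7 - - [17/Feb/2015:10:01:02 +0800] "GET /a2billing/admin/Public/A2B_php_stats.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Feb/2015:10:01:05 +0800] "POST /a2billing/admin/Public/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Feb/2015:10:02:11 +0800] "GET /a2billing/Public/index.php HTTP/1.1" 200 2048 "-" "curl/7.19"
192.0.2.10 - - [17/Feb/2015:10:03:00 +0800] "GET /admin/config.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF
    cat > "$1/good.conf" <<'EOF'
[ext-group-custom]
exten => 991,1,NoOp(legit)
EOF
    cat > "$1/live.conf" <<'EOF'
[ext-group-custom]
exten => 991,1,NoOp(legit)
[ext-did-0002-custom]
exten => 60321069614,1,Set(__FROM_DID=${EXTEN})
exten => 60321069614,n(dest-ext),Goto(ext-group,991,1)
EOF
}

# Typical run on the box (paths are assumptions):
#   injected_contexts /root/extensions_custom.conf.good /etc/asterisk/extensions_custom.conf
#   suspect_ips /var/log/httpd/ssl_access_log | block_sources
```

Run it as root for the iptables step; the two diff helpers and suspect_ips only read files. Blocking the source does not remove what was injected, so the diff output is also the list of contexts to delete before reloading the dialplan.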
Wednesday, February 18, 2015
Backup wav recording file to s3
First, create a bucket in S3 with s3cmd; the commands are documented at
http://s3tools.org/usage
Check the bucket status via the Amazon GUI
https://console.aws.amazon.com/s3/home?region=ap-southeast-1
e.g. copy a file into S3 with s3cmd put <local-file> s3://<bucket>/
In principle, S3 storage is cheaper per GB than an SSD or standard EBS volume, so recordings belong there rather than on the instance disk.
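As an added example (not the blog author's own script), the backup as a small shell routine: pack one day's WAV recordings into a tarball with a SHA-256 manifest, push both to S3 with s3cmd, confirm the object is listed, and only then prune old local files. The recording directory, the bucket name, the YYYYMMDD-in-filename convention and the sample files are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: pack one day's WAV recordings
# into a tarball with a SHA-256 manifest, push both to S3 with s3cmd, and
# confirm the object landed. The recording directory, bucket name, the
# YYYYMMDD-in-filename convention and the sample files are assumptions.

S3CMD=${S3CMD:-s3cmd}
BUCKET=${BUCKET:-s3://example-pbx-recordings}

# Build OUT_DIR/recordings-DAY.tar.gz from the *.wav files under SRC whose
# name contains DAY (FreePBX names recordings like
# out-<number>-YYYYMMDD-HHMMSS-<uniqueid>.wav), plus a .sha256 manifest so the
# upload can be verified later. Prints the archive path; fails if there is
# nothing to back up.
# usage: build_archive SRC OUT_DIR DAY
build_archive() {
    src=$(cd "$1" && pwd) || return 1
    out=$(cd "$2" && pwd) || return 1
    day=$3
    list="$out/recordings-$day.list"
    (cd "$src" && find . -type f -name "*$day*.wav" | sort) > "$list"
    [ -s "$list" ] || { echo "no recordings for $day" >&2; return 1; }
    (cd "$src" && xargs sha256sum < "$list") > "$out/recordings-$day.sha256"
    tar -C "$src" -czf "$out/recordings-$day.tar.gz" -T "$list"
    echo "$out/recordings-$day.tar.gz"
}

# Upload the archive and its manifest with S3 server-side encryption, then
# check that the archive is listed in the bucket. s3cmd put/ls and
# --server-side-encryption are documented s3cmd options; credentials come
# from ~/.s3cfg, which must be readable only by the backup user.
# usage: upload_archive ARCHIVE
upload_archive() {
    arch=$1
    sums=${arch%.tar.gz}.sha256
    "$S3CMD" put --server-side-encryption "$arch" "$sums" "$BUCKET/" || return 1
    "$S3CMD" ls "$BUCKET/$(basename "$arch")" | grep -q "$(basename "$arch")"
}

# Remove local recordings older than KEEP_DAYS; call only after a successful
# upload so nothing is deleted before it is safely in S3.
# usage: prune_local SRC KEEP_DAYS
prune_local() {
    find "$1" -type f -name '*.wav' -mtime "+$2" -delete
}

# Constructed sample recordings (a few bytes of RIFF header, not real audio).
# usage: make_sample_recordings DIR
make_sample_recordings() {
    mkdir -p "$1"
    for f in external-60123456789-20150217-100102-1424138462.3.wav \
             out-60123456789-20150217-113000-1424143800.7.wav \
             out-60123456789-20150216-090000-1424048400.1.wav; do
        printf 'RIFF....WAVEfmt ' > "$1/$f"
    done
}

# Typical cron use: back up yesterday's recordings, then prune.
# day=$(date -d yesterday +%Y%m%d)   # GNU date
# arch=$(build_archive /var/spool/asterisk/monitor /var/backups/pbx "$day") \
#   && upload_archive "$arch" && prune_local /var/spool/asterisk/monitor 30
```

The manifest travels with the archive so a restore can be checked with sha256sum -c after download. Keep ~/.s3cfg at mode 600: it holds the access key and secret, and on this kind of box that file is worth more to an attacker than the recordings.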
Sunday, January 25, 2015
Asterisk was hacked - extensions_custom.conf modified
The file above was modified to add the following entries (diff output; the "<" prefix is diff's marker for lines found in the first file):
< [ext-did-0002-custom]
< exten => 60321069614,1,Set(__FROM_DID=${EXTEN})
< exten => 60321069614,n,Gosub(app-blacklist-check,s,1)
< exten => 60321069614,n,ExecIf($[ "${CALLERID(name)}" = "" ] ?Set(CALLERID(name)=${CALLERID(num)}))
< exten => 60321069614,n,Set(__CALLINGPRES_SV=${CALLERPRES()})
< exten => 60321069614,n,Set(CALLERPRES()=allowed_not_screened)
< exten => 60321069614,n(dest-ext),Goto(ext-group,991,1)
From the Reports tab you can see that they were calling out to IDD numbers through the extension above.
Question: how on earth could they modify a file that needs root permission?
Saturday, January 3, 2015
playSMS - how to customise the web look and feel
Surprisingly, under /var/www/html you don't find an index.html but an index.php instead, and even so it is not easy to work out how the HTML is generated. From the page source in the browser I can only identify that some of the markup comes from
./plugin/themes/default/templates/themes_layout.html
but I have yet to understand the logic behind it.
playSMS - introduction and tips to customise your own gateway
Replicate one of the gateway directories under
/var/www/html/playsms/plugin/gateway
You also need to change config.php and fn.php inside the copied directory; search for the original gateway's name within that directory to see what else needs changing.
If you only add the new directory without making the modifications above, you will not be able to access /playSMS at all.
Once the above is done you can access /playSMS again, but I still don't see the new gateway under the "Manage Gateway" menu, so this needs further exploration.
Thursday, January 1, 2015
fail2ban - how to include all Malaysia IP ranges in the whitelist
Go to http://software77.net/geo-ip/ and extract all the Malaysian IP ranges in CIDR format.
Log in to the server and go to /etc/fail2ban/jail.conf (better: put the override in /etc/fail2ban/jail.local, because jail.conf is replaced on package upgrade).
Edit the file and add all the ranges above to the "ignoreip" setting, separated by spaces.
Then restart fail2ban: /etc/rc.d/init.d/fail2ban restart
Keep in mind that every address in those ranges now bypasses fail2ban completely, so brute-force attempts coming from within Malaysia will never be banned.
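As an added example (not the blog author's own script), the whole procedure in shell: validate the CIDR list so a malformed line cannot break the jail configuration, build the ignoreip line, write it under [DEFAULT] in jail.local (replacing any existing ignoreip there), and reload. The file names and the sample ranges are assumptions; the Malaysian ranges shown are a constructed sample, not a complete list.

```shell
#!/bin/sh
# Added example, not code from the original post. Turns a file of CIDR ranges
# into a fail2ban "ignoreip" line, writes it into a jail.local override and
# reloads fail2ban. File names and the sample ranges are assumptions.

JAIL_LOCAL=${JAIL_LOCAL:-/etc/fail2ban/jail.local}
FAIL2BAN_CLIENT=${FAIL2BAN_CLIENT:-fail2ban-client}

# Print only syntactically valid IPv4 entries as a.b.c.d/n (octets 0-255,
# prefix 0-32; a bare address becomes /32). Comments, blanks and malformed
# lines are dropped so a bad export cannot break the jail config.
# usage: valid_cidrs ranges.txt
valid_cidrs() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
    | awk -F'[./]' '(NF==4 || NF==5) {
          ok=1
          for (i=1; i<=4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) ok=0
          n=(NF==5) ? $5 : 32
          if (n !~ /^[0-9]+$/ || n > 32) ok=0
          if (ok) print $1"."$2"."$3"."$4"/"n }'
}

# Build the ignoreip value: loopback first, then the ranges, space separated
# (fail2ban reads ignoreip as a whitespace-separated list).
# usage: ignoreip_line ranges.txt
ignoreip_line() {
    printf 'ignoreip = 127.0.0.1/8'
    valid_cidrs "$1" | while read -r c; do printf ' %s' "$c"; done
    printf '\n'
}

# Put the line directly under [DEFAULT] in jail.local (created if missing),
# replacing any ignoreip already in that section and leaving other sections
# untouched. jail.conf is not edited because package upgrades overwrite it.
# usage: apply_ignoreip ranges.txt [jail.local]
apply_ignoreip() {
    target=${2:-$JAIL_LOCAL}
    line=$(ignoreip_line "$1")
    [ -f "$target" ] || : > "$target"
    awk -v l="$line" '
        /^\[DEFAULT\]/ { print; print l; indef=1; hadef=1; next }
        /^\[/          { indef=0 }
        indef && /^ignoreip[[:space:]]*=/ { next }
        { print }
        END { if (!hadef) { print "[DEFAULT]"; print l } }
    ' "$target" > "$target.tmp" && mv "$target.tmp" "$target"
}

# Reload the configuration (same effect as the init-script restart in the post).
reload_fail2ban() { "$FAIL2BAN_CLIENT" reload; }

# Constructed sample input: comments, indentation, a bare IP and bad lines.
# usage: make_sample_ranges FILE
make_sample_ranges() {
    cat > "$1" <<'EOF'
# Malaysia ranges (constructed sample, not the full software77 export)
1.9.0.0/16
  60.48.0.0/13   # trailing comment
175.136.0.0/13
192.0.2.5
300.1.1.0/24
1.9.0.0/40
not-an-ip

EOF
}

# Typical run (paths are assumptions):
#   apply_ignoreip /root/malaysia-cidr.txt && reload_fail2ban
```

After the reload, fail2ban-client get <jail> ignoreip shows the list that is actually in force; check it once, because a typo in a large whitelist is otherwise invisible until someone you expected to be banned is not.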
Monday, October 27, 2014
Tables to support GoIP incoming calls when the GSM line is non-busy or busy
When the GSM line is not busy, the GoIP lets you configure a "Forward to VOIP number"; in this case I set the VoIP number to 991 (a call group in Asterisk). In Asterisk, I customised 991 in /etc/asterisk/extensions_custom.conf with the following code:
[ext-group-custom]
; here we start goip call handling
exten => 991,1,Macro(user-callerid,)
exten => 991,n,GotoIf($["foo${BLKVM_OVERRIDE}" = "foo"]?skipdb)
exten => 991,n,GotoIf($["${DB(${BLKVM_OVERRIDE})}" = "TRUE"]?skipov)
exten => 991,n(skipdb),Set(__NODEST=)
exten => 991,n,Set(__BLKVM_OVERRIDE=BLKVM/${EXTEN}/${CHANNEL})
exten => 991,n,Set(__BLKVM_BASE=${EXTEN})
exten => 991,n,Set(DB(${BLKVM_OVERRIDE})=TRUE)
exten => 991,n(skipov),Set(RRNODEST=${NODEST})
exten => 991,n(skipvmblk),Set(__NODEST=${EXTEN})
exten => 991,n,GosubIf($[${DB_EXISTS(RINGGROUP/991/changecid)} = 1 & "${DB(RINGGROUP/991/changecid)}" != "default" & "${DB(RINGGROUP/991/changecid)}" != ""]?sub-rgsetcid,s,1)
exten => 991,n,AGI(callgroup_mapping.agi)
exten => 991,n,NoOP("NewCallGroup=${callgrp}")
exten => 991,n,NoOP("NewCallType=${calltype}")
exten => 991,n,Set(RecordMethod=Group)
exten => 991,n,Macro(record-enable,${callgrp},${RecordMethod})
exten => 991,n,Set(RingGroupMethod=${calltype})
exten => 991,n(DIALGRP),Macro(dial,20,${DIAL_OPTIONS},${callgrp})
exten => 991,n,Set(RingGroupMethod=)
exten => 991,n,GotoIf($["foo${RRNODEST}" != "foo"]?nodest)
exten => 991,n,Set(__NODEST=)
exten => 991,n,Noop(Deleting: ${BLKVM_OVERRIDE} ${DB_DELETE(${BLKVM_OVERRIDE})})
exten => 991,n,Goto(app-blackhole,hangup,1)
exten => 991,n(nodest),Noop(SKIPPING DEST, CALL CAME FROM Q/RG: ${RRNODEST})
As you can see above, it calls callgroup_mapping.agi.
Refer to /var/lib/asterisk/agi-bin/callgroup_mapping.agi:
it searches the cdr table for the last extension that made an outbound call to this caller ID.
Based on that extension, it looks up the goip_callgroup table for the call routing numbers.
The routing number has to be in the call group format, e.g.
7109-60123836313# or 8109-8110-8111
The above handles the non-busy case. When the line is busy, the GoIP's SIM forwards
to a special number, "0321069278", which is set up as an "incoming route" in extensions_custom.conf below
so that it sends the call to 991:
[ext-did-0002-custom]
exten => 60321069278,1,Set(__FROM_DID=${EXTEN})
exten => 60321069278,n,Gosub(app-blacklist-check,s,1)
exten => 60321069278,n,ExecIf($[ "${CALLERID(name)}" = "" ] ?Set(CALLERID(name)=${CALLERID(num)}))
exten => 60321069278,n,Set(__CALLINGPRES_SV=${CALLERPRES()})
exten => 60321069278,n,Set(CALLERPRES()=allowed_not_screened)
exten => 60321069278,n(dest-ext),Goto(ext-group,991,1)
So the busy path loops back to 991 as well.